
Discord is very popular with skiddies and real criminal organizations alike. It's got pretty basic KYC controls in place, meaning essentially anyone with just an email can sign up. It can be accessed from behind VPNs without any issues, so effectively it doesn't matter that it's not e2e encrypted.

I feel that Discord the company probably lets it slide because:

1. Moderation at scale is incredibly difficult.
2. They work with law enforcement agencies to execute warrants and subpoenas.



I've been mistakenly banned from Discord before and I know from experience that pretty much any low-level mod has a complete and readily accessible history of all of my posts across all servers, complete with timestamps and IP addresses.

I'm also pretty sure phone numbers are required for sign-up.

I think your second point is the more likely explanation. Any other platform that would've hosted this many communities dedicated to drugs, cybercrime, etc. would definitely have faced serious legal challenges. It seems much more likely that the feds find it a useful platform to keep around.


A mobile phone number is required for certain Discord servers (a setting available to the admins) but not for sign-up (maybe if you are using an IP in a suspicious/VPN range they force it now?). Otherwise they only require a valid email.

For Telegram, though, there isn't really a way around it; a phone is required. There is/was a way to buy some TON crypto token instead to avoid this verification, but it became prohibitively expensive.


I still don't get how Discord can be secure; I suspect it can't. Just the fact that the forums are persistent and controlled by a third party, and that the client is closed source, means people on there can be compromised at any point incredibly easily, VPN or not.

Just something as simple as using a cookie or local storage can leave permanent traces behind, so all the access can be easily correlated.

I'm not even sure if serious infosec measures exist to stop this, and if they do, someone is bound to slip up, and they need to do it just once to expose the whole chatroom.

I'm not a hacker but this sounds like failing Opsec 101, and people getting by just with sheer luck.


> It can be accessed from behind VPNs without any issues, so effectively it doesn't matter that it's not e2e encrypted.

How do these two things correlate? I thought the benefit of E2E encryption is the fact that no one can decrypt your messages except for the participants in the conversation. There’s no keys anywhere on a server that an admin could use to decrypt the conversation. How would being behind a VPN negate that? The VPN still has to go through Discord servers where a key is presumably stored if the information is encrypted at all.


Are you sure about Discord? I've tried creating a Discord account from a VPN, and it always demands my phone number.


This info seems very outdated. Creating a Discord account, even from a residential IP, without SMS KYC is from my experience basically impossible; they even block most (all?) VoIP SMS services.



