Gaming’s Dark Side: How Discord and Steam Became Tools for Cybercrime

July 8, 2026

It is estimated that over three billion people play video games. That is nearly 43% of the worlds population! Cybercriminals know that — and they’ve spent years turning the platforms gamers trust most into infrastructure for malware, money laundering, and stolen credential markets.

Gaming has a cybercrime problem that goes way beyond cheaters and griefers. The same platforms where players organize raids, share mods, and trade rare skins have become genuine darknet-adjacent ecosystems, hosting criminal marketplaces, command-and-control servers, and sophisticated money laundering pipelines. Two platforms in particular sit at the center of this, Discord and Steam.

Gaming environments are built on trust. Players routinely download mods from strangers, click invite links from people they’ve never met, and hand over login credentials to access new servers or betas. That culture of openness is exactly what attackers exploit.

In 2025, security researchers documented millions of malicious files disguised as mods, cheat tools, and cracked games for titles like GTA, Minecraft, and Call of Duty. Behind every fake cheat was the same payload: infostealer malware designed to harvest saved browser passwords, Steam session cookies, Discord tokens, and crypto wallet keys — all in one hit, from one infected machine.

The Malware-as-a-Service (MaaS) economy has turbocharged this. New stealers like Katz and Bee (the latter priced at just $300/month on criminal forums) were built with explicit focus on Discord and gaming platforms. Katz even injected malicious JavaScript directly into Discord’s own application files to establish a persistent backdoor. Low barrier to entry, high-value targets: it’s a formula that’s working.

Discord was designed to be a gaming community tool, built with persistent servers, voice channels, file sharing, bots, invite links, fine-grained permissions, and the option to make servers completely private. However, it has also become widely used as a criminal infrastructure tool for exactly the same reasons. Fake Steam, PlayStation, and Xbox login pages were widely distributed through Discord in 2025 which were promoted via messages promising free skins, beta access, or exclusive item drops. Classic social engineering, delivered through a trusted platform.

As law enforcement took down major darknet markets through the early 2020s, a lot of criminal communities migrated to Discord, trading the anonymity of Tor for Discord’s ease of use and real-time collaboration. DarkOwl monitors a large number of servers and channels hosted on Discord that are used to discuss and share malicious activity. These aren’t amateur operations. They’re organized by commodity, with dedicated channels for combolists (username/password pairs from breached databases), fraud tutorials, stolen session tokens, and cracking tools. They maintain mirror servers specifically to survive takedowns and reconstitute banned communities within hours.

Figure 1: Discord channel offering hacking services

Discord as a Malware Delivery Network

When you upload a file to Discord, it gets hosted on Discord’s own content delivery network (CDN) and generates a permanent direct link. Attackers exploit this constantly. They upload malicious payloads to Discord’s CDN, then distribute the links through phishing campaigns, fake gaming community invites, or DMs. Because Discord’s infrastructure is trusted, often explicitly allowlisted by enterprise security tools, the malicious traffic can blend in with normal activity.

In mid-2025, researchers uncovered a campaign exploiting a flaw in Discord’s invite link system to redirect victims through silent redirection chains ending in multi-stage malware. Payloads included AsyncRAT, Skuld Stealer, and ChromeKatz — all designed to drain credentials, browser cookies, and active Discord session tokens. The attack worked because users trusted the Discord branding.

Nation-States Are Using Discord Too

This isn’t just criminal-grade activity. Nation-state actors have adopted Discord as command-and-control (C2) infrastructure because it’s so hard to detect. When malware communicates over Discord’s API, the traffic is encrypted, globally distributed, and indistinguishable from a developer’s legitimate bot.

In late 2025, the Rust-based ChaosBot malware was discovered inside a financial services firm’s network, using Discord to create a private text channel named after the victim’s computer and receive commands through it. Separately, the China-aligned APT group Webworm deployed a backdoor called EchoCreep specifically engineered to use Discord for C2, targeting government institutions and enterprises across Europe and Asia. Another China-linked group, GopherWhisper, used Discord for data exfiltration in attacks on Mongolian government entities. Discord isn’t just a gaming platform anymore — it’s part of the nation-state toolkit.

Valve’s Steam platform is the world’s largest PC gaming store, with over 130 million registered accounts and stored payment data for most of them. That makes it an extremely attractive target and an effective vehicle for financial crime.

Steam Accounts for Sale

In May 2025, a threat actor listed what they claimed was a database of 89 million Steam accounts on a dark web forum, asking $5,000 to start. The gaming world panicked. Valve investigated and determined the dataset was mostly expired SMS authentication codes, not passwords or payment data, likely sourced from a supply chain compromise of Twilio, the communications provider that delivers Steam’s SMS verification messages, a useful reminder that your platform’s security is only as strong as its weakest third-party vendor.

The more common Steam account compromises are lower-tech: credential stuffing with passwords reused from other breaches, phishing via fake login pages promoted on Discord, and infostealer malware that captures active Steam session tokens from infected PCs bypassing two-factor authentication entirely.

Virtual Items as a Money Laundering Vehicle

Steam’s virtual item economy has been systematically exploited for money laundering. Criminals will use stolen credit cards to buy tradeable in-game items or currency and then sell those items on secondary markets for real money.

The most documented case: Counter-Strike: Global Offensive container keys. These were freely tradeable on the Steam Community Market until Valve shut it down in 2019 after discovering that worldwide fraud networks had taken over, at the time of the shutdown, Valve acknowledged that nearly all significant key purchases on the market were fraud-sourced. A Vice investigation had found that 90% of CS:GO loot box transactions globally were being used to launder illicit funds.

Fortnite’s V-Bucks saw the same pattern: stolen cards used to bulk-buy currency, then sold at a discount on dark web markets and grey-market platforms. Academic analysis of Steam Marketplace transaction data has since confirmed that identifying money laundering patterns is feasible with straightforward detection methods, and found numerous accounts warranting investigation.

It’s tempting to frame gaming cybercrime as a consumer problem, something that affects individual players, not enterprises. That framing is dangerously incomplete. An employee whose personal gaming PC is compromised by an infostealer doesn’t just lose their Steam library. Infostealers harvest everything from an infected machine: every saved browser password, every active session token, every stored credential. A compromised gaming machine is frequently a compromised enterprise access point.

The same Discord servers trading gamer credentials are trading enterprise combolists. The same C2 infrastructure being used to control gaming-targeted malware is being deployed against financial services firms. The overlap between gaming culture and cybercriminal culture, particularly among younger threat actors, means these ecosystems are deeply intertwined, not parallel.


DarkOwl monitors dark web forums, Telegram channels, Discord servers, and paste sites continuously — surfacing gaming platform credentials, session tokens, and threat actor activity relevant to your organization’s exposure. Get in touch to learn more about our darknet intelligence capabilities.

See why DarkOwl is the Leader in Darknet Data

Copyright © 2026 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.