That anonymous internet persona with an anime cartoon avatar in your Discord chat might actually be a contractor sent to spy on you. 

Enter the world of “threat intelligence.” 

It’s the term of art for a growing set of surveillance and security firms that create fake online personas to infiltrate and scrape data from private corners of the internet. The industry provides corporate and government clients with insight into conversations on private, invite-only Discord chats, WhatsApp groups, Reddit forums, and dark web message boards to help those powerful customers keep tabs on a variety of potential threats, from political hacktivists to the illegal markets that traffic in stolen passwords and intellectual property. 

I spoke to representatives of ZeroFox, DarkOwl, Searchlight Cyber, Recorded Future, CyberInt, Flashpoint, and other threat intelligence firms at RSA Conference 2023, an annual convention for cyber security professionals from across the world that is held in San Francisco. 

“We have personnel who already have established credentials in these environments so that we're able to go in and look for things,” said A.J. Nash, the vice president of intelligence at ZeroFox, a leader in the threat intelligence industry that is based in Baltimore, Maryland.

Nash confirmed that the company is active in Discord, an audio and video group chat app popular among young video-game players.

"We can do the same thing with Discord," Nash added. "It's hard to infiltrate a small group because everybody knows everybody. But some of the groups that are larger, yeah, we have the ability to get into some opportunities."

An executive at DarkOwl, a Denver-based threat intelligence firm that provides clients with a special database of information from its snooping, explained that the company creates fake identities and usernames to gain admission to many of the private platforms and chatrooms that it uses to collect information. 

"What we do, we work with personas," said Magnus Svärd, a director at DarkOwl. “We've done this at scale since 2018 so there's some trust in the personas that we've built up, whether they're on Discord, on Telegram, or wherever.”

Searchlight Cyber, a British firm that specializes in dark web message boards, similarly uses internet personas to gain access to private online forums and chat platforms.

"We actually get invited to those. We have human actors and get invited. We obviously don't identify as Searchlight on them,” said Peter Ritter, a sales manager at the firm. “Then we see what's going on there."

CyberInt, an Israeli threat intelligence firm, advertises how its team of analysts uses fake personas to thwart hackers, retail fraud, hacktivists, and other cyber security threats.

In one video posted by CyberInt, an analyst for the firm discusses her approach to go into online communities and “detect threat actors when they are young or starting out at 14 or 15, that's when I start observing and documenting their malicious activities.” At that age, they are “more careless and open,” the analyst said.

In another CyberInt marketing video, the firm walks a potential client through the process of using a fake online alias to contact a hacker over the messaging app Telegram and “get as much information as we can.”

Danny Miller, a director of marketing at CyberInt, confirmed to me that his firm has analysts infiltrating Discord servers, among other platforms.

Many of these firms maintain close ties to law enforcement and government agencies. Several are currently under contract with the Federal Bureau of Investigation or military intelligence.

The role of ZeroFox’s collaboration with the FBI, in particular, came to light in documents unearthed by the special House committee investigating the U.S. Capitol riot on Jan. 6, 2021. In a Jan. 3, 2021, email exchange between FBI officials preparing for the right-wing protests slated to occur, one official noted that the FBI team charged with monitoring groups due to assemble at the Capitol had just signed on with ZeroFox days earlier.  The official said that the agency  was still learning how to use the software to monitor social media posts from political extremists headed for Washington on Jan. 6, 2021.

"[O]ur social media abilities might be slightly degraded during this [sic] events as we are getting use [sic] to this new tool but we're gonna make it work," the FBI official wrote.

Having already gained access to traditional social media platforms, the federal government now has its sights set on private online communities where terrorist groups, radical political activists, and hackers can operate with relative freedom.

The recent disclosure of classified Pentagon documents, shared on an invitation-only chatroom on Discord, is fueling a new push for access to one of the last secretive corners of the internet. Air National Guardsman Jack Teixeira allegedly posted the classified documents in his group chat for months before authorities became aware of the leaks.

Following Teixeira’s arrest in mid-April, the federal government has begun calling for increased surveillance of Discord and similar platforms. The Biden administration is currently “looking at expanding how it monitors social media sites and chatrooms after U.S. intelligence agencies failed to spot classified Pentagon documents circulating online for weeks,” NBC News reported last month. A congressional aide told the news outlet that senior members of President Joe Biden’s team are looking at ways to “scrub platforms like Discord in search of relevant material to avoid a similar leak in the future.”

Should the federal government proceed with its plans, the threat intelligence companies present at RSA Conference 2023 stand to play a lucrative role in supporting those efforts. A representative of Recorded Future initially agreed to an interview with me, but later backed away over concerns that any discussion of the leak of classified documents on Discord would be too sensitive for the company. Federal contracts show that over the last year, Recorded Future has performed work for a host of federal government clients, including the U.S. Secret Service, Immigrations and Customs Enforcement, and U.S. Cyber Command.

Flashpoint, which openly advertises that it monitors activist groups and continually mines data from platforms such as Reddit and Discord, signed a contract with the FBI last year.

At the RSA Conference, a representative of Flashpoint said that his firm engages in a variety of tools, but generally does not “violate the terms of service” when accessing chatrooms and other forums.

“There is this tension between platforms being a safe space, and also not being able to harbor things that are being put out, you know, that are intellectual property, that are national security threats,” said Matthew Howell, vice president of product at Flashpoint.

Watchdog groups are raising concerns that the push for more surveillance of chatrooms, including gaming communities, will violate civil liberties. Government scans of private communications risks violating constitutional rights against unreasonable search and seizure.

"There's a disturbing trend toward government agencies contracting out surveillance, paying the likes of data brokers to spy on people even when agents wouldn't be allowed to,” said Sean Vitka, senior policy counsel of Demand Progress.

“It's becoming frighteningly apparent that a similar privatized spying cottage industry targeting private chat rooms also exists,” Vitka added.

Nash, the vice president of ZeroFox, said that every action at his firm, which signed a contract with the U.S. Navy Criminal Investigative Service in January, is vetted by a legal team.

"We're not violating people's civil rights or civil liberties. We're not working as a conduit to work around the Fourth Amendment,” said Nash. “We wouldn't do that.”

DarkOwl President Russel Cohen provided a similar assurance.

"We have algorithms about what information we find interesting. So if somebody is talking about guns, that would be something we find interesting,” Cohen said. “We're not looking for things that are not commercially interesting, such as pornography."

Cohen said that on occasion, his firm has alerted government authorities when they come across material that suggests a threat to security.

Determining whether something is a “threat” to national security is inherently subjective. And historically, the federal government has committed its worst infringements on personal freedom in the name of policing these vaguely defined threats.  

It is especially hard to assess the lawfulness of these new threat intelligence firms’ surveillance practices, because the industry is shrouded in secrecy.

On the rare occasions when the public has gained greater insight into the activities of these companies, the revelations have not been reassuring. The veil was briefly lifted in 2011, when a set of threat intelligence firms plotted to disrupt the hacktivist network LulzSec and attempt to discredit journalist Glenn Greenwald. The contractors, led by the now defunct firm HBGary, devised a plan to infiltrate left-leaning organizations using fake online identities, in a bid to win lucrative deals defending corporations facing public scrutiny.

The plan was eventually discovered and thwarted after hackers dumped emails from HBGary onto the web, embarrassing its partner firms, including Berico Technologies and Palantir.

U.S. intelligence agencies also have a record of coming up empty after infiltrating private, online spaces, raising the possibility that the security justifications for the current incursions are weaker than the agencies are claiming. The documents leaked by former National Security Agency contractor Edward Snowden revealed that FBI and CIA spies had created fake personas to hunt for potential terror plots discussed in online games, such as World of Warcraft and Second Life, as well as on platforms like Xbox Live. Those initiatives fizzled after the intelligence agencies found little to no evidence of terror communications.

But the federal government and its allies in academia and the media are pushing full-speed ahead for expanded surveillance of platforms like Discord that could mirror the now-defunct programs exposed by Snowden.

Renée DiResta, a research manager at the Stanford Internet Observatory, who has worked alongside Department of Homeland Security efforts to police online speech, has seized upon the so-called Discord Leaks to call for more monitoring of chat rooms. DiResta recently co-authored an essay in Foreign Policy to suggest that online gamers and chat rooms have "eclipsed spies as an intelligence threat":

Even where ideological commitments have motivated leakers, internet culture has often played a major role. U.S. Army intelligence analyst Chelsea Manning’s involvement with WikiLeaks began when she started monitoring—and then actively participating in—the forum’s chat channel. Her decision to leak diplomatic cables was initially motivated by debates about Icelandic politics on the WikiLeaks channel. When one looks at Manning’s conversations with WikiLeaks founder Julian Assange and others on the channel, they read very much like someone trying to connect with and impress her new internet friends; later, it was a similar desire to connect online that led to her arrest. Edward Snowden, too, attributed his decision to leak documents about National Security Agency surveillance programs to his concerns that they undermined the values he cherished as an avid denizen of early internet forums and chatrooms: anonymity, self-expression, and the right to reinvent oneself.

The conclusion that online community forums are somehow a prerequisite to radicalization suggests a sweeping view of potential government threats that encompasses almost anyone born after 1980 with access to the internet. DiResta, an influential voice in cyber security circles, is far from alone. 

A variety of journalists have urged a crackdown on private messaging platforms. 

“The FBI and other law enforcement organizations are not spending enough time trolling the edges of the web like Discord and Telegram,” veteran reporter Lucian Truscott IV declared in Salon, a progressive news outlet. 

A news article in Time took the validity of national-security officials’ concerns about Discord as a given. “The leak has also put a spotlight on the lack of law-enforcement visibility into platforms like Discord,” wrote Vera Bergengruen and W.J. Hennigan.

The growing number of calls for greater surveillance worries Vitka of Demand Progress.

“If this follows the course of previous surveillance practices, it means we are headed toward a digital resurgence of neighbors spying on neighbors,” said Vitka. “Meanwhile, we have no way of knowing how many private chat rooms are already infiltrated or to whom those spies are selling information, which will ultimately lead to a severe erosion of trust online." 

Image via Boris Zhitkov/Getty Images.