Advertisement

The Discord servers at the center of a massive US intelligence leak

The intelligence files related to the Ukraine war that appeared online aren't the first sensitive military documents shared on video game forums.
LANGLEY, VA - JULY 9: The CIA symbol is shown on the floor of CIA Headquarters, July 9, 2004 at CIA headquarters in Langley, Virginia. Earlier today the Senate Intelligence Committee released its report on the numerous failures in the CIA reporting of alleged Iraqi weapons of mass destruction. (Photo by Mark Wilson/Getty Images)

Over the past few days, U.S. investigators and digital security researchers alike have probed what would seem to be the most unlikely of places to determine the origin of a major leak of classified intelligence documents: video game-focused chat servers.

A series of video game servers have emerged as key distribution points for a cache of perhaps as many as 100 intelligence documents containing secret and top secret information about the war in Ukraine. The documents first appears on a server known as “Thug Shaker Central” and were then reposted on servers known as “WowMao” and “Minecraft Earth Map,” according to an investigation by Bellingcat, an investigative journalism outfit based in the Netherlands, that provides the most thorough account to date of how the documents made it into the public domain. 

The documents mostly date from February and March, but may include material from as far back as January. At least one set of the files circulating online includes a photograph of a handwritten character sheet of a roleplaying game — Doctor Izmer Trotzky. 

Last week’s leaks represent a stark departure from how classified information has reached the public in recent years. “When you think of these big leaks, you think of whistleblowers like Snowden, hack and dumps from Russia,” Aric Toler, who has investigated the Discord leaks for Bellingcat, wrote in an email to CyberScoop. “This is just a guy in a tiny Discord server sharing hundreds of insanely sensitive [files] with his gaming buddies.” 

Advertisement

After being posted, the files appear to have sat dormant for about a month, until they were shared last week on 4chan and Telegram, where they received greater attention. “Since Discord isn’t really publicly archived, indexed, or searchable (as 4chan and, to a lesser degree, Telegram are), then it’s not like you can easily scrape and analyze these sources,” Toler said. “So it’s a bit of a perfect storm.”

The release of classified material on online gaming forums is not as novel as it might seem. In the last two years, fans of the free-to-play combat game War Thunder have repeatedly posted classified material in the game’s online forum — on one occasion to settle an obscure argument about the design details of a tank depicted in the game. 

Highly sensitive classified information repeatedly appearing on online gaming forums has intelligence experts exasperated. “The idea of paying a source to dead-drop this stuff when it’s popping up unsolicited on Minecraft and world of tanks seems quaint,” says Gavin Wilde, a senior fellow at the Carnegie Endowment for International Peace and a 10-year veteran of the National Security Agency. 

A furious effort inside the Department of Defense is now attempting to verify this most recent cache documents circulating online, assess the damage and prevent further fallout. The Department of Justice has opened an investigation into the leak that aims to determine its source, a probe that will likely scrutinize the online communities where the material appears to have originated. 

The leaked documents are photographs of briefing slides that appear to have been folded up. They are photographed mostly against what appears to be a low table. In the background of some of the photographs can be seen a bottle of Gorilla Glue and what appears to be a strap with the Bushnell brand, a popular maker of outdoor optics and rifle scopes. 

Advertisement

The documents amount to one of the most serious leaks in the history of the U.S. intelligence community, on par with the WikiLeaks disclosures and material made public by the group known as the ShadowBrokers, according to intelligence experts. The material spans the U.S. intelligence community, including information obtained by the CIA, the NSA and the National Reconnaissance Office, which operates America’s fleets of highly secretive spy satellites.

The material includes timetables for the delivery of munitions to Ukraine by South Korea, references to sensitive American satellite surveillance capabilities, and indications that the United States has managed to penetrate the Russian military to such an extent that it has been able to warn Ukraine about the site of upcoming artillery and missile strikes. 

The cache also includes reference to communication between a cybercriminal group and an officer of Russia’s powerful domestic intelligence agency, the FSB, claiming that the group had gained access to the computer systems of a Canadian pipeline and that it could use that access to disrupt a pipeline. That claim has not been confirmed, and it is fully possible the communications intercepted by U.S. intelligence services amount to not more than bluster by the hacking group. 

Ukrainian officials have cautioned that the leaked document may include falsified information or may be entirely fabricated, but so far, the documents appear to be mostly authentic with only minor alterations that appear to have occurred after the documents began circulating more widely last week on 4chan and Russian telegram channels. 

“We are very fortunate that this leak has received such a skeptical reception,” said John Hultquist, the head of threat intelligence at Mandiant.

Latest Podcasts