I was having a relatively ordinary morning, until I got a Twitter DM. "Hey, is this you on Discord," a streamer asked.
This story originally appeared in July 2018.
Their name was Ulti, a streamer on Mixer and a member of a Discord community promoting mindfulness, healthy living and general fitness. We'd never crossed paths before, and most likely wouldn't have if this was any other day.
But someone had messaged the streamer. They said they were a writer and an "aspiring journalist", conducting a survey on how Discord communities function.
"Contributors who participate in this study will receive credit," the message read, which Ulti relayed back to me. In subsequent messages, the person described themselves as a "writer for Kotaku Australia" and, later on, said that they were "very new to journalism and interviewing" and were "hired last month".
Their supposed name: Alex Walker.
The rest of the morning became a mission to unpack what the hell was going on. Why was someone impersonating me and the site, and what were they after?
As Ulti quickly described, the "study" on Discord communities was really just a trap. At the end of the basic questions, all through Discord chat, the user asked them for one last detail.
"Would you be willing to provide us with your token so new users reading the article can connect to your server," the user using my identity asked. This wasn't the invite code for the server, or even a permanent invite link, but a special token ID.
This token ID, they described, was contained in local storage by Discord. It could be found through the Inspector dev tools accessible through Chrome.
"Once you provide the token, we can embed it into the syntax of the article," they wrote.
Fortunately for me, the red flags started going up for Ulti. He kept pushing back, pressing for more information, until the user said they'd written a story about the recent Steam sales. That was enough for Ulti to find me directly on Twitter.
After a slightly panicked PSA, I started thinking about what the best course of action was. Do you get HR involved? Do the lawyers get involved? Do you file a police report at some point?
That's probably one path, I thought. But that wasn't a road I wanted to walk just yet.
So I asked Ulti: did he still have this person's details, at least on Discord? Maybe I could talk to them. At least find out what the hell is going on.
They did, and so I sent a short message. Why are they doing this?
Initially it was just having a conversation with a troll. I'd ask something, they'd ask why I cared. I'd say I just wanted to understand, and surely they could appreciate that; they'd reply that they could understand why some people wanted to eat badgers.
After a bit of back and forth, they began to describe the point of all this. "The token can take control of someone's account," the user said. "And all I was going to do was transfer ownership ... to take control of a ton of servers. A couple of friends and I work together."
As far as they saw it, once control had been transferred to them they were untouchable — as far as the compromised user was concerned, anyway. I asked whether they were worried about Discord doing anything, but they said they could just ban the owner from their original server, make new Discord accounts, and start over.
"I've owned my own server and had a couple hundred people on there. But gave up on it, so I decided to do this," they said.
I'd thought it was already clear, but it wasn't until some random chat about soccer — I relayed the story about breaking my wrist last year — that my impersonator realised they were talking to the person whose identity they were stealing. "Lol you don't work for Kotaku ... wait lol, are you actually the one who wrote that article," they asked.
Apparently, they thought they were talking to the same person they tried to "troll" earlier in the day. "Bro I didn't take your name, no disrespect to you," they said. Ulti had asked for a name, so they pulled up a random article, and simply used the site and my name to keep the illusion going.
"Sorry mate, didn't think I'd actually talk to the writer."
It's probably pretty rare that someone puts their head into the lion's mouth too, so to speak. Chatting to them like a normal person doesn't really have any upsides. Imagine the worst case scenario. Lawyers get involved, conversations get read out in court.
That's not fun. That's the sort of thing that fucks up a person's life, although the flipside of looking at it is that they're doing the exact same thing to me by leveraging my identity in the first place.
It doesn't help that the person in question was also identified as a HypeSquad member. HypeSquad is described as a way for people to represent Discord — the application form asks if you run events, or could attend or help out — and in turn, Discord will "support your gaming community". Approved members get access to a special server, a t-shirt if they volunteer at conventions and other events, and an exclusive profile badge.
And that's the problem: members have that Discord-sanctioned logo on their profile. That insignia isn't worth anything monetarily, but the degree of credibility becomes incredibly useful in situations like this.
"It takes a while to get approved so there's a vetting period for it," Ulti explained. "The fact that this scammer had a HypeSquad tag isn't great."
I filed a report to Discord's Trust and Safety team, and reached out to Discord directly as well. I asked what happens if someone has had control of their account or server transferred in this way, and what Discord can and does do about the situation.
A Discord representative got back to me on Twitter, but the best they could do was recommend a report to the Trust and Safety Team (which I'd already done). I asked if there was a better contact that might be able to help, but hadn't heard back at the time of writing.
On the positive side, I couldn't see anything online indicating that anyone else had been caught out. That doesn't mean others haven't been affected, and perhaps the publication of this piece might reveal more people who have been caught out by this approach, or something similar.
Without escalating things further, there was one last thing to do. I'd been chatting to the person responsible for a couple of hours. We'd had a relatively placid conversation. They weren't trying to troll me, and even after realising they were talking to the person they were potentially impacting, they didn't seem to want to do any further damage.
So I asked: could they, possibly, stop using my name? They agreed, although I'm not sure how much I believe their answer. "It was only for one thing, didn't realise [Ulti] would actually say something," they said.
I wonder what would have happened if they didn't.