
Minor Strikes: Young cyber threat actors are on the rise

Recent findings by leading cyber security company Avast have shown a rise in the use of Malware-as-a-Service (MaaS) among teenagers online via services such as Discord.

‘Hacking’ is cool again, and with youngsters using the internet for almost all of their contact with peers, what has been deemed petty cyber crime among teens is likely to increase further.

A ransomware investigation by Avast has unearthed new trends amongst the younger generation of internet users. What appeared to be “regular” ransomware in use was investigated further after some unusual findings were identified.

There were a variety of methods being utilised: encryption, cryptominers and information stealers.

There was also a trend of encrypted files being renamed with the extension “.LUNAR”, and the ransom request was often as low as $25. These are not the expected extortion tactics of modern-day professional ransomware groups.

When investigating further, the team found that there was a correlation between the ransomware of interest and a common Discord server dedicated to the malware family known as “Lunar”.

Discord is a social media and communication platform, launched in 2015, enabling users to communicate over instant messaging and VoIP (Voice over Internet Protocol). It has become popular with online gamers and programmers keen to talk amongst a like-minded community, learn more and show off their coding abilities.

Malware-as-a-Service products are available to anyone able to contact an available vendor and purchase the services of developers being offered for sale. It’s a common method for threat actors with limited ability to obtain malicious software to utilise in a cyber-attack.

They will in turn pay for these services and potentially promote the successful use of them, aiding the developer of the malware in generating further revenue.

Within the Discord server, this Lunar malware was being sold, with the creator also taking suggestions for future development and even hosting giveaways.

It was whilst monitoring these chats that the Avast researchers assessed with confidence that the users were predominately between the ages of 11 and 16.

“We presume that this is exactly the reason why the author of Lunar, known on Discord as Nex, advertises low prices (5-25 EUR) for access to their malware builder,” Avast malware researcher Jan Holman says.

“This hypothesis is also supported by the fact that a lot of the malware’s functionality, and most of the plugins submitted by other members of the community, are aimed at annoying victims rather than causing actual harm.”

Further study of the actions of the service identified alternative uses for the Lunar malware that are a change from the norm of the usual threat actor tactics and objectives.

The seller of the service was promoting features such as the ability to steal gaming accounts and delete gaming data folders from popular online games such as Fortnite and Minecraft, and even a script to repeatedly open porn sites on a browser.

Whilst likely seen as ‘harmless fun’ or ‘pranks’ carried out by teenagers, the consequences can be far greater than a laugh and a joke. Apart from the criminality (offences against The Computer Misuse Act 1990 in the UK), the young users are providing their credentials or financial details (credz or fullz in Discord speak) to persons already of questionable character.

These could be used for further purchases by those sellers, or the malware being purchased could infect a family computer putting further innocent parties and their data at risk.

Whilst the UK is estimated to generate only around 4% of Discord traffic, cyber crime is borderless, and the use of VPNs is likely to skew the figures.

Organisations should look to raise awareness of the use of Discord and the MaaS opportunities it provides, particularly around staff and their families.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
