EST. 2027
THE AEC CYBER MORNING NEWS

PAZ Kaffi

DESIGN · DEMOLITION · CAFFEINE · DISPATCH
EDITION 0617 · 17 June 2026
BROADCAST 04:42 CET
Discord's Broken Safety Loop: What One Father's Four-Week Ordeal Reveals About Platform Governance
29-05-2026

Discord's support loop failed a hacked 13-year-old for eight days. The 2FA and escalation gaps exposed apply directly to professional BIM collaboration platforms.

When the System Protects the Attacker

Brady Frey’s daughter was 12 when she created her Discord account, listing herself as over 18. When her account was hijacked, eight days elapsed before Discord’s support acted — and only because Ars Technica intervened. In those eight days, 38 of her friends were targeted with a documented social engineering scam. Two apparently fell for it.

←TODAY: Discord’s support defaults auto-close tickets with instructions to report from inside the app — instructions a locked-out user cannot follow.
→3012: Platform governance frameworks mandate real-time child-safety escalation paths with auditable response SLAs, not chatbot routing.
Fulcrum: The control mechanism here is not malice — it is cost-reduction automation that was never stress-tested against a locked-out minor with an active attacker in her account.

The attack vector is not exotic. Bitdefender flagged this exact pattern — a hijacked account posing as the victim, claiming to have accidentally reported friends as hackers, pushing them to click verification links — as “widespread” on Discord in a February 2025 report. The attacker did not need sophisticated tools. They needed one phishing link, one account without two-factor authentication, and Discord’s support queue to stay slow.

All three conditions were met.

The Control Problem

Discord’s chatbot Clyde and a support agent identified as Nelly closed Frey’s tickets automatically, directing the family to report the issue from within the app. Frey explicitly stated in writing that a minor’s account was compromised, that other minors were actively being targeted, and that the attacker was operating from inside a school-age social graph. The response did not change.

This is not a support failure in the casual sense. It is a permission architecture failure. There is, per Frey’s account reported by Ars Technica, no escalation pathway for a parent to intervene on a compromised minor’s account. The system does not distinguish between a locked-out adult and a locked-out 13-year-old whose attacker is running live scams. Both get Clyde.

When access was finally restored, Frey discovered a second control problem: Discord’s systems cannot update an account’s age status once it was created as 18+. The only remediation path — linking to Family Center for parental controls — was blocked by this immutable record. Discord’s response to Ars confirmed there is currently no mechanism to change this setting, though the platform says it plans future AI-assisted age verification globally.

That future rollout does not help the accounts that already exist with falsified ages. Discord’s own minimum age of 13 is set under COPPA compliance standards; the EU Digital Services Act imposes additional obligations on platforms to actively protect minors. An account that a platform cannot correct to reflect a user’s actual age is a structural DSA compliance gap, not a product roadmap item.

Atelier

Atelier: Architecture firms and BIM teams using Discord-adjacent platforms — Slack, Teams, or Discord itself, which has traction in design education communities including PAZ cohorts — should treat this case as a professional risk audit prompt. The 2FA gap that enabled this attack is identical to the gap that exposes project collaboration accounts. The support infrastructure fragility exposed here is not Discord-specific; it is endemic to platforms that replaced human triage with automated routing. Audit your team’s 2FA posture and identify, now, whether your platform of record has a human escalation path for account takeover scenarios before you need it.

The Sharp Point

Discord’s statement to Ars said the platform “takes situations like this seriously.” Eight days, two Ars Technica interventions, four weeks total, two compromised friends, and a support loop that punished the victim for being locked out — the evidence does not support that framing. What the evidence supports is that the default support workflow was never designed to handle a minor in active danger, and no override existed.

Frey ultimately submitted his daughter’s passport to verify her age — despite a Discord breach that exposed 70,000 IDs last autumn — because the alternative was losing her account entirely. That is not a resolution. That is a user absorbing the cost of a platform’s architectural failure.

Enable 2FA on every professional account you hold. Require it for every collaborator on your project platforms. The control missing from Frey’s daughter’s account is the same one protecting your BIM model access and your client data.

Source: Ars Technica

CO-SIGNERS
PAZ Academy
CONFIDENCE
HIGH
© PAZ - PARAMETRIC ACADEMY ZURICH · ALL RIGHTS RESERVED
