Last updated:

💬 Discord OSINT

Discord hands you something almost no other platform does: an unspoofable account creation timestamp, baked into every ID. Here's how snowflakes work, how to resolve them without logging in, what you genuinely can't get, and where Discord "OSINT" quietly stops being OSINT.

Quick answer: Everything on Discord has a snowflake ID — a 17–19 digit number that encodes its creation timestamp and cannot be spoofed or changed. Get it via Settings → Advanced → Developer Mode, then right-click → Copy ID. Resolve it with Discord Lookup, Discord Utils or the Lanyard API — no login needed, public fields only. What you cannot get: server membership, private messages, or a username directory. Usernames change; the ID never does, so anchor on the ID.

The one thing to take away: the creation date is free, permanent and unfalsifiable. It defeats the most common lie in online investigations — claimed account age — before you open a single tool. Our timestamp converter decodes Discord snowflakes directly.

Snowflakes: the whole game

Discord borrowed Twitter's snowflake scheme. Every user, server, channel, message and role gets a 64-bit integer, and the creation time is inside the number. Discord's epoch is 1 January 2015 (Unix 1420070400000 ms). The first 42 bits are the millisecond offset from that epoch.

timestamp_ms = (snowflake >> 22) + 1420070400000

That is the entire trick. A user can change their username, display name, avatar, banner and server nickname as often as they like — the ID and its embedded timestamp never move. It is the most reliable artefact available on the platform because it is not a field someone filled in; it is a property of the identifier.

What that buys you
  • Account age, unfalsifiable. "I've been here for years" against a snowflake dated six weeks ago ends the conversation.
  • Throwaway detection. An account created hours before an incident is a throwaway, and the ID says so.
  • Cluster detection. Several accounts whose IDs fall within minutes of each other were almost certainly created by one person in one sitting. This is how sockpuppet rings surface.
  • Message timing. Message IDs carry timestamps too — useful when a message is deleted but its ID survives in a link or a log.
  • Server age. Servers have snowflakes as well. A "long-established community" created last month is not one.

Getting the ID

  1. Enable Developer Mode. Settings → Advanced → Developer Mode → on. Works on desktop, web, and both mobile apps.
  2. Right-click anything — user, server, channel, message, role — and choose Copy ID.
  3. Or read it from a URL. Profile and message links contain the snowflakes directly.
  4. Decode it. Paste into our timestamp converter, or use Snow Stamp / Discord Utils. Unfurl extracts timestamps from Discord URLs including attachments.

Tools

ToolWhat it doesLogin?
Discord Lookup / Discord UtilsResolve an ID to username, display name, avatar, banner, badges, bot flag, creation date. The standard first stop.No
Lanyard APIapi.lanyard.rest/v1/users/<id> — JSON presence and profile data. Only covers users in the Lanyard Discord, so misses are common.No
Snow StampSnowflake → timestamp, nothing else, does it well.No
UnfurlExtracts embedded timestamps from Discord URLs — users, channels, servers, file attachments.No
ToolsCordAll-in-one toolbox for servers, bots and users.No
Disboard / Discord.mePublic server directories. Find servers by topic — the closest thing to a server search.No
doxcordScans servers for social links carrying tracking parameters (Instagram, TikTok, Facebook), organised by user and server. Those parameters often leak the sharer's own identifiers.Varies
Maigret / SherlockTake the handle and find it on Steam, Twitch, Reddit and hundreds more. Gamers reuse usernames heavily — this is the strongest Discord pivot.No

What you cannot get — and who's lying about it

Discord does not expose server membership. There is no legitimate public way to list the servers a user is in. Any service advertising "find all servers a user is in" is doing one of three things, all of them bad: using breach-derived data, using bot tokens harvested across servers in breach of Discord's terms, or simply making it up.

The same goes for messages. You cannot read private servers or DMs. Sites hosting leaked server messages — DiscordLeaks being the best known, focused on white-supremacist and neo-Nazi servers — are breach-derived, not open source. They have a genuine place in extremism research and journalism, but they are a different legal and ethical category from reading a public server, and treating them as ordinary OSINT is how people get into trouble. See Is OSINT legal?

  • No username directory. The 2023 unique-handle migration killed discriminators and there is no lookup by name. Anchor on the ID.
  • No email or phone. Not exposed. If a tool offers it, it is breach data.
  • No IP. Anyone offering Discord IP resolution is selling a scam or a grabber — and deploying a grabber is an active technique with real legal exposure, especially in the EU.

A workflow that holds up

  1. Get the snowflake. It is the only stable identifier. Everything else the user controls.
  2. Decode the creation date before anything else — it is free and it frequently ends the question immediately.
  3. Resolve the public profile via Discord Lookup for current handle, display name, avatar and badges.
  4. Reverse the avatar. Profile images get reused across platforms constantly — run it through reverse image search.
  5. Pivot the handle outward with Maigret/Sherlock to Steam, Twitch, Reddit, GitHub. This is where Discord investigations are actually won: the gaming identity graph is dense and people reuse handles.
  6. Check public server directories (Disboard, Discord.me) for communities matching your subject's interests.
  7. Archive with IDs intact. Message IDs are timestamps — preserve them, not just screenshots.

Frequently asked questions

What is a Discord snowflake ID?

A snowflake is the 17–19 digit number Discord assigns to every user, server, channel, message and role. It is a 64-bit integer — a concept borrowed from Twitter — that encodes the creation time directly in its structure, counting from Discord's epoch of 1 January 2015 (Unix 1420070400000 ms). This is the single most valuable artefact in Discord OSINT, because the timestamp is baked into the identifier itself: it cannot be edited or spoofed after account creation, no matter how many times the user changes their username, display name or avatar.

How do I find someone's Discord ID?

Enable Developer Mode: Settings → Advanced → Developer Mode. Then right-click any user, server, channel or message and choose Copy ID. The ID is also visible in profile URLs. Unlike usernames and display names — which users change freely — the ID is permanent, which makes it the correct anchor for any investigation.

Can I look up a Discord user by ID without logging in?

Yes. Several public tools resolve a snowflake to public profile data — username, global display name, avatar, banner, badges, bot flag and the derived creation date — without you authenticating. Discord Lookup and Discord Utils are the common ones, and the Lanyard API (api.lanyard.rest/v1/users/ID) works for users in the Lanyard Discord. Only public fields come back; private and restricted data does not.

Can you find a Discord user by username?

It is unreliable, and that is by design. Discord's 2023 move to unique @handles removed the old discriminator system, and there is no public directory of usernames. The practical routes are: search the username across other platforms with Maigret or Sherlock, since gamers reuse handles heavily; look for it in server member lists you can already see; or dork for it. If you have the ID, use the ID — it is stable and the username is not.

How do I find what servers someone is in?

You generally cannot, and any tool claiming otherwise is either using leaked data or lying. Discord does not expose server membership publicly. What you can do is search public server directories like Disboard and Discord.me for servers matching a topic, then check member lists in servers you have legitimate access to. Server membership is not public data, and treating it as if it were is where a lot of Discord "OSINT" crosses into something else.

What is DiscordLeaks?

DiscordLeaks is a platform hosting leaked messages from servers that were compromised, with a focus on servers associated with white supremacist and neo-Nazi organising. It is used in journalism and extremism research. Note the category difference clearly: this is breach-derived data, not public data. Using it engages very different legal and ethical considerations than reading a public server, and it should not be lumped in with ordinary OSINT sources.

Is Discord OSINT legal?

Reading public servers and resolving public profile data from a snowflake is straightforwardly lawful — you are reading information Discord publishes. The lines are: joining a private server under false pretences, scraping in breach of Discord's terms while logged in, and using breach-derived datasets. Note that any tool needing a bot token or your account makes you an authenticated user bound by a contract you accepted — a weaker position than anonymous ID resolution. See our guide on whether OSINT is legal.

Why is the account creation date so useful?

Because it is unfalsifiable and it exposes the most common lie in online investigations: account age. Someone claiming a long history on a snowflake dated last month is done. It also spots throwaways created immediately before an incident, and clusters — several accounts created within minutes of each other are almost certainly one operator. You get this for free from the ID, without any tool at all.

What is doxcord?

An OSINT tool that scans Discord servers for social media links containing tracking parameters, identifying Instagram, TikTok and Facebook links that carry tracking identifiers, and organising them by user and server. It is useful because those tracking parameters often leak the sharer's own account identifiers — people paste links straight from their own apps without realising the URL carries their fingerprint.