The latest articles on DEV Community by yuax (@yuaxx). https://dev.to/yuaxx https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3948329%2F9309baac-4d66-4fd7-9aea-188a41a02fcb.jpeg https://dev.to/yuaxx en yuax Sat, 23 May 2026 22:49:03 +0000 https://dev.to/yuaxx/how-i-detect-discord-selfbots-without-reading-a-single-message-1k31 https://dev.to/yuaxx/how-i-detect-discord-selfbots-without-reading-a-single-message-1k31 <h3> The Problem </h3> <p>Discord selfbots - automated user accounts - are used for spam raids, phishing, and coordinated attacks. Traditional moderation bots scan message content, but that requires the MESSAGE_CONTENT privileged intent and raises privacy concerns.</p> <p>I wanted to catch bots without reading what people type.</p> <h3> The Insight </h3> <p>Discord's gateway broadcasts a <code>TYPING_START</code> event every time someone begins typing. This is metadata - it tells you WHO started typing, WHERE, and WHEN.</p> <p>A human needs 300-500ms just to switch focus between two Discord channels. A selfbot fires parallel HTTP requests and can trigger typing in multiple channels within 5-50ms.</p> <p>That gap is massive. A hard threshold of 150ms catches every bot without touching a single real user.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Selfbot Human ┌─────┐ ┌─────────────────┐ │5-50ms│ │ 300-500ms+ │ └─────┘ └─────────────────┘ ▲ ▲ │ │ CAUGHT SAFE </code></pre> </div> <h3> Beyond Typing: Ghost Detection </h3> <p>Some selfbots disable typing events entirely (using "silent typing" plugins). So I added the inverse detection:</p> <p><strong>If a message arrives WITHOUT a preceding TYPING_START - that's suspicious.</strong></p> <p>Normal Discord desktop clients always fire a typing event before sending. No typing + message = likely automation.</p> <h3> Channel Sequence Fingerprinting </h3> <p>Selfbots often iterate channels programmatically - by ID order (ascending or descending). Humans jump between channels randomly based on interest.</p> <p>If I see typing events hitting channels in perfect numeric ID order - that's a bot fingerprint.</p> <h3> The Stack </h3> <ul> <li> <strong>Rust</strong> - lock-free DashMap correlator, sub-millisecond detection</li> <li> <strong>Twilight</strong> - lightweight Discord gateway library (not discord.js)</li> <li> <strong>SQLite</strong> - persistent detection history, incident timeline</li> <li> <strong>Zero privileged intents</strong> - no MESSAGE_CONTENT, no GUILD_MEMBERS, no PRESENCE</li> </ul> <h3> What It Cannot Do </h3> <ul> <li>Read messages (by design)</li> <li>Catch 100% of threats (behavioral signals are probabilistic)</li> <li>Replace Discord AutoMod (it complements it - AutoMod for content, Wiretrip for behavior)</li> </ul> <h3> Try It </h3> <p><a href="https://wiretrip.lol" rel="noopener noreferrer">https://wiretrip.lol</a> - free, safe defaults (log-only mode), 30-second setup.</p> rust discord security webdev