How Honeypot Systems Work (and Why They Become Complex)
Written by RiskyMH
Behind the simple concept of a bait channel is a detection system that has to fight Unicode tricks, image spam, and compromised accounts at scale.
A honeypot may start as a simple bait channel, but modern spam quickly turns it into a more complex detection system. The real engineering lies in the gap between the basic idea and something that works reliably at scale.
This article focuses on Discord, one of the most active platforms that has recently become a huge target for automated abuse.
The simplest possible honeypot
Strip the idea to its minimum: one bait, one trigger, one action.
You create a channel. You make it visible to new members. You do nothing with it. Anyone who sends a message there gets removed.
In the right conditions, this works remarkably well. The reason has nothing to do with content analysis or pattern matching. It works because of what the channel represents: something no legitimate user would ever interact with. A space that is visible but should never be touched. The moment someone touches it, something is wrong.
Why it works: automation is predictable
Human behaviour in online communities follows recognisable patterns. People read before they write. They orient themselves by checking pinned messages, reading recent conversation, and getting a sense of the room. They respond to context and choose where to say something based on what a channel is for.
Spam bots and compromised accounts do not do any of this.
Automated systems optimise for reach, not relevance. A bot running a phishing campaign does not evaluate which channels are appropriate - it sends to every channel it can access. A compromised account spreading a crypto scam does not pause to read pinned messages. The channel name, the posted warning, the existing conversation - none of it registers.
This behavioural gap is the foundation of honeypot detection. The trap does not need to understand the message. It only needs to observe that the sender could not distinguish between a real channel and a bait one. That distinction between a human who reads and a bot that blasts has remained remarkably stable even as spam techniques have evolved significantly in other ways.
The evolution of Discord spam
Understanding why detection systems become complex requires understanding what they are up against. Discord spam has changed substantially over the years, and each wave forced defenders to adapt.
Early raids
The first large-scale Discord spam was blunt: dozens of accounts joining simultaneously, sending identical text in rapid succession. The content was the same across accounts, the timing was the same, the usernames followed the same template. Defenders could write a regex, set a rate limit, and catch most of it.
Content gets smarter
Spammers introduced variation to defeat exact-match filters. The same underlying message would arrive in slightly different forms → different punctuation, different spacing, synonyms swapped in. Unicode became a tool: visually identical characters from different code points could silently break keyword matching. A filter looking for discord.gg/scam would not catch discord.gg/ꜱcam, because ꜱ (U+A731, Latin Letter Small Capital S) is not the ASCII letter s. The messages looked identical to a human reader and invisible to a text filter.
Image-based spam
When text filters improved, spammers moved to images entirely. A message containing no text, just an image promoting a fraudulent scheme, cannot be caught by any text-based rule. This has become increasingly common and remains one of the harder problems for content-based detection to address.
Compromised accounts
Modern Discord spam frequently does not come from freshly created bot accounts, rather it comes from real accounts that have been stolen. A user runs a malicious file and software quietly extracts their session token. Because Discord authenticates via tokens after the initial login, an attacker with a valid token can operate an account immediately, bypassing passwords and two-factor authentication entirely. Discord's own safety documentation confirms this: resetting your password generates a new token and invalidates any stolen one.
The account used to spam your server may be months or years old, with a normal conversation history, already a member of servers with strict verification requirements. Age-based checks, activity thresholds, and manual review all fail against a stolen account that already passed them.
The scale of this problem is documented in Discord's Q2 2022 Transparency Report: in a single three-month window, Discord disabled 27,733,948 accounts for spam or spam-related offences, with 90% of those caught proactively before any user report. That figure is from 2022. The problem has not decreased since.
Discord's own breakdown of spam types, published in their fighting spam article, is useful context. They categorise it into three groups: generated accounts operated entirely through automation; compromised accounts (real users whose sessions were stolen and whose account is then used to spam people who trust them); and human-operated accounts run by actual people. Compromised accounts cause, in Discord's own words, "some of the highest user-impact spam", precisely because the messages arrive from accounts that look legitimate to everyone in the server.
Why simple rules stop working
The instinct when encountering spam is to describe what it looks like and block messages that match. This is keyword filtering and it fails in predictable ways.
False negatives emerge as soon as the attacker observes what is being blocked. The spam changes. The filter misses it. You update the filter. The spam changes again. This is an arms race the defender is structurally behind in, because the attacker sees what gets blocked and adapts, while the defender only sees what gets through.
False positives are the opposite problem. As filters become more aggressive, they start catching legitimate messages. A filter blocking all external links catches spam and also catches every member sharing a resource. A rate limit aggressive enough to stop a raid also catches a moderator trying to respond in real time. Every tightening of a threshold increases the cost to legitimate users.
Content becomes unreliable as a signal. If the spam uses images instead of text, content filters have nothing to scan. If it uses homoglyph substitution, keyword matching fails. If the account sending it has a legitimate conversation history, anomaly detection on account age will not trigger.
Static rules applied to message content always hit this ceiling. The attacker's surface area is the content and content is cheap to change.
Behavioural signals
The alternative is to focus not on what the spam says, but on what the spammer does.
Behaviour is harder to fake than content. A spammer can randomise a message in seconds. They cannot easily randomise the pattern of their movement through a server, or convincingly mimic the pauses, the context-sensitivity, and the selective choices of a real user reading and responding to a conversation. Automation is consistent in ways that humans are not, and that consistency becomes visible if you know where to look.
This is what makes the honeypot channel durable as a signal. It does not ask anything about message content. It asks a single binary question: did this account send a message in a channel that real users never touch? If yes, something is wrong and the confidence in that conclusion is high precisely because the channel has no legitimate use case.
Other behavioural signals sit alongside it. An account that sends to many channels in rapid succession looks automated. One that joins and immediately posts with no dwell time is suspicious. And one that ignores conversational context - sending the same message regardless of what was said before - almost certainly is. Each of these signals is weaker than the honeypot trigger on its own, but they become useful in combination.
Layered detection
Real spam detection systems combine multiple signals, each providing partial evidence, and use the combination to reach a decision.
Think of it as accumulated evidence. A honeypot trigger contributes strong evidence something is wrong. Sending to many channels in quick succession adds moderate evidence. Joining within the last few seconds adds weaker evidence. Prior interactions with the server may reduce the overall weight. When the accumulated evidence crosses a threshold, action is taken. Below it, the account is watched.
This architecture has practical advantages. Weak signals that would generate too many false positives alone become useful when combined with others. The system is harder to game, because defeating one signal does not defeat the rest. And it supports natural escalation: a low-confidence detection might produce a temporary timeout; a high-confidence one produces a permanent ban.
The honeypot channel sits near the top of this confidence hierarchy. Because legitimate users genuinely never interact with it, false positives are rare. It is fast, cheap, and high-signal - and for many servers it is sufficient on its own.
When honeypots make sense
The channel-based approach works well in specific conditions.
Large public communities are the primary targets for automated spam. The larger a server, the more attractive it is - more potential victims, more channels, more damage when a raid lands. These are also the servers where an extra obscure channel goes unnoticed by real users.
Communities that experience raids. When a spam event can expose thousands of members to phishing links in seconds, human moderators cannot react fast enough. Automated, immediate removal is the only practical response at that speed.
Servers with open invites and many unknown members. The approach relies on legitimate users not accidentally triggering it. In large public servers with many new members daily, that risk exists but is manageable - particularly with a visible warning message inside the honeypot channel itself.
When they do not
Private or tight-knit communities. In a small server where every member is known, a false positive matters more. A legitimate user who messages the wrong channel gets removed. In a community built on trust, that is a meaningful cost with real consequences.
Servers where every channel sees active use. If the community uses all its channels regularly, an unused bait channel either stands out and draws curious members, or blends in and attracts accidental interactions. Neither outcome is good.
Servers with very low spam exposure. A small, invite-only server does not need automated spam detection. The overhead and the risk of false positives outweigh the benefit of catching bots that are unlikely to appear.
These are not arguments against honeypots generally; they are reasons to match the tool to the context. A large public server and a private friend group have different threat models, and applying the same approach to both does not make sense.
What this means in practice
Spam detection is ultimately about understanding behaviour more than content. Spam messages change constantly. The way automated systems move through a server changes much more slowly.
That is the lasting strength of the honeypot approach: it exploits a reliable behavioural difference. Automation tends to touch everything it can reach. Real users are selective.
Building this reliably across tens of thousands of servers (while keeping false positives low) is the challenge I tackled with Honeypot.
Further reading
Adjacent notes and related topics.
My Discord Account Got Hacked: How to Recover It and Lock It Down for Good
Token theft, phishing, and social engineering are how Discord accounts actually get taken over. Here is how to recover one and lock it down for good.
What is a Honeypot?
A decoy that catches attackers by doing nothing. From Cold War-era network traps to Discord spam detection, here is how honeypots work and why they have lasted 40 years.