From DiscordApp.com to Discord.com: How Dropping "App" Closed a Door Phishers Loved
How Discord launched in 2015 on DiscordApp.com because Discord.com was taken, quietly bought the bare word, and in 2020 made discord.com its primary home — partly for brand cleanliness, partly because the "discordapp.com" vs "discord.com" split was a gift to phishers and malware crews.
- domains
- branding
- startups
- domain-upgrades
Before Discord was a verb for "hop on the server," it lived at a slightly longer address: DiscordApp.com.
The "App" was not a branding choice. It was a workaround. When Jason Citron and Stanislav Vishnevskiy launched their voice-and-chat tool in May 2015, the exact-match domain — Discord.com — already belonged to someone else, registered back at the turn of the millennium. So the product shipped onto the web wearing a modifier. Per Wikipedia, Discord was publicly released in May 2015 under the domain name discordapp.com. One write-up of the early days puts it plainly: Discordapp.com was Discord's official URL in its first launch year.
That gap between the name a company wants and the name it can get is one of the most common problems in startup branding. The product was already called Discord. The world just couldn't reach it at Discord.com yet.
What makes Case 13 different from the usual "buy your exact match" story is the seam the workaround left behind. For five years, Discord ran on two addresses at once — the brand it used (discordapp.com) and the brand it wanted (discord.com) — and that two-domain split turned out to be exactly the kind of ambiguity that phishers, scammers, and malware crews feed on. This is the story of a domain upgrade that was partly about brand cleanliness and partly about closing a security hole the company had been living with since launch.
2015: the tool that needed a name it couldn't have
Discord did not start as a consumer phenomenon. It started as a fix for a specific annoyance.
Citron came to it with money and scar tissue. He had founded the social gaming network OpenFeint, and — as Wikipedia records — later sold it to GREE in 2011 for $104 million, which he used to found Hammer & Chisel, a game development studio, in 2012. The studio's game didn't take off, but the chat tool the team had built to coordinate raids did. The fix became the product.
The name was settled early, and for ordinary reasons. According to Wikipedia, the name "Discord" was chosen because it "sounds cool and has to do with talking", was easy to say, spell, remember, and was available for trademark and website. Note the last clause — available for trademark and website. "Available" is doing a lot of quiet work there. The trademark was clear. The bare .com was not.
So the team did what countless startups do: it added a modifier and shipped. "Discord" the brand launched as "DiscordApp" the address. And it worked. The user base snowballed almost immediately. By Wikipedia's account, by January 2016, Hammer & Chisel reported Discord had been used by 3 million people, with growth of 1 million per month, reaching 11 million users by that July and 25 million by year's end.
That curve is the catch. Every one of those millions learned the brand as "discordapp.com." Every invite link, every shared screenshot, every bookmark cemented the workaround a little deeper. The longer a modifier rides along, the more expensive it gets to remove — not in dollars, but in the muscle memory of an audience that has typed the wrong word a hundred times.
The move to Discord.com
Discord didn't have to rename anything. The product was always called Discord. It just had to change its address — from DiscordApp.com to Discord.com — and to do that, it first had to own Discord.com.
It did, quietly, years before it used it. The domain had been registered in 2000, long before the company existed. According to domain-industry coverage, the company acquired the domain Discord.com back in 2017 — but didn't switch to it. For a while, the .com was a redirect to the discordapp.com domain they have used since the start. The company owned the clean name but kept pointing it back at the workaround.
The real flip came in 2020. As one domain analysis notes, while some sources put the purchase in 2017, the only factual statement is that the move to the new domain happened on May 4th 2020. Discord made discord.com primary and — sensibly — decided to keep the old domain up as a redirect, so existing links wouldn't break. The social handles followed the address: the company changed their social media handles from @discordapp to @discord only.
The switch wasn't only cosmetic, either — it reached down into the plumbing. Bot and library developers had to repoint their code, because the API itself was moving. The maintainers of the popular discord.py library opened a tracking issue noting that Discord is moving from discordapp.com to discord.com, with a hard cutover: if the domain used to connect to the discord servers is not changed by November 7th 2020 then clients using the library will be unable to connect. A domain "upgrade" that most users never noticed was, for the developer ecosystem, a deadline.
The backstory: why a two-domain split is a phishing gift
Here is the part that makes Case 13 more than a tidy branding story.
When a company operates under two near-identical domains for years, it trains its own users to accept both as legitimate. "Is discordapp.com the real Discord, or is it discord.com?" Most people couldn't say with confidence — and that uncertainty is precisely the soil phishing grows in. If users will trust two official domains, they'll trust a third that looks almost like them. Slight variations on the name — an extra letter here, a swapped word there — become easy disguises, because the genuine article already came in more than one flavor.
That risk wasn't hypothetical for Discord, and it has a long tail. Discord's content-delivery network still lives on the old name, at cdn.discordapp.com — and that domain became one of the internet's favorite places to stage malware, precisely because it looks trustworthy. Security firm Zscaler documented how an attacker can upload a malicious file on a Discord channel and share its public link with others—even non-Discord users can download it. Worse, they found, a file sent from Discord is there forever, so even if an attacker deletes a file within Discord, its link can still be used to download the malicious file.
The threat-intel firm Intel 471 spelled out why the domain itself is the weapon. Once a file is uploaded, a direct link is generated by the platform, and attackers then can choose to disseminate these links through phishing emails, social media or other channels. The link follows the format https://cdn.discordapp.com/attachments/{channel ID}/{file ID}/{file name} — a real Discord domain, with a real TLS certificate, sailing past filters because if the Discord domain isn't disallowed by security controls, it's an effective way to deliver harmful content. Malwarebytes' research team has tracked the same pattern, warning of a new phishing campaign uses Discord for payload delivery and noting that criminals abuse Discord to host malware because of its robust CDN infrastructure.
Collapsing the user-facing brand onto a single, canonical front door — discord.com — doesn't fix CDN abuse. But it does the one thing branding can do for security: it makes "what does the real Discord look like?" a one-word answer. The fewer official spellings a brand has, the fewer disguises an attacker can hide behind.
The money looked different then
It is tempting to treat Discord buying Discord.com as obvious — of course the company eventually owns its own name. But the decisions were made in a fog, not in hindsight.
Look at the timeline. The team acquired Discord.com in 2017, when Discord was a fast-growing but unproven gaming-chat app, years from its pandemic-era ubiquity and its multibillion-dollar valuation. Then it sat on the clean domain as a redirect for roughly three years before flipping the switch in 2020. That patience is the interesting part. Discord owned the better address and chose, repeatedly, not to disrupt a working product to use it.
That's the real cost calculus of a domain upgrade, and it's rarely the purchase price. The hard part is the migration: re-pointing apps, APIs, OAuth scopes, saved passwords, browser permissions, deep links, and a sprawling third-party bot ecosystem — without breaking the live thing millions of people use every day. Discord could afford to buy Discord.com long before it could afford to move to it. The 2017 purchase secured the option; the 2020 switch exercised it, once the product was stable enough to absorb the churn and the November 2020 developer deadline could be enforced.
Why dropping "App" mattered
The distance between DiscordApp.com and Discord.com is three letters. Strategically, it is the distance between the app and the place.
DiscordApp.com names a piece of software — a thing you download, an application among applications. Discord.com names a destination — a place you go, a community you belong to, a verb people use without thinking. One points at a product. The other simply is the brand. And as Discord grew past gaming into something people use for clubs, classes, and friend groups, "App" started to feel like a relic of how the company first described itself.
| Before | After |
|---|---|
| DiscordApp.com | Discord.com |
| Names "the app" — a downloadable product | Names the brand — a place and a verb |
| Carries a workaround modifier | Carries nothing but the word |
| Two official spellings users must trust | One canonical front door |
| Leaves a seam phishers can imitate | Closes the "which one is real?" gap |
This is the recurring pattern in domain upgrades: early names describe or qualify; great names own. A modifier like "App," "HQ," "Cab," or "The" is a reasonable on-ramp when the clean name is taken. It becomes drag — and, in Discord's case, a small security liability — the moment the company is big enough that the bare word should be the destination.
The sequence: own it first, move when it's safe
The order of operations here is worth slowing down on, because it inverts the usual startup advice to "switch to your exact-match the day you get it."
Discord didn't. The sequence was:
- The name was chosen first — "Discord," settled because it was memorable and the trademark was available, even though the bare .com was not.
- The product launched on a modifier — discordapp.com, because Discord.com was occupied from a registration dating to 2000.
- The exact match was acquired but held in reserve — Discord bought Discord.com in 2017 and ran it as a redirect, not a replacement.
- The switch happened when the product could absorb it — the move to the new domain happened on May 4th 2020, with a developer cutover deadline of November 7, 2020.
The lesson isn't "delay your upgrade." It's that owning the clean domain and migrating to it are two separate projects with two different risk profiles. Discord secured the asset early and cheaply, then chose the moment to move it carefully — keeping the old address alive as a redirect so nothing broke.
The domain became part of the operating system
Premium domains matter for one unglamorous reason: repetition.
A core domain shows up everywhere a company can't fully control — in invite links, OAuth consent screens, email addresses, press coverage, browser bars, search results, and every spoken "join my server." Each repetition either adds friction or removes it. DiscordApp.com asked everyone to carry three extra letters forever, and it quietly taught users that Discord came in two official spellings. Discord.com asked for nothing and answered the trust question in one word.
The brand evolution reinforced the address. When Discord formally repositioned away from gaming in mid-2020 — the same year it moved domains — it told its community, in its own blog post, that we're launching a new website with a new tagline: Your place to talk. It admitted that the way we talked about ourselves sent the wrong signal to the world. A name that called itself "App" sent a narrower signal than a company that wanted to be more welcoming, more inclusive, and more trustworthy. "Trustworthy" is the operative word — and a single canonical domain is part of how a brand earns it.
What founders should learn from Case 13
The easy takeaway — "own your exact-match .com before you launch" — is the wrong one, because Discord couldn't. The more useful lessons are about modifiers, timing, and security:
- A modifier is a fine on-ramp. "App" let Discord launch under its real name while the bare word was held by a registrant from 2000. Launching on DiscordApp.com was not a failure; it was a reasonable way to ship.
- Buying the clean domain and moving to it are different decisions. Discord acquired Discord.com in 2017 and didn't switch until 2020. Securing the asset bought an option; exercising it could wait for a safe moment.
- Count the seams, not just the letters. The cost of running two domains isn't only three extra characters — it's the ambiguity. Two official spellings teach users to trust look-alikes, and look-alikes are what phishers ship.
- One canonical front door is a security feature. Collapsing onto discord.com didn't stop CDN abuse on cdn.discordapp.com, but it made "what does the real Discord look like?" a one-word answer — and that clarity is something attackers can't easily counterfeit.
The domain upgrade didn't make Discord win. Product, timing, the pandemic, and an explosive community did far more. But discord.com made the brand cleaner to type, easier to trust, and harder to spoof — which, for a platform built on links strangers click, is not a small thing.
The Namefi angle
Discord's story is, underneath the branding, a control-and-continuity problem.
The strategic call was never in doubt — of course a platform called Discord should live at Discord.com. The work was everything around the asset: acquiring a premium domain registered two decades earlier, then proving ownership, holding it safely as a redirect, and finally migrating a live product — apps, APIs, OAuth, saved credentials, and a third-party bot ecosystem — onto it without breaking anything or, crucially, opening a window for impersonators during the cutover. That last point is the security thread running through the whole case: ambiguity about which domain is really yours is exactly what attackers exploit.
Namefi is built around the idea that domains should behave like internet-native assets. Tokenized ownership can make domain control easier to verify, transfer, and integrate into modern workflows while staying compatible with DNS — turning the slow, trust-heavy parts of a deal like this (confirming who owns what, moving the asset, and keeping continuity through a migration) into something closer to a clean, auditable transaction. When ownership of a name is provable and portable, "is this the real Discord?" gets easier to answer — for the company and for everyone clicking its links.
Discord.com looks inevitable now because Discord became enormous. But the lesson lands earlier: when a name is going to carry the business — and especially when a workaround domain leaves a seam that scammers can crawl through — the domain isn't decoration. It's the front door, and you only want one.
Sources and further reading
- Wikipedia — Discord (software)
- The Domains — Discord now using Discord.com, the domain is no longer just a redirect
- Domainer — How the Discord.com Domain Sale Reshaped the App
- GitHub (discord.py) — Change of Discord domain from discordapp.com to discord.com (Issue #4063)
- Discord Blog — Your Place to Talk
- Zscaler — Discord CDN: A Popular Choice for Hosting Malicious Payloads
- Intel 471 — How Discord is abused for cybercrime
- ThreatDown by Malwarebytes — New phishing campaign uses Discord for payload delivery
- Remote Tools — When was Discord made?
- Discord Support — Discordapp.com is now Discord.com
About the author(s)
Related guides
- From Box.net to Box.com: The ~$1M Upgrade That Dropped the ".net" and Bought the Exact MatchHow Box launched in 2005 on Box.net because Box.com was taken, pivoted from consumer storage to the enterprise, and in 2011 paid Digimedia close to $1 million for the exact-match Box.com — a .net-to-.com upgrade that landed right as the company became simply "Box."
- From BufferApp.com to Buffer.com: The 624-Day, Bank-Statement-Open Domain DealHow Buffer launched in 2010 on BufferApp.com because Buffer.com was taken, then spent 624 days acquiring the exact-match domain — even showing the seller its bank balance — and why a company famous for radical transparency stayed quiet on the one number everyone wanted: the price.
- From Ctrip.com to Trip.com: How China's Travel Giant Bought a 1996 Domain to Go GlobalHow Ctrip, China's largest online travel agency, acquired the premium Trip.com domain in 2017 from a startup called Gogobot, relaunched its global brand around it, and in 2019 renamed the entire parent company Trip.com Group to expand internationally.
- From del.icio.us to Delicious.com: The Cleverest Domain Hack on the Web — and Why Yahoo Untangled ItHow the pioneering social-bookmarking site launched in 2003 as the famous domain hack "del.icio.us," why those dots became a permanent tax on every mention, and how Yahoo moved it to the cleaner Delicious.com in 2008.