Discord’s Age Verification Defeated By a 3D Avatar You Control With a Game Controller
Hours after Discord announced mandatory facial scans, a developer released a free tool that bypasses it using a rigged 3D model controlled by your Xbox or PlayStation controller.
Discord announced mandatory age verification globally. Starting March 2026, all 200 million users default to “teen mode” unless they verify age by uploading government ID or taking a facial scan selfie.
Within 24 hours, developer “PromptPirate” released a free browser-based bypass tool on GitHub. It’s a single HTML file that loads a rigged 3D avatar you control with a gamepad (DualSense, Xbox controller) or keyboard. Point it at Discord’s age verification camera and it passes.
The tool supports VRM, FBX, and GLB model formats with automatic bone detection for head, neck, and jaw movement. You control head rotation with the left stick and mouth opening with the right trigger. There’s even a “morph target tester” to preview facial expressions and adjust mouth movements.
It works because Discord’s facial verification runs client-side—meaning the check happens in your browser, not on Discord’s servers. If the verification logic is on your device, you control what gets verified. The tool literally hijacks your webcam feed and replaces it with a controllable 3D avatar.
Update from the developer: “Discord may be adding blink tests now, so let me know if they are and I’ll map that with an update. Either way, Discord is rooted in the short/long term, time to bail.”
Discord spent months building age verification that forces users to hand over biometrics or government IDs. A developer defeated it in one day with a free HTML file and a PlayStation controller.
This is what happens when you build client-side security and call it “cutting-edge verification.”
If you’re a Discord user concerned about privacy:
The bypass tool exists at github.com/promptpirate-x/discord-id-bypass-tool but using it violates Discord’s ToS (account suspension risk)
Facial scan is less risky than uploading government ID to third-party vendors
Consider alternatives: Matrix/Element, TeamSpeak, Mumble, or self-hosted chat
Discord’s “age inference model” may auto-classify you as adult based on account age, login patterns, and usage (no verification needed)
For parents:
Teen-by-default settings restrict DMs and block NSFW content (actually protective)
The bypass proves age verification is theater, not real protection
Use Discord’s Family Center to monitor teen accounts legitimately
Talk to kids about what they’re accessing—tech controls alone don’t work
For platform designers:
Client-side verification will always be bypassable
Centralized ID databases are breach honeypots (Discord’s vendor leaked 70K IDs in Oct 2025)
Privacy-invasive solutions that don’t work are the worst outcome
If the security check runs on the user’s device, the user controls the check. This is why DRM fails, why jailbreaks work, and why client-side age verification is security theater.
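The trust boundary described above, as an added example (not code from Discord, the bypass tool, or this article): a server that accepts a verdict reported by the browser, next to one that only accepts a verdict signed by its own verifier for a nonce it issued. All function names, the session IDs and the HMAC token format are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key, shared only by the server-side verifier and the API server.
VERIFIER_KEY = secrets.token_bytes(32)
_pending = {}  # session_id -> one-time nonce issued by the server


def naive_accept(client_body: dict) -> bool:
    """Weak: trusts a verdict computed and reported by the user's device."""
    return client_body.get("age_check") == "passed"


def issue_challenge(session_id: str) -> str:
    """Server issues a single-use nonce bound to this session."""
    nonce = secrets.token_hex(16)
    _pending[session_id] = nonce
    return nonce


def verifier_sign(session_id: str, nonce: str, is_adult: bool) -> dict:
    """Server-side verifier signs the verdict it reached itself."""
    claims = json.dumps({"sid": session_id, "nonce": nonce, "adult": is_adult},
                        sort_keys=True)
    tag = hmac.new(VERIFIER_KEY, claims.encode(), hashlib.sha256).hexdigest()
    return {"claims": claims, "tag": tag}


def hardened_accept(session_id: str, token: dict) -> bool:
    """Accept only a verifier-signed verdict for this session's live nonce."""
    nonce = _pending.pop(session_id, None)  # consumed on first use, so replays fail
    if nonce is None:
        return False
    claims_raw = str(token.get("claims", ""))
    tag = str(token.get("tag", ""))
    expected = hmac.new(VERIFIER_KEY, claims_raw.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False  # not produced by the server-side verifier
    claims = json.loads(claims_raw)
    return (claims["sid"] == session_id and claims["nonce"] == nonce
            and claims["adult"] is True)
```

Moving the decision server-side removes the forged verdict, not a synthetic camera feed: whatever the verifier inspects is still supplied by the user's device.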
Discord chose the worst possible implementation: invasive data collection that doesn’t actually work.
The verification was defeated in under 24 hours by a single HTML file anyone can run. No installation, no compilation, just “open in browser and plug in Xbox controller.” It even comes with a demo 3D model to test immediately.
But even if the bypass didn’t exist, forcing users to upload government IDs to third-party vendors—especially after they leaked 70,000 IDs last October—is indefensible from a privacy perspective.
This is the age verification paradox in action: effective verification requires invasive data collection (massive breach risk), while privacy-preserving verification gets bypassed instantly.
Discord tried to thread that needle and failed at both goals.
— Alex



