During the past few hours TorrentFreak has been absolutely overwhelmed with hundreds of emails asking about the possible resurrection of the infamous Demonoid BitTorrent tracker. After tracking down the owner of the new domain but being met with silence, we have now been informed by the site’s host that at the very least the site was hosting some kind of malware. The site has now been suspended, pending full shutdown.
In July 2012 the popular semi-private BitTorrent tracker Demonoid suffered a huge DDoS and hacker attack.
It soon became clear that the authorities were interested in the site as part of an investigation into the site’s alleged Mexico-based owners. Demonoid’s servers in Ukraine were seized shortly after.
With a site admin reportedly arrested then released as the case against the site stalled in Mexico, ex-users of the site have remained hopeful it would one day return. A fake site, Demonoid.mk, already caused serious confusion but now a new development has really stirred things up.
Overnight a new site – D2.vu – appeared claiming to be Demonoid resurrected. Former members of the site received the news via email, suggesting that someone with access to a database of Demonoid users had indeed set up the site. Emails received by TorrentFreak are somewhat of a mixed bag – some believe their emails were registered at Demonoid, others aren’t so sure.
“The heart and soul of Demonoid lives on!” the email exclaimed. “Through an amazing sequence of unlikely events, the data on those Ukrainian servers has made its way into the safe hands of members of our community and has now been re-launched as d2.vu.
“Invitations to return are being sent out only to existing Demonoid members, which is the reason you have received this email. For the foreseeable future d2.vu will remain a semi-private site and no new invitations to join will be issued until we are certain that the system is stable. To login, click here and authenticate using your old Demonoid username and password.”
The D2.vu domain claimed to be registered in Hong Kong via a Hushmail address. We tracked down the owner by other means and connected him to other Chinese-registered sites. We contacted him on his personal email account but thus far he has remained silent.
Of course, for former users the email offers tempting news and we know for a fact that dozens of people tried to log in as the email suggested. According to information obtained by TorrentFreak, that was probably the wrong decision.
The D2.vu site was hosted on a server owned by a company called RamNode in the United States, which in itself set off alarm bells. Then we discovered it was on a VPS, another warning sign. We contacted RamNode and received the following.
“I’m not sure what was going on with that VPS, but it was at the very least hosting some malware. As such, we have already suspended it and will probably terminate it soon,” RamNode’s Nick informs TorrentFreak.
When pressed on what type of malware, RamNode couldn’t help us further.
“I don’t have any further information to offer at this time unfortunately. Once we had a sense of what might be going on, we took the VPS down immediately,” Nick concludes.
TorrentFreak is aware that Demonoid was breached by hackers at least once, possibly twice or even three times in the past few years. We do not know what was taken, if anything, but the events of the past few hours suggest that a database, or part of one, from a date unknown, appears to be available.
Update: New information just in suggests that if you logged into the fake Demonoid and used the same user/password combo on any other site (torrent, email, Steam, PayPal) you should change them immediately.
Update 2: “The malware may not have been intentionally hosted on this VPS,” says Nick at RamNode in an update just received by TF. “It is possible that one of the ad banners running on the site triggered the malware alert. The server will still be removed from our network to prevent any further issues related to my company.”