It’s no secret that scammers are constantly trying to trick torrent users into downloading malicious content.
These files are generally easy to spot and swiftly removed from well-moderated sites. As such, they are mostly a nuisance for novices.
But, when a well-known uploader with a “trusted’ status on some torrent sites gets involved, things change. Last week we reported that “CracksNow,” who shared tens of thousands of cracked software titles in recent years, had been banned from several sites after posting torrents with ransomware.
While we have reported on the torrent ecosystem for more than a decade, a reputable uploader ‘going rogue’ was something we had never seen before. Was it another sign of a decaying torrent community? Or perhaps an uploader who wanted to “cash in” on his work?
To find out more, we reached out to “CracksNow” days before we published our article. We initially received no response, but this week the uploader contacted us, explaining that there was no malicious intent on his part.
The ransomware was real and it did harm the computers of an unknown number of downloaders. However, CracksNow says he didn’t upload these malicious files. In fact, he went to quite a bit of trouble to ensure that his releases did not trigger any alarm bells.
“I had a person who checked all the files for malware before they were uploaded. All the files were run in a sandbox and were dynamically analyzed for malware,” CracksNow tells us.
When the malware reports kept coming in, resulting in bans for the uploader, the files were checked again. That’s when he noticed that some uploads were different.
“When I was demoted on TorrentGalaxy, I was testing all the files again for malware to see which torrents were infected. During my testing, I discovered that the infohash of the torrent file on my server was different from those on the torrent sites.”
An admin at TorrentGalaxy shared some of the account logs which revealed that CracksNow torrents were being deleted and replaced with new files. These newer files, presumably uploaded by someone else, came with the ransomware which caused all the trouble.
TorrentFreak reached out to TorrentGalaxy admin LRS, who confirmed that the site logs indeed showed that torrents were deleted and reuploaded.
However, by then the damage had already been done. After an admin at 1337x helped TorrentGalaxy by pointing out the ransomware issues, both sites banned the Cracksnow account.
The upload irregularities could mean that CracksNow’s accounts were compromised by an outsider. While this is impossible to verify independently, it sounds like a plausible explanation.
The uploader has no idea how someone managed to get his credentials but he doesn’t want to hide behind any excuses either. Even if someone else uploaded the malware, CracksNow takes full responsibility for what happened.
“It’s my responsibility to keep my account secure and I failed in that. A lot of users who trusted CracksNow got infected and got their files encrypted. I feel really bad about this and I am sorry to everyone who got infected,” CracksNow says.
The result is that the uploader lost his accounts with thousands of torrents at several popular sites, but he understands this as well. There was no way to check which uploads were infected, so deleting everything was the logical option.
“I fully support the decision. All the torrents should be deleted so that nobody else gets infected. I don’t want anyone to get infected because of me. The damage done to the reputation of CracksNow is irreversible. I will never be able to upload on the torrent sites again and I understand that.”
The good news for the uploader is that he still has his own site. However, this was also affected by last week’s news. The site was hacked over the past week and infected with malware. As a result, Google’s ominous red warning banner is now showing up in many web browsers.
While we felt obliged to report CracksNow’s side of the story, we are not passing any judgment one way or the other. It’s impossible to verify the complete backstory. This means that, as always, people should tread with caution, which applies anywhere on the web.