Flippy, the admin of Torrentz told us that he noticed some worrying changes when he checked his website late last night. There were banners from Adbrite at the top and bottom of the site, banners that didn’t belong there. It turns out that “the hacker” we mentioned before, managed to change the nameservers of the torrentz.com domain. In the middle of the new page torrentz.eu was now loading in a frame, so the site was usable apart from the extra ads.

When Flippy added some Javascript to the torrentz.eu site to prevent it from loading inside the frame, the .com domain suddenly linked to some fresh warez forum and an image hosting site. The warez forum, warez2share.com, was apparently hosted on a shared hosting account, and it didn’t take long before the account was suspended because of the traffic overload.

The hacker didn’t stop there of course, and he soon changed the page to a single Adbrite banner. And as if that wasn’t enough, he decided to email Flippy, to tell him how good of a hacker he is. “So, I emailed him back, and informed him that I have a lawyer who will subpoena Adbrite first thing in the morning, to get the account’s details,” Flippy told us.

After some emails back and forth, the hacker suddenly changed his tone. After Flippy reminded him that forging a US driver’s license is a serious crime, he suddenly became surprisingly cooperative. Instead of bragging about his hacker skills, he was suddenly willing to change the nameservers back. At the time of publication, the domain details have indeed been reverted, and until the changes clear, torrentz.com is being redirected to the backup domain, torrentz.eu.

It is not over yet though, as Flippy told us that he will do everything he can to find out the identity of the ‘hacker’, so stay tuned.

Update: The hacker is from California and forged a CA drivers license, which he can be put in jail for. Flippy, however, decided not to go after him, since it would be very costly to do from Poland, and it’s not worth it for 4 hours downtime.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Soon it became known that a shadowy group known as MediaDefender-Defenders appeared to be behind the attack – they host the Media Defender emails on their website to this day, but little was known about the chain events, or who was behind them – until now.

In an interview with portfolio, the hacker (using the pseudonym ‘Ethan’) explains how things led up to the leak. Ethan, a polite high-school student who lives with his family, was on his Christmas break when he first gained access to the anti-piracy companies servers by exploiting a weakness in their firewall. This was the end of 2006, at a time when business was still good for Media Defender, with revenue standing at nearly $16m.

The interviewer, Daniel Roth, says he communicated with Ethan on pre-pay phone to ensure security. Meeting after school in a local bookstore, Ethan handed over a flash drive holding confidential Media Defender information, explaining that the initial security breach hadn’t amounted to much and that he had difficulty in gaining the interest of fellow hackers. However, a few months later Ethan decided to go back and take a second look – which bore more fruit – giving him access to the company’s email, it’s networked resources and even its telephone system. He then explains how he passed on some of the information to a fellow hacker who gained access to Media Defender servers and used them for denial-of-service attacks.

Logging in a handful of times each month through the summer of 2007, Ethan started to get bored with ‘Monkey Defenders’ – his pet name for the anti-piracy outfit. Deciding to go out with a bang, he and the Media Defender-Defenders gathered thousands of the company’s internal emails and published them on web.

A text file included with the emails stated: “By releasing these emails we hope to secure the privacy and personal integrity of all peer-to-peer users. The emails contains information about the various tactics and technical solutions for tracking p2p users, and disrupt p2p services,” and “A special thanks to Jay Maris, for circumventing there entire email-security by forwarding all your emails to your gmail account”

Just days later, slamming the anti-piracy company again and again seemed to be the aim of Ethan and friends, as they released a private telephone conversation with the New York attorney general’s office, a P2P tracking database, followed a few days later by all of Media Defender’s anti-piracy tools.

Ethan said that he didn’t set out to ruin Media Defender: “In the beginning, I had no motivation against Monkey Defenders” he said. “It wasn’t like, ‘I want to hack those bastards’. But then I found something, and the good nature in me said, These guys are not right. I’m going to destroy them.”

Ethan, who is now sought after by the FBI because of the leaked emails, is getting close to this goal. It all went downhill for MediaDefender after the leaks got out. In November it turned out that MediaDefender’s parent company ArtistDirect lost almost $1,000,000 because of the hack, and their stock price plunged soon after that.

To make it even worse, a week after the sensitive information was made public, the Pirate Bay launched a counterattack against their arch rival. They decided to use the information from the emails to file charges against some of MediaDefenders customers including Paramount Home Entertainment, Twentieth Century Fox and Universal Music Group for corrupting and sabotaging their BitTorrent tracker.

There is no doubt that the pirates have won this battle, and it will be very hard for MediaDefender to regain their credibility. To quote MediaDefender CEO Randy Saaf: “This is really fucked…”. Yes, I’m afraid it is Randy.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

Users of What.cd were in for more than a little shock today. Members of one of the OiNK replacement sites started receiving worrying emails from the music file-sharers arch nemesis – the mighty RIAA.

The email reads:

Date: 12 Nov 2007 11:35:46 +0100
Message-ID: <2007111XXXXXXX.XXXXX.qmail@bitient.org>
To: XXXXXXX
Subject: Music Piracy
From: piracy@riaa.org
Reply-To: piracy@riaa.org
X-Originating-IP: [76.74.24.143]
X-Originating-Email: [piracy@riaa.org]
X-Mailer: Internet Mail Service

Dear registered user of the site What.cd,

We have recently been investigating the activities of the users of the site http://www.what.cd/ and we have found that this site exists for the sole purpose of music piracy.

Pirating music is a criminal offence and we believe it should be obvious to you that the results outweigh the benefits – hard working artists won’t be rewarded for their work and will stop producing music, ultimately leading to a severely reduced selection of music both in the shops and for download.

The RIAA had hoped that the disabling by the police of the large illegal music site, Oink.cd, would stop a lot of people from engaging in piracy, as they don’t want to be seen as criminals. However, this appears to not be the case, as two large new sites have sprung up in its place.

This email is the final warning to all of you who were members of Oink.cd and are current members of What.cd. If we find you to be committing any more criminal acts of piracy then we will have to press charges against you, as representatives of the major record companies of
America.

Yours Faithfully,

The RIAA

Worrying, especially as the IP address in the email seems to indicate it really is from the RIAA. Visitors to the What.cd site were then greeted with this message:

This week has been terrible. After we did two code audits and fixed our security issues, our wonderful attackers couldn’t get in (yay!), so they turned to brute force. After having been hit by several port scans and a rather fearsome DDoS attack (traffic reaching almost 80 megabits per second (note: that’s 10 megabytes per second)) our server pretty much went to hell. After an extended downtime (ending a couple hours ago) during which we tweaked firewall settings, etc., we decided that it was safe enough to bring the site back up.

Pretty much immediately after the site came back up we had someone trying to brute force our (well passworded) ssh accounts (they’ve now met the hot burny side of the firewall).

What have we learned from all this? That there is a person or a group of people somewhere that wants us to disappear. We originally thought that the attacks were by bored kids, but whoever was behind the DDoS appears to be much more serious than that. We aren’t going to publicly speculate on who is behind the attacks – we’ll leave that to you guys.

Despite these attacks, we are still up and running, and we hope to stay this way for a very long time. We have plans for this site, and we aren’t going to flush them down the drain just because some people don’t like what we’re doing. The first of our plans involves a very cool freeleech plan, but we’re going to wait until we’re sure the tracker’s relatively stable for
that. For the time being, we’re keeping freeleech on until further notice.

But what about the emails? Is the RIAA really sending them out? If not, then who is and how did they get the What.cd user database? What.cd think they have the answer in a post on their site, replicated on this Pastebin page.

Other sites are already publishing the information above and a quick Google search does indeed reveal some interesting details. Apparently, the person held responsible for the hacking and the RIAA email is only 14 year old and not as much as a threat some believed him to be. The alleged hacker’s date of birth, his hometown, hobbies and much more are detailed on Google.

Before today, he probably enjoyed telling the world about himself on social networking sites too.

He’s also mentioned on this Pastebin page full of haxor code – along with what.cd.

The youth of today….what’s the world coming to?

Update: It appears someone claiming to be ‘biscuit’ offered the database for sale and even threatened to send it to the RIAA. After deciding that he should keep it – for later ‘blackmail’ purposes he hopefully considered this link and realized it’s not worth it, deleted the database and forgot all about it.

Update: biscuit wrote that he’s not responsible for the hacking and claims that the bash log is doctored.

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.