New Security Measures Due To Recent Hacking Attacks

This text is available in French here: https://www.pirate-punk.net/discussion-du-forum/attaque-de-hackers-et-comptes-de-faux-administrateurs.83399/

On Wednesday evening, Pirate-Punk.net was attacked by hackers. Around forty fake “Administrator” accounts appeared and sent a massive number of private messages to users with a link to an infected website. Each member then received an email notifying them of a new private message. The fake accounts used real email addresses with residential IP addresses for registration, before a network of Russian bots took over for the coordinated attack.

The content of the private messages sent to members led to an infected link:

Example of a fake administrator account on the forum:

Thanks to our technical team spread across different countries, the attack was detected and blocked in just 11 minutes, allowing us to limit the damage very quickly.

The immediate measures taken 11 minutes after the start of the attack:

  1. Pirate Punk was temporarily shut down and the domain was suspended to isolate it from the server.
  2. Mail servers on Servers 3 and 11 were temporarily closed to prevent spam.
  3. Activation of our pre-established cybersecurity procedures.
  4. Our priorities before reopening: analyze the attack vector, secure other forums before they are also attacked, and notify the moderation teams.
  5. Preventive closure of registrations on Libertaire.net and Anarcho-Punk.net, assuming that the attack vector is potentially reproducible.
  6. Cloudflare’s “Under Attack” mode has been deployed.

Despite everything, those 11 minutes were enough to create approximately 40 fake administrator accounts and send over 1,500 private messages. Without our swift intervention, more than 54,000 members would have received this spam.

Our North American admins began the initial investigation the evening of the attack, and our colleagues in Europe took over upon waking, allowing us to provide 24/7 monitoring of the servers. Around 6:00 AM, the team reactivated traffic on Pirate-Punk.net, including the forum, which remained in maintenance mode throughout the day.

After our thorough analysis (server logs, email logs, forum activity tracking, verification of attack types, network activity analysis, database analysis, etc.), the tech team is confident in stating that:

  1. No forum data has been compromised.
  2. No accounts have been hacked.
  3. Your passwords are secure.
  4. The attackers did not gain access to moderation.
  5. Moderator accounts are secure, especially since the mandatory addition of multi-factor authentication and Cloudflare Access.


Details of the attack:

  • The logs show only ordinary HTTP GET and POST requests, made while browsing the forum normally, outside the admin area. No security vulnerabilities appear to have been exploited.
  • Most of the IP addresses were associated with the Russian ASN “Aleksandr Valerevich Mokhonko”.
  • We had previously detected Russian bots improperly scanning the member list, possibly for reconnaissance purposes for this operation. The team then hid the member list from unregistered users.
  • Earlier this week, two hackers registered on the forum to test our system: Alextop and Amaliarad, both tied to the same IP addresses and using email addresses linked to other attacks.
  • Simultaneously, for some time now, several attacks have been targeting our various newsletters (a separate announcement will follow on this subject).

Mitigation measures taken by the team:

  1. All fake administrator accounts are banned, and their messages are deleted. The ASN is blacklisted from all our sites.
  2. Each new member must be manually approved by the moderators, regardless of whether a bot is detected or not.
  3. New members can no longer create new private conversations. They can still receive messages, or ask an active member to initiate a private conversation.
  4. New limit on the number of new private conversations per week, with temporary blocking. Replies to existing conversations are unlimited and allowed at all times.
  5. Reactivation of the anti-flood timer; a 5-minute wait is required between each message for new members.
  6. Cloudflare anti-bot protection enabled on the private messaging page, not just on the registration and login page.
  7. Blocking the use of “Administrator” or a similar word as a username.
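
Measure 7 is harder than an exact string match, because a name can read as "Administrator" while being spelled with look-alike letters, digits, separators or a small typo. The sketch below is an added example, not the forum's own code: the reserved word list, the look-alike table and the distance thresholds are assumptions chosen for illustration.

```python
import unicodedata

# Reserved staff words (assumption: extend with the forum's own role titles).
RESERVED = ("administrator", "admin", "moderator")

# Constructed, deliberately small look-alike table: Cyrillic/Greek letters
# and leetspeak that render like Latin letters. Not a full confusables list.
CONFUSABLES = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0456\u0442\u043c\u03bf\u03b1" "013457@$!|",
    "aeopcitmoa" "oieastasii",
)


def skeleton(name: str) -> str:
    """Reduce a display name to the Latin letters a reader would perceive."""
    # NFKD folds fullwidth/styled letters and splits accents off base letters.
    s = unicodedata.normalize("NFKD", name).casefold()
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = s.translate(CONFUSABLES)
    # Drop spaces, punctuation, leftover digits and zero-width characters.
    return "".join(ch for ch in s if ch.isalpha())


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-letter misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_reserved(name: str) -> bool:
    """True if the name would read as a staff title to another member."""
    s = skeleton(name)
    for word in RESERVED:
        long_word = len(word) >= 9
        if long_word and word in s:                    # "The_Administrator_Team"
            return True
        if s.startswith(word) or s.endswith(word):     # "Admin-Support"
            return True
        if levenshtein(s, word) <= (2 if long_word else 1):  # "Adminstrator"
            return True
    return False
```

Short words such as "admin" are matched only at the start or end of the name, so an ordinary name like "badminton" is not rejected.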

Conclusion: no damage was done thanks to the quick intervention of the admins and our proactive measures.

  1. During a security audit in 2024, a risk was identified: the full content of private messages was included in notification emails, which could spread malicious links and harm our servers. We therefore proactively disabled the display of the full text, preventing the worst from happening yesterday.
  2. We had already coded a security measure that alerts our admins when spam is sent repeatedly; this one alerted us first.
  3. Thanks to the quick intervention and the forum being closed after 11 minutes, no member opened the private message that contained the malicious link, which has now been deleted.
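
An alert of the kind described in point 2 can be built as a sliding-window count of private messages that carry the same link host. This is an added example, not the forum's own alerting code: the event format, the window length and both thresholds are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict, deque

URL_HOST = re.compile(r"https?://([^/\s:?#]+)", re.IGNORECASE)
OWN_HOSTS = {"www.pirate-punk.net", "pirate-punk.net"}  # links to the forum itself
WINDOW = 120      # seconds of history kept per host (assumed value)
MAX_SENDERS = 5   # distinct accounts pushing one host in WINDOW (assumed)
MAX_MSGS = 30     # messages carrying one host in WINDOW (assumed)


def detect_link_bursts(events):
    """events: (epoch_seconds, sender, body) tuples in time order.
    Returns {host: (alert_time, msgs_in_window, senders_in_window)}."""
    recent = defaultdict(deque)   # host -> (timestamp, sender) inside WINDOW
    alerts = {}
    for ts, sender, body in events:
        hosts = {h.lower() for h in URL_HOST.findall(body)} - OWN_HOSTS
        for host in hosts:
            q = recent[host]
            q.append((ts, sender))
            while q[0][0] <= ts - WINDOW:      # expire entries outside WINDOW
                q.popleft()
            senders = {s for _, s in q}
            hit = len(senders) >= MAX_SENDERS or len(q) >= MAX_MSGS
            if hit and host not in alerts:     # alert once per host
                alerts[host] = (ts, len(q), len(senders))
    return alerts


# Constructed sample: two ordinary messages, then six accounts sending the
# same link two seconds apart (names and hosts are made up).
SAMPLE = [
    (0, "alice", "Setlist is here: https://www.pirate-punk.net/threads/1"),
    (30, "bob", "Flyer for Friday: https://gig.example/flyer.png"),
] + [
    (100 + 2 * i, f"fake_admin_{i}", "Verify now http://account-check.example/login")
    for i in range(6)
]

if __name__ == "__main__":
    for host, (ts, msgs, senders) in detect_link_bursts(SAMPLE).items():
        print(f"ALERT t={ts}s host={host} msgs={msgs} senders={senders}")
```

Counting distinct senders as well as messages matters for an attack like this one, where the volume was spread over about forty accounts rather than sent from a single one.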

We take cybersecurity incidents very seriously, and we are committed to full transparency.