The Epik Hack and the Return of Anonymous
- September 30, 2021
- Clayton Rice, K.C.
Cyberespionage. Ransomware heists. Spyware. And hacking campaigns by government agencies to advance strategic interests. The frequency of cybersecurity breaches over the past year has only been eclipsed by their severity. Then there was the re-emergence of hacktivism – activist hackers looking to make a political score. Hacktivism returned to the spotlight again this month with the targeting of Epik, the domain registrar and web hosting company known for providing services to websites that host far-right and other extremist content. Anonymous is back.
On September 13, 2021, Anonymous announced that it gained access to a large quantity of Epik data including account credentials, logins and payment history. A dataset consisting of 180 gigabytes was released exposing more than 15 million email addresses. The hackers claimed they obtained “a decade’s worth of data” including customer data and records for all domains hosted or registered through the company. On September 29, 2021, a second trove of information was released containing bootable disc images. Described as the “Panama Papers of hate groups” and “a Rosetta Stone to the far right”, it appears that Epik’s entire database was exposed containing account usernames, passwords and credit card numbers stored in plaintext.
2. Who’s Who?
Epik was founded in 2009 by Robert Monster and is based in Sammamish, Washington, a suburb of Seattle. It is known as a safe harbour for the far-right because it provides services to websites that have been denied service by other internet service providers. Some of its high-profile clients have included the alt-right organization the Proud Boys and the paramilitary organization the Oath Keepers. The Proud Boys are self-described “western chauvinists”. According to the Anti-Defamation League, the organization promotes hatred of women, transmen, transwomen, and immigrants, although the group denies that it is racist. In 2017, Proud Boy Jason Kessler assisted in the organization of the Unite the Right Rally in Charlottesville, Virginia. The Oath Keepers is an anti-government militia group composed of former and present military personnel and police officers claiming to defend the Constitution of the United States. Members of the organization, wearing military fatigues, were prominent during the unrest in Ferguson, Missouri, in 2014 and 2015, and were observed climbing the steps of the U.S. Capitol Building in hand-to-shoulder tandem during the riot on January 6, 2021.
Anonymous is a shadowy international hacktivist movement known for cyber attacks against corporations and government agencies. It emerged in 2003 on the imageboard 4chan as a collective hive-mind of online users. Members are recognizable in public by wearing the distinctive Guy Fawkes mask depicted in the graphic novel and film V for Vendetta. The collective has been called almost everything from digital freedom fighters to a cyber lynch mob. The presence of Anonymous began to fade in 2018 but became more visible again during the George Floyd protests. In an article titled The Return of Anonymous published by The Atlantic on August 11, 2020, Dale Beran described a video that appeared online depicting a black-clad figure wearing the group’s signature Guy Fawkes mask: “Greetings, citizens of the United States,” the figure said. “This is a message from Anonymous to the Minneapolis Police Department. We will be exposing your many crimes to the world. We are legion. Expect us.” (here)
3. The Breach
On September 14, 2021, Claire Goforth reported for The Daily Dot that Anonymous issued a press release disclosing that it gained access to a stockpile of data from Epik. (here) It was an eye-catcher because Epik’s customers also included mainstream conservative groups like the Texas Republican Party. According to the press release, called Operation EPIK FAIL, Anonymous said the data included domain registrations, domain transfers, passwords, account credentials for all of Epik’s customers, logins and more than half a million private keys. “This dataset is all that’s needed to trace actual ownership and management of the fascist side of the Internet that has eluded researchers, activists, and, well, just about everybody,” they said. In a post to Twitter, Mr. Monster called the breach a “non-story”. Based on timestamps in the leaked data, the hack was executed on February 28, 2021. (here and here)
On September 16, 2021, Mr. Monster finally acknowledged the hack during a video conference that tech reporter Mikael Thalen described as “bizarre and chaotic” in an article published the next day by The Daily Dot. (here) According to Mr. Thalen, Epik told reporters the day after the story broke that it was “not aware of any breach”. An email was then sent by Mr. Monster to Epik’s customers admitting it was investigating “an alleged security incident”. By September 20, 2021, the breach garnered world-wide attention when Le Monde, one of France’s newspapers of record, described Mr. Monster’s three-hour live stream as “possibly one of the strangest responses to a computer security incident in history.” (here)
4. The Fallout
In an article titled Huge hack reveals embarrassing details of who’s behind Proud Boys and other far-right websites published in The Washington Post edition of September 21, 2021, Drew Harwell, Craig Timberg and Hannah Allam said that researchers combing through the trove report that the “most crucial findings” concern the “key role” Epik played in keeping material online that might otherwise have vanished from the internet. (here) “The company played such a major role in keeping far-right terrorist cesspools alive,” said Rita Katz, executive director of SITE Intelligence Group, which studies online extremism. “Without Epik, many extremist communities – from QAnon and white nationalists to accelerationist neo-Nazis – would have had far less oxygen to spread harm, whether that be building toward the Jan. 6 Capitol riots or sowing the misinformation and conspiracy theories chipping away at democracy.”
Emma Best, co-founder of Distributed Denial of Secrets, a nonprofit whistleblower group, said some researchers describe the hack as “the Panama Papers of hate groups”, a reference to the leak of millions of documents that exposed a rogue offshore finance industry. Sifting through the trove is labour intensive. “A lot of research begins with naming names,” Ms. Best told the Post. “There’s a lot of optimism and feeling of being overwhelmed, and people knowing they’re in for the long haul with some of this data.” Gabriella Coleman, a professor of anthropology at Harvard University and author of Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous, told Sean Lyngaas of CNN that the Epik data dump “confirmed a lot of the details of the far-right ecosystem.” (here) The Epik breach will force some of these actors to find service providers outside North America to “set up their security game”.
In a follow-up article titled Fallout begins for far-right trolls who trusted Epik to keep their identities secret published by The Washington Post on September 25, 2021, Drew Harwell, Hannah Allam, Jeremy B. Merrill and Craig Timberg said the Epik breach “has cast a spotlight in a long-hidden corner of the Internet’s underworld”. (here) Heidi Beirich, co-founder of the nonprofit Global Project Against Hate and Extremism, described the dataset as “the mother of all data lodes” because Epik was at the centre of extremist websites. “Epik was the place of last refuge for a lot of these sites,” Ms. Beirich said. “And as the data is analyzed and looked at more deeply, we’re going to see this ecosystem in a way that was simply not possible before.” The identities of administrators, web developers and the money flow are details that have challenged “even the most veteran hate trackers.”
Aubrey Cottle, a security researcher and co-founder of Anonymous, declined to share information with the Post about the hack but said it was “fueled by hackers’ frustrations” over Epik serving as a haven for far-right extremists. “Everyone is tired of hate,” he said. “There hasn’t been enough pushback, and these far-right players, they play dirty. Nothing is out of bounds for them. And now the tide is turning, and there’s a swell moving back in their direction.”
On September 29, 2021, Anonymous released another Epik dataset described as “The/b/Sides,” or part two of Operation EPIK FAIL. In a further report published on the same day for The Daily Dot titled New leak of Epik data exposes company’s entire server, Mr. Thalen described the leak as “several bootable disk images of assorted systems” in a roughly 70GB torrent file. (here) The data included API keys and plaintext login credentials for Epik’s system as well as Coinbase, PayPal, and the company’s Twitter account. The second leak came just days after the Oath Keepers site was allegedly hacked exposing the paramilitary group’s emails, internal chats and data on members and donors including those who work for the U.S. government and military. The hackers responsible for the Oath Keepers leak did not assert any connection with Anonymous or the Epik breach.
The hack provoked ridicule from researchers about Epik’s failure to implement strong security protocols. Some marveled at its failure to use basic precautions, such as routine encryption, that may have protected personal data from public disclosure. Similar failings by other companies have drawn the attention of the U.S. Federal Trade Commission, which probed the dating service Ashley Madison following the hack of its site in 2015. Professor David Vladeck of Georgetown University Law Center, a former head of the FTC’s consumer protection bureau, told the Post that Epik would be an FTC target, particularly if the company was warned but failed to take protective action. “[T]he FTC wouldn’t care about the content – right wing or left wing,” Professor Vladeck added. “[T]he questions would be the possible magnitude and impact of the breach and the representations the company may have made about security.”
What, then, does the Epik breach say about Anonymous? That question is analogous to the one Mr. Beran asked in his piece for The Atlantic last year. Anonymous began with teens hanging out in chat rooms. “They put on the mask of the anti-fascist superhero for fun, but over time learned to play the role first with style, then conviction,” Mr. Beran wrote. Some members now work quietly without publicizing what they do. Making a lot of noise was a mistake that landed some of them in jail. They are now more wary – cautious about who among them may be an informant or an undercover police officer. They no longer organize on Internet Relay Chat preferring end-to-end encrypted platforms. And age has brought its tempering influence. “We’ve grown up a lot – at least I have – since the beginning of all this,” an Anonymous activist said. “Back in 2010-2012, we would have decimated anything we could to make a point; now we realize how we could inadvertently affect people in negative ways.” It appears that Anonymous might be with us perennially, Mr. Beran concluded, “blooming in revolutionary moments, when it feels as if one big push might effect change.”