Menu
Browse

Cyber Threat Actor: Disco

Actor Type Location Known Incidents
 Icon
Criminal
United Kingdom
1 incident
Profile

Disco is a threat actor known by the alias Disco and has been associated with the United Kingdom as its base of location. The actor first came to public attention through involvement in a breach of the OGUsers forum, a platform used for trading compromised social media accounts. Prior to the incident, Disco had been a member of OGUsers who was banned from the community and subsequently promoted a rival forum. This background shows that Disco retained knowledge of the forum’s internal dynamics after expulsion.

The OGUsers forum breach occurred on 2020-11-25 and involved the defacement of the site’s homepage and a claim of access to its user database. During the incident, Disco characterized the intrusion as an act of retaliation against the forum’s administrator. At the same time, the attackers demanded payment to exclude certain profiles and private messages from a threatened data leak. Although the demand suggests a financial motive, Disco publicly denied any intention to release or sell the stolen information.

The initial access vector exploited in the breach was an outdated site plugin, which allowed the attackers to gain entry to the forum’s web infrastructure. No specific malware families were reported in connection with this operation, indicating that the compromise relied primarily on web‑application exploitation. The defacement of the homepage served as a visible demonstration of the successful intrusion. The extortion‑style demand for payment to prevent data exposure represents the primary tooling style observed in this activity.

Attribution details link Disco to a pair of actors described in reporting as “Chinese” and “Disco,” with the latter being the UK‑based individual previously banned from OGUsers. The association with a rival forum suggests a possible affiliation with a competing cybercrime community rather than a state‑sponsored group. No public evidence connects Disco to any nation‑state intelligence service or official military unit. Consequently, the actor is presently understood as a financially motivated cybercriminal operating within the underground forum ecosystem.

The OGUsers breach remains the most significant publicly reported operation attributed to Disco, highlighting the actor’s ability to exploit outdated web components to achieve impact. The incident contributed to a broader pattern of security failures at a forum that has been linked to high‑profile account takeovers, SIM‑swapping schemes, and cryptocurrency‑related fraud. While no further campaigns have been documented in open sources, the case illustrates how personal grievances and rivalries within hacking communities can translate into disruptive cyber attacks. This profile is limited to the facts presented in the available reporting and does not extend beyond those confirmed details.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources