Menu
Browse

Cyber Threat Actor: Obnoxious and Pein

Actor Type Location Known Incidents
 Icon
Sensationalist
United States of America
2 incidents
Profile

Obnoxious and Pein is a threat actor that operates under the aliases Obnoxious and Pein and has been linked to activity originating from the United States of America. The actor gained public attention in June 2016 when it compromised several high‑profile YouTube channels, including WatchMojo, which had over twelve million subscribers, and Redmercy, a gaming commentary channel with nearly one million subscribers. During the intrusion the actors renamed years of uploaded videos to display the message “Hacked by 'Obnoxious and Pein' Twitter (dot) com/poodlecorp,” thereby altering the public facing content of the victims. In the case of Redmercy the compromise extended beyond YouTube to the associated Twitter and PayPal accounts, demonstrating an ability to move across multiple online services. The victims reported that two‑factor authentication was enabled on all affected accounts yet the attackers were able to bypass these protections, a fact they attributed to the reuse of identical passwords across services. No evidence has been presented linking Obnoxious and Pein to a state sponsor, a criminal consortium, or any broader ideological campaign.

The observed tactics of Obnoxious and Pein center on credential reuse as an initial access vector, allowing the actors to log into multiple accounts after obtaining a single set of credentials. Once inside, they employed account takeover techniques to modify video titles, post unauthorized messages, and maintain control over YouTube, Twitter, and PayPal platforms despite the presence of two‑factor authentication. The June 2016 operation against WatchMojo and Redmercy represents the most detailed public campaign attributed to the group, showcasing their capability to affect large‑scale media and gaming channels and to cause noticeable disruption to the victims’ online presence. While the actors restored access to YouTube and PayPal for Redmercy, the compromised Twitter account remained suspended after repeated hijacking attempts, indicating a lasting impact on at least one of the targeted platforms. No additional malware families, tooling suites, or specific exploit tools have been documented in the available reporting.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
1 source