Cyber Threat Actor: Dhostpwned
| Actor Type | Location | Known Incidents |
Hacker
|
United States of America
|
1 incident |
|---|
Profile
Dhostpwned is a threat actor known by the alias Dhostpwned and has been publicly linked to operations originating from the United States of America. The actor’s observed activity focuses on dark web infrastructure, specifically targeting shared hosting services that support illicit marketplaces and forums. In the documented incident, the actor’s actions resulted in the exfiltration of data from multiple hosted sites and the claimed compromise of numerous dark web platforms, indicating an objective centered on acquiring sensitive information and causing service disruption. The actor also demonstrated a secondary effect of unintentionally disrupting a specific marketplace’s operations through a separate virtual private server breach, showing that operational impact can extend beyond the primary target. No public sources attribute the actor to a state sponsor or a formal criminal consortium, and no affiliations have been established beyond the individual alias.
The actor’s typical initial access involves registering a legitimate shared hosting account and then exploiting an unblocked PHP function to execute limited commands on the server, a technique that allowed command execution without deploying traditional malware. In a separate but related event, the actor gained access to a virtual private server by using default credentials, which led to accidental disruption of a marketplace’s operations. These tactics highlight a reliance on exploiting misconfigurations and weak credential management rather than employing custom malware families or sophisticated exploit chains. The actor’s tooling style appears to favor the use of built‑in server functionalities and readily available access methods, reflecting a pragmatic approach to achieving objectives. The 2017 dark web hosting service breach remains the most prominently reported operation associated with Dhostpwned, providing the primary evidence for the actor’s behavior and impact. No additional campaigns or malware families have been publicly linked to this alias in the available sources.
