
Cyber Threat Actor: SonnySpooks

Actor Type: Criminal
Location: Russia
Known Incidents: 10 incidents
Profile

SonnySpooks is a threat actor known by the alias SonnySpooks and has been associated with operations originating from Russia. The actor has been linked to a series of incidents involving the compromise of various websites, including fijilive.com, paypalsucks.com, buzzmachines.com, sevendollarclick.com, threedollarclick.com, acparadise.com, fourdollarclick.com and pingpong.su. These activities have been documented in public leak sources and threat intelligence reports spanning March to July 2016.

The actor’s observed objectives vary across incidents. In several cases the motive is described as personal gain or financial benefit, with the attacker seeking to exploit the targeted organization for monetary advantage. For the paypalsucks.com defacement reported in May 2016, the attackers were explicitly motivated by notoriety and revenge rather than financial gain. Other summaries note that the threat actor’s motive was personal gain, with the attack likely involving exfiltration from an end host. These statements indicate that SonnySpooks pursues both financially driven and reputation‑based goals depending on the target.

Regarding tactics, the reported incidents frequently involve the exfiltration of data from an end host, with the attacker likely using phishing or credential compromise to gain access to sensitive information. The actor has dumped large collections of usernames and hashed passwords, as seen in the fijilive.com breach (91,460 records), the paypalsucks.com breach (82,169 records) and the buzzmachines.com breach (approximately 37,000 records). In addition to data theft, SonnySpooks has performed website defacements, altering the site’s content to convey a message. No specific malware families or tooling suites are mentioned in the available material.

Attribution details are limited to the geographic indicator of Russia; no public sources explicitly tie SonnySpooks to a state‑sponsored program or a known criminal consortium. The actor appears to operate independently or within an unspecified loose network, based solely on the location information provided.

Representative operations include the May 2016 hijacking of fijilive.com resulting in the release of over ninety thousand credential pairs, the May 2016 compromise of paypalsucks.com that yielded both a data dump of more than eighty thousand records and a defacement motivated by notoriety, and the March 2016 breach of buzzmachines.com where nearly thirty‑seven thousand usernames and passwords were exposed. These examples illustrate the actor’s pattern of targeting web‑based services to harvest credentials and, at times, to disrupt or embarrass the victim. The available evidence shows a consistent focus on stealing authentication data and leveraging it for personal or financial gain, while occasionally pursuing reputational damage through site alteration.

Incidents
Attributed incidents available to members
7 incidents
Sources
Sources available to members
6 sources