Menu
Browse

Cyber Threat Actor: InstaKilla

Actor Type Location Known Incidents
 Icon
Hacker
Bulgaria
2 incidents
Profile

InstaKilla is a Bulgarian threat actor known for compromising online platforms containing sensitive user data, with operations publicly documented in late 2019. The actor's sole attributed alias remains consistent across reporting, with no evidence of additional monikers or confirmed affiliations with state-sponsored groups or criminal syndicates. Activity centers on exploiting software vulnerabilities in web forums to exfiltrate membership databases for financial gain through underground sales, rather than disruptive attacks or espionage objectives. Geographic focus emerged through targeting regionally specific escort communities in the Netherlands and Italy, though technical execution demonstrated broader applicability to any vulnerable platform.

Targeting concentrated on adult-oriented forums utilizing outdated content management systems, particularly those serving niche communities like sex workers, their clients, and specialized interest groups. The 2019 campaign against EscortForumIt.xxx and Hookers.nl exemplified this pattern, where compromised data included usernames, email addresses, hashed passwords, and IP addresses—elements enabling credential-stuffing attacks and privacy violations against high-risk populations. Technical execution relied exclusively on exploiting CVE-2019-16759, a critical zero-day remote code execution vulnerability in vBulletin software. This flaw allowed unauthorized access to unpatched systems, with InstaKilla leveraging publicly disclosed proof-of-concept exploit code shortly after its release. The actor’s operational security included rapid exploitation before administrators could apply patches and before competing threat actors could hijack vulnerable servers, as observed in contemporaneous botnet activity targeting the same vulnerability.

InstaKilla’s only publicly documented operation involved breaching multiple European escort forums on October 10, 2019, compromising approximately 250,000 Dutch accounts and 33,000 Italian accounts. The attacker extracted not only forum membership databases but also accessed Hookers.nl’s internal subscription management system, though available samples lacked direct evidence of financial data exfiltration. Stolen datasets were monetized via cybercrime platforms, with the Dutch database priced at $300. The incidents highlighted systemic risks in poorly maintained online communities, particularly those handling sensitive memberships, as outdated vBulletin installations permitted trivial compromise. Forensic analysis of the breaches confirmed alignment with widespread exploitation patterns of CVE-2019-16759 rather than novel tradecraft, emphasizing opportunistic rather than highly sophisticated intrusion methods. Impact extended beyond immediate credential exposure, enabling potential blackmail, targeted harassment, and reputational damage within vulnerable communities reliant on pseudonymous participation.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
1 source