Cyber Incident Victim: jkanime.net
Date: Jun 2016
Location: Mexico
Summary
A popular anime streaming site with millions of monthly visitors was compromised via malicious script injections redirecting users to the Neutrino Exploit Kit, leading to CryptXXX ransomware infections. The exploit kit delivered CryptXXX 3.0, which demanded a ransom payment of approximately $900 in Bitcoin and encrypted local files, attached storage devices, and network-shared resources. Researchers estimated potential infections exceeding 20,000 users during the two-day compromise period, noting Neutrino's dominance following the decline of rival kits Angler and Nuclear. The incident reflected broader criminal migration to Neutrino for distributing CryptXXX, which had recently enhanced its encryption capabilities and incorporated credential-stealing functionality.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In late June 2016, the anime streaming site Jkanime.net, which attracted approximately 33 million monthly visitors primarily from Mexico and South America, was compromised. Between June 22 and June 24, attackers injected the site with a script that loaded an external JavaScript file, which in turn inserted an iframe redirecting visitors to Neutrino Exploit Kit landing pages. The exploit kit delivered CryptXXX 3.0 ransomware to visitors running vulnerable browser software. Security researchers at Forcepoint identified the infection chain, estimating that if only 1% of the site’s visitors were impacted during the two-day compromise, at least 20,000 malware infections would have occurred. The attack leveraged infrastructure associated with the Afraidgate campaign, which had previously used the Angler Exploit Kit but had shifted to Neutrino. By the time Forcepoint disclosed the incident on June 24, Jkanime.net no longer exhibited signs of active compromise, though the full scope of affected users remained unconfirmed.

The incident occurred during a transitional period in the exploit kit landscape, with Neutrino emerging as the dominant threat following the decline of Angler and Nuclear exploit kits. Angler’s disappearance coincided with Russian arrests linked to Lurk malware operations, while Nuclear’s activity ceased after Check Point Software exposed its infrastructure in April 2016. Neutrino’s adoption by multiple threat actors included CryptXXX distribution, which demanded ransoms of 1.2 Bitcoin (~$900) per infection. CryptXXX 3.0 encrypted local files, attached storage devices, and network resources via port 445 scans, while its updated 3.1 version incorporated the StillerX credential-stealing module. Proofpoint’s contemporaneous analysis indicated Neutrino accounted for 75% of all exploit kit traffic in mid-2016, primarily distributing CryptXXX, with Cerber ransomware comprising another 10% through Neutrino and Magnitude exploit kits. The Jkanime compromise exemplified the widespread impact of malvertising and exploit kit operations during this period, though no specific remediation actions by the site operators were documented in available reports.
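The injection pattern described above (a foreign script tag plus a hidden iframe pointing at an exploit-kit landing page) is something a site operator can check for in their own served HTML. The following is an added example, not code from the page or from Forcepoint: a small stdlib-only scanner that lists every `script`/`iframe` source, flags any whose host is outside an allowlist of first-party and known partner hosts, and separately flags iframes styled to be invisible. The sample HTML and all host names (`*.invalid`) are constructed placeholders, not domains from the incident.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party script, one injected external
# script, one hidden iframe and one legitimate partner embed. The host names
# are placeholders (reserved .invalid TLD), not infrastructure from the incident.
SAMPLE_HTML = """
<html><head>
<script src="/static/player.js"></script>
<script src="https://injected-host.invalid/loader.js"></script>
</head><body>
<iframe src="//landing-page.invalid/index.php" width="1" height="1" style="display:none"></iframe>
<iframe src="https://embed.partner-cdn.invalid/player"></iframe>
</body></html>
"""

# Hosts the operator expects to serve active content; assumed allowlist.
TRUSTED_HOSTS = {"embed.partner-cdn.invalid"}


class RefCollector(HTMLParser):
    """Collect (tag, src, hidden?) for every script and iframe with a src."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        hidden = tag == "iframe" and looks_hidden(a)
        self.refs.append((tag, src, hidden))


def looks_hidden(attrs):
    """True for iframes styled invisible or sized to 1x1 or smaller."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width", "100"))
        height = int(attrs.get("height", "100"))
    except ValueError:
        return False  # non-numeric sizes (e.g. "100%") are not treated as hidden
    return width <= 1 or height <= 1


def find_suspicious_refs(html, trusted_hosts):
    """Return findings for external refs not in trusted_hosts and for hidden iframes.

    Relative URLs (no host) are treated as first-party and only flagged if hidden.
    Protocol-relative URLs (//host/path) are resolved to their host.
    """
    parser = RefCollector()
    parser.feed(html)
    findings = []
    for tag, src, hidden in parser.refs:
        host = urlparse(src).netloc.lower()
        reasons = []
        if host and host not in trusted_hosts:
            reasons.append("untrusted host")
        if hidden:
            reasons.append("hidden iframe")
        if reasons:
            findings.append({"tag": tag, "src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_refs(SAMPLE_HTML, TRUSTED_HOSTS):
        print(f"{f['tag']:6} {f['src']:45} {', '.join(f['reasons'])}")
```

Running the scanner over a site's rendered pages on a schedule, and diffing the result against the previous run, turns an unexpected new external host or a freshly added invisible iframe into an alert; the two-day window in this incident is exactly the kind of change such a check is meant to catch early.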
