
Cyber Incident Victim: TrueStresser

Date: Sep 2017

Location: United States of America

Summary

A dissatisfied customer breached the DDoS-for-hire service TrueStresser, exfiltrating and leaking its database contents on public text-sharing platforms. The exposed data included API calls linking to infrastructure provider Defcon.pro, credentials for 331 user accounts (with 16 passwords in cleartext), and database access details for the service's attack control panel. A security researcher confirmed the leak's authenticity by successfully logging into a compromised account but was immediately targeted by an ICMP flood attack, suggesting ongoing monitoring by the perpetrators. The breach revealed operational ties to Defcon.pro, which advertised extensive attack capabilities and historical attack volumes. This incident mirrored prior compromises involving similar booter services and their upstream providers.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

In late August or early September 2017, an unidentified dissatisfied customer breached the servers of TrueStresser, a DDoS-for-hire service, and exfiltrated its database. The attacker subsequently leaked portions of the stolen data across two public text-sharing platforms—Pastebin and Hastebin—on the night preceding September 1. The Pastebin upload contained API documentation matching Defcon.pro, an upstream DDoS infrastructure provider, alongside credentials for 331 TrueStresser user accounts (including usernames, hashed passwords, and email addresses). Notably, 16 of these accounts had passwords exposed in cleartext. The Pastebin entry also linked to a Hastebin file purportedly holding TrueStresser's config.php configuration file, which included database credentials for the service's attack control panel. Security researcher Derrick Farmer discovered the Pastebin leak through the platform's recent uploads list and verified its authenticity by successfully logging into a compromised account using one of the leaked cleartext passwords. Shortly after this test, Farmer's IP address was targeted by an ICMP flood attack, suggesting TrueStresser operators monitored the breached accounts for unauthorized access attempts.

Analysis of the leaked API calls confirmed TrueStresser relied on Defcon.pro's infrastructure to execute attacks, with documentation matching Defcon.pro's control panel specifications. Defcon.pro advertised extensive DDoS capabilities, listing 14 "NORMAL" attack types (including DNS, NTP, and SYN floods) and 20 "PREMIUM" methods targeting specific gaming platforms and protocols like Steam, Minecraft, and TCP-AMP. At the time of reporting, Defcon.pro claimed over 7,700 customers and 117,000 total attacks, with 3,900 recorded on September 1 alone. The incident paralleled a 2016 breach involving PoodleStresser and its infrastructure provider vDos, where leaked data similarly exposed links between booter services and larger attack platforms. Neither TrueStresser nor Defcon.pro responded to requests for comment regarding the breach or its operational ties. The leak exposed TrueStresser's customer base to account compromise and potential retaliation while revealing technical dependencies within the DDoS-for-hire ecosystem.

Sources
Sources available to members
1 source