Cyber Incident Victim: KS-Hosting.com
Date:
Feb 2021
Location:
United Kingdom
Summary
A hacker compromised two connected UK-based IPTV providers, including KS-Hosting.com, defacing their websites with messages indicating a serious breach. The attacker demanded a ransom while threatening to disclose subscriber data to law enforcement, but alternatively offered to forgo payment if the services permanently shut down, refunded customers, and ceased operations entirely. This disruption caused significant service downtime and posed risks of sensitive user information exposure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around February 9, 2021, UK-based IPTV providers KS-Hosting.com and SapphireSecure.net experienced a coordinated cyberattack attributed to a single hacker. The attacker compromised both platforms, forcing them offline and replacing their homepages with messages indicating a serious security breach. Evidence suggested the services were linked by common ownership, though specific ownership details were not disclosed. The hacker issued a blackmail demand threatening to disclose customer data to law enforcement authorities unless a ransom payment was made. This threat leveraged the illicit nature of pirate IPTV operations, aiming to exploit legal vulnerabilities for coercive purposes.
The attack caused immediate service disruption, preventing subscriber access to both platforms. The hacker extended an alternative to the ransom demand: permanent cessation of operations coupled with subscriber refunds, framed as compensation for involuntary service termination. This condition explicitly prohibited any future resurrection of the services. The incident reflected a pattern of similar attacks against pirate IPTV providers attributed to the same threat actor over the preceding two years. No verifiable information regarding customer data exfiltration, ransom payment, or platform compliance with the demands was disclosed in the available reporting. The operational status of KS-Hosting.com and SapphireSecure.net following the attack remained unconfirmed in the sourced material.