Cyber Incident Victim: EscortForumIt.xxx

In October 2019, a Bulgarian hacker using the alias InstaKilla breached two European escort forums—EscortForumIt.xxx in Italy and Hookers.nl in the Netherlands—and offered stolen user data for sale on cybercrime forums. Both platforms, used by sex workers and clients to exchange experiences and tips, confirmed unauthorized access to their systems. The attacker exploited a critical zero-day remote code execution vulnerability (CVE-2019-16759) in outdated vBulletin forum software, which had been publicly disclosed with proof-of-concept exploit code in late September 2019. Security researchers observed active exploitation of this flaw by botnets and threat actors shortly after its disclosure, with InstaKilla likely leveraging the same vulnerability due to the forums’ failure to apply security updates. The Dutch Hookers.nl database contained approximately 250,000 records including usernames, hashed passwords, email addresses, and IP addresses, while the Italian EscortForumIt.xxx breach exposed 33,000 user records.

The Dutch news outlet NOS first reported the Hookers.nl breach after receiving an anonymous tip, verifying that the hacker priced the database at $300 in underground markets. Analysis by ZDNet confirmed the hacker also accessed Hookers.nl’s internal paid subscription system, though no financial data appeared in the obtained sample. Both forums’ outdated software left them vulnerable to the exploit, which allowed remote execution of malicious code. The incident exposed sensitive personal information of sex workers and clients, creating risks of harassment, extortion, or identification. No containment measures or victim notifications were detailed in available reports, though the breaches were acknowledged by the affected websites. A third forum catering to zoophilia enthusiasts was also compromised by the same threat actor, though its name remained unspecified in source material.