Cyber Incident Victim: Sapphire Secure

Date: Feb 2021

Location: United Kingdom

Summary

A hacker compromised two interconnected UK-based pirate IPTV providers, including SapphireSecure.net, displaying takeover messages on their homepages and threatening to disclose subscriber data to law enforcement. The attacker demanded a ransom payment while offering an alternative to avoid payment: permanently shutting down both services, refunding customers, and ceasing operations entirely. This incident resulted in unauthorized system access, extortion attempts, and potential exposure of user information, consistent with the hacker's pattern of targeting similar providers.

Description

On or around February 9, 2021, UK-based IPTV providers SapphireSecure.net and KS-Hosting.com suffered a coordinated cyberattack conducted by an individual hacker with a documented history of targeting pirate IPTV services over the preceding years. The attacker compromised both platforms simultaneously, forcing them offline and replacing their homepages with messages declaring the services had been seriously breached. Evidence suggested the two platforms shared common ownership, making them vulnerable to a unified attack. The hacker issued a blackmail demand threatening to disclose customer data to law enforcement authorities unless a ransom was paid. This extortion attempt leveraged the illicit nature of the pirate IPTV services, exploiting the operators' fear of legal repercussions from exposing subscriber information.

The attack disrupted service availability for both platforms, directly impacting their user bases. Beyond the ransom demand, the hacker presented an alternative ultimatum: permanent cessation of operations with no possibility of revival, coupled with refunds to subscribers for unfulfilled service periods. This refund condition was framed by the attacker as compensating users for disruptions "as this is not their fault," indicating a strategic effort to pressure the operators by aligning demands with consumer interests. The incident highlighted operational interdependencies between SapphireSecure.net and KS-Hosting.com through their shared compromise and the attacker's treatment of them as linked entities. Public exposure of the breach via defaced homepages damaged the platforms' credibility, while the threatened data leak posed significant legal risks to both operators and subscribers engaged in unauthorized IPTV access.
