Cyber Incident Victim: What.cd
Date:
Jan 2014
Location:
United States of America
Summary
A distributed denial-of-service attack targeted a prominent music-focused private BitTorrent tracker and two other major private BitTorrent trackers, causing extended downtime. The sustained attacks overwhelmed the sites, prompting one to implement IP null-routing to mitigate bandwidth costs. No individual or group claimed responsibility, and the perpetrators' motivations remained unclear, though historical context suggested possible grudges related to anti-piracy sentiments, competition, or personal grievances. The incident mirrored previous attacks linked to an individual denied access to similar platforms.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 4 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early January 2014, three prominent private BitTorrent trackers—What.cd (music), Broadcasthe.net (BTN, TV), and PassthePopcorn.me (PTP, movies)—experienced sustained distributed denial-of-service (DDoS) attacks that rendered their services unavailable for multiple days. The attacks began over the preceding weekend and continued through the reporting date of January 6, 2014, exceeding the typical duration of such incidents against torrent platforms. All three trackers operated invite-only membership systems but maintained tens of thousands of active users who were unable to access the sites during the outage. What.cd implemented a null-routing of its IP address to mitigate bandwidth consumption costs caused by the attack traffic, with a staff member confirming the measure was taken specifically to avoid financial strain from the "significant and sustained" assault. No individual or group claimed responsibility for the attacks at the time of reporting, and staff from both What.cd and PTP stated they had received no prior threats or communication from the attackers.
The incident bore similarities to previous DDoS campaigns in November 2012 when an individual using the alias "Zeiko" targeted the same three trackers after reportedly being denied an invite to one platform, later expanding attacks to public torrent sites like The Pirate Bay. However, no evidence linked the 2014 attacks to Zeiko or any specific perpetrator. The operational impact included extended downtime for all three trackers, disrupting their tightly controlled user communities and necessitating infrastructure countermeasures. What.cd's null-routing decision highlighted the financial consequences of prolonged DDoS mitigation efforts for volunteer-run platforms. While the attacks clearly targeted private tracker communities, the precise motivation—whether anti-piracy sentiment, competitive disputes, or personal grievances—remained undetermined according to available information from site administrators and public statements.