Cyber Incident Victim: Hookers.nl

In October 2019, a Bulgarian hacker using the alias InstaKilla breached two European escort forums—EscortForumIt.xxx in Italy and Hookers[.]nl in the Netherlands—compromising user data subsequently offered for sale on cybercrime forums. The attacks exploited a critical zero-day remote code execution vulnerability (CVE-2019-16759) in outdated vBulletin forum software, following the public disclosure of technical details and proof-of-concept exploit code for this flaw in late September 2019. Security researcher Troy Mursch had observed active exploitation of this vulnerability by botnets shortly before the breaches, suggesting the hacker leveraged the same unpatched weakness. The Dutch Hookers[.]nl database, containing approximately 250,000 user records with usernames, hashed passwords, email addresses, and IP addresses, was advertised for $300. A sample obtained by ZDNet indicated the attacker also accessed the site’s internal paid subscription system, though no financial data was visible in the reviewed material. The Italian forum’s breach exposed 33,000 user records. Both website operators confirmed unauthorized access to their systems.

The incident gained public attention after Dutch news outlet NOS reported the data sale based on an anonymous tip, highlighting risks to sex workers and clients who used the platforms to exchange experiences. A third platform catering to zoophilia enthusiasts, Zooville, was also compromised and had its data marketed alongside the escort forums. The exposure of personally identifiable information, particularly email addresses and IP logs tied to sensitive sexual preferences and activities, created significant privacy risks for affected individuals. No financial remediation or user notification efforts were detailed in available reports. The breaches underscored the consequences of delayed software patching, as both forums remained vulnerable weeks after the vBulletin exploit’s disclosure and active weaponization by malicious actors.