Hacker group Anonymous has released a massive trove of names, passwords and addresses of far-right website administrators that experts are calling the ‘Panama Papers of hate groups.’
The intrusion targeted Epik, a Washington-based domain registrar that provides a safe haven to far-right websites, some of which had been turned away from more mainstream web hosting services.
The 150 gigabytes of data are a ‘who’s who’ of Internet – and real-life – trolls. Epik has hosted QAnon home base 8chan, neo-Nazi news site The Daily Stormer and the far-right social media platforms Gab and Parler.
Experts say that the vast amount of data could take years to sift through.
‘It’s massive. It may be the biggest domain-style leak I’ve seen and, as an extremism researcher, it’s certainly the most interesting,’ Elon University computer science professor Megan Squire told the Washington Post.
‘It’s an embarrassment of riches – stress on the embarrassment.’
The Anonymous data breach targeted Epik, a domain registrar known for hosting websites that promote far-right conspiracy theories like QAnon. Above, a QAnon rally in New York in 2020
Epik was also used by Ali Alexander, a far-right activist who reportedly tried to hide his involvement in websites promoting January 6 protests before the Capitol riot broke out
The breach was first reported by freelance journalist Steven Monacelli on September 13.
Earlier this month, Epik briefly hosted the website ProLifeWhistleblower.com, which was removed by GoDaddy because it asked for the names of doctors who performed abortions in defiance of Texas’s new restrictive pro-life law.
Epik was founded in 2009 by Rob Monster, who has defended his work as keeping the internet free and open.
The data leak revealed the lack of cybersecurity undergirding Epik, which some say should have known better considering the sensitive material it hosts.
Anonymous made the data available for download with a note saying it would help researchers trace the ownership and management of ‘the worst trash the Internet has to offer.’
The files include years of website purchase records, internal company emails and customer account credentials that reveal who administers some of the biggest far-right websites in the world.
The data includes client names, home addresses, email addresses, phone numbers and passwords.
Ali Alexander, an activist who organized one of the rallies that led to the January 6 Capitol riot, tried to hide his creation of ‘Stop the Steal’ websites after the riot.
Epik was founded by Robert Monster in 2009. Its based in a suburb of Seattle, Washington
Several domains from the Epik leak are directly tied to Alexander, according to an analysis by technology site Daily Dot.
‘A lot of research begins with naming names,’ said Emma Best, the co-founder of whistleblower group Distributed Denial of Secrets who likened the leak to the Panama Papers, the 2016 leak of more than 11 million documents from Panamanian law firm Mossack Fonseca that showed where the wealthy hide their money.
‘There’s a lot of optimism and feeling of being overwhelmed, and people knowing they’re in for the long haul with some of this data,’ she told the Washington Post.
A Twitter account by the handle @epikfailsnippet is already posting unverified revelations from the breach, including the name of a Proud Boys forum administrator who is a former employee of Drexel University.
The Proud Boys are a neo-fascist extremist group that believe that men and Western culture are under attack, according to the International Centre for Counter-Terrorism. They’ve been banned from Facebook, Instagram, Twitter and YouTube.
A former Epik employee told Bloomberg Businessweek that he quit after Monster, the company’s founder, opened a meeting by telling his staff to watch a video of the 2019 Christchurch mosque shootings in New Zealand that killed 51 people, saying that the video would prove they were fake.
Two days after hackers announced the breach, Monster said in an email to customers that the company had fallen victim to an ‘alleged security incident’ and asked customers to report back any ‘unusual account activity.’
‘You are in our prayers today,’ Monster wrote last week.
‘When situations arise where individuals might not have honorable intentions, I pray for them. I believe that what the enemy intends for evil, God invariably transforms into good. Blessings to you all.’
Monster addressed the leak in a live stream last week, saying: ‘If you have a negative intent to use that data, it’s not going to work out for you. I’m just telling you. If the demon tells you to do it, the demon is not your friend.’
The hack also exposed personal records from Anonymize, a privacy service Epik offered to customers who, ironically, wanted to conceal their identity.
The Federal Trade Commission has previously enforced financial penalties on companies that didn’t take enough steps to protect their customers.
In 2016, dating website Ashley Madison had to pay $1.6 million to settle a FTC investigation and state charges related to a huge 2015 data breach that exposed its customers identities, many of whom were married and having affairs.
‘Given Epik’s boasts about security, and the scope of its Web hosting, I would think it would be an FTC target, especially if the company was warned but failed to take protective action,’ David Vladeck, a former head of the FTC’s consumer protection bureau, told the Washington Post.
‘I would add that the FTC wouldn’t care about the content – right wing or left wing; the questions would be the possible magnitude and impact of the breach and the representations … the company may have made about security.’