Vigilante hacking campaign blocks victims from visiting The Pirate Bay, other piracy sites

A hacker doesn’t appear to be happy with the amount of digital piracy out there.
Supporters of the web site 'The Pirate Bay', one of the world's top illegal filesharing websites, demonstrate in Stockholm, on April 18, 2009. The site still enjoys name recognition more than a decade after its heyday. (FREDRIK PERSSON/AFP via Getty Images)

A wave of malicious software downloads from October 2020 to January 2021 blocked users from visiting websites that host pirated versions of video games, Microsoft Office and other programs, analysts at antivirus firm Sophos said Thursday. One malware strain borrowed name recognition from The Pirate Bay, a notorious portal that directs users to copyrighted material while also serving up malicious software and nefarious advertisements.

The vigilante disguised their malicious code as pirated software on Discord, a popular chat service, and on file-sharing service BitTorrent, Sophos said in a blog post. But instead of getting a bootlegged version of a video game like Minecraft, targets of the campaign downloaded malicious code that prevented their machines from visiting websites for pirated software.

In some cases, the attacker made the malicious code appear as if it came from a popular file-sharing account on BitTorrent, according to Sophos.


It’s unclear who is behind the malware.

Sophos said the list of blocked websites is so long it is hard to discern any pattern from it. But it’s a curious example of an often-overlooked aspect of cyberspace: malicious activity aimed at other illicit digital activity. A much different example came in January 2020, when security firm FireEye said that an unidentified hacker was exploiting a vulnerability in widely used Citrix software to break into networks and clean up other signs of malware on them.

Andrew Brandt, principal researcher at Sophos, said the piracy-themed malware surfaced last October. The domain that was collecting information on infections went quiet in January, but the malware is still circulating online, Brandt said. The website-blocking code uses a “crude,” but effective technique that Brandt said he came across more than a decade ago in another case of BitTorrent-related malware.

The newly discovered malware also downloads an additional malicious file that doesn’t seem to do much other than chew up resources on a computer.

“It just seems to be a resource hog out of … spite? Who knows? Retribution?” Brandt wrote in an email. “It’s really hard to divine a motive beyond making it hard for people to browse the websites where things like pirated software, software license keys or copy-protection cracks are offered.”


The piracy ecosystem may have changed since the late-1990s era of ripping files from Napster, but piracy is still a thorn in the side of many corporations. Global online piracy costs the American economy at least $29.2 billion in lost revenue each year, according to a 2019 study by the U.S. Chamber of Commerce.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
