Data indexed on breach index site LeakedSource

Aug 3, 2016 01:40 GMT

The hacking crew that promised to launch DDoS attacks on the Pokemon GO servers on August 1 suffered a minor setback yesterday, after someone hacked their site, dumped the database, and shared it with data breach index service LeakedSource.

The hacking crew goes by the name PoodleCorp. It is a relatively new unit on the cyber-crime scene and has made a name for itself by defacing popular YouTube channels.

DDoS attack on Pokemon GO servers never came

The group had already launched a successful DDoS attack on Pokemon GO servers on July 16 and annoyed much of the Pokemon GO fanbase.

Seeing the huge media attention they received from that attack, two days later, on July 18, the group promised to launch another DDoS attack on Pokemon GO on August 1, much bigger than the first one.

August 1 came and went. Pokemon GO players didn't report anything. However, today, PoodleCorp's name surfaced online again after LeakedSource announced they had added details from the PoodleCorp.org domain to their massive database of breached sites.

PoodleCorp launches DDoS attack on LeakedSource

PoodleCorp responded to LeakedSource's announcement with what they knew best, a DDoS attack.

A LeakedSource spokesperson told Softpedia that the attack lasted exactly 45 minutes and 9 seconds and was mitigated from its first waves, an indication of why PoodleCorp stopped after less than an hour.

During the time it took your reporter to write this article, LeakedSource reported several smaller 2-3-minute-long DDoS attacks, but nothing big enough to take down their website.

PoodleCorp data analysis

LeakedSource was kind enough to share some of the data with Softpedia. You can see the database schema embedded at the end of this article.

Based on the data's structure, the database is for PoodleCorp's DDoS botnet control panel, which the gang is renting to others, an opinion shared by both LeakedSource and Softpedia. LeakedSource said they received the PoodleCorp data from an anonymous source.

The database contains tables that hold information on the botnet's slaves (bots), control panel logins, logs, payment details, payment plans, support tickets, servers, and attack gateways.

"We can see who attacked, for how long and which method. We can see what IPs the purchasers attacked as well," LeakedSource told Softpedia. "The server list was not stored on their site, but we can see an endpoint they use to initiate attacks."

Attacking LeakedSource was a bad idea in hindsight

LeakedSource also says the group hadn't been successful at monetizing their botnet. "They didn't make much money," LeakedSource said, revealing that the group made only $335 in PayPal sales from renting their botnet. This may be because PoodleCorp is still relatively new.

One thing LeakedSource staff spotted was that the first payment recorded in the botnet's control panel was for $1, while payments for the same package plan were for $19.99.

This looked like a test payment, most likely made by the person who set up the botnet's rental payment service. The data dump contained enough information to identify the individual behind this initial payment in LeakedSource's own data stores. The team discovered a full name and email address, which they remembered seeing before.

"Looks like that guy tried to spread the leak of a rival competitor booter," LeakedSource told Softpedia in a Twitter conversation.

Following this discovery, LeakedSource said they also managed to identify "full address information on 3 members, which we plan on reporting to the relevant authorities."

"It's a terrible idea to attack a business that knows something about virtually everybody," LeakedSource also added. Softpedia reached out to PoodleCorp and PoodleCorp member XO for additional comments.

UPDATE: PoodleCorp provided some answers to why they didn't attack Pokemon GO servers on August 1, and how their botnet database ended up in LeakedSource's possession. Apparently, a partner that had root access on the same server had stolen their database. (YouTube video, after 01:37.)

PoodleCorp.org database schema