Operation Payback is a coordinated, decentralized group of attacks on opponents of internet piracy by internet activists using the "Anonymous" moniker - originating from the website 4chan. Operation Payback started as retaliation to distributed denial of service (DDoS) attacks on torrent sites; piracy proponents then decided to launch DDoS attacks on piracy opponents. The initial reaction snowballed into a wave of attacks on major pro-copyright and anti-piracy organizations, law firms, and individuals. Following the United States diplomatic cables leak in December 2010, the organizers commenced DDoS attacks on websites of banks who had withdrawn banking facilities from WikiLeaks.

Background and initial attacks

In 2010, several Bollywood companies hired Aiplex Software to launch DDoS attacks on websites that did not respond to software takedown notices. Piracy activists then created Operation Payback in September 2010 in retaliation. The original plan was to attack Aiplex Software directly, but upon finding some hours before the planned DDoS that another individual had taken down the firm's website on their own, Operation Payback moved to launching attacks against the websites of copyright stringent organisations Motion Picture Association of America (MPAA) and International Federation of the Phonographic Industry, giving the two websites a combined total downtime of 30 hours. In the following two days, Operation Payback attacked a multitude of sites affiliated with the MPAA, the Recording Industry Association of America (RIAA), and British Phonographic Industry. Law firms such as ACS:Law, Davenport Lyons and Dunlap, Grubb & Weaver (of the US Copyright Group) were also attacked.

Attacks on the recording industry

Law firms

On 21 September 2010, the website of ACS:Law was subjected to a DDoS attack as part of Operation Payback. When asked about the attacks, Andrew Crossley, owner of ACS:Law, said: "It was only down for a few hours. I have far more concern over the fact of my train turning up 10 minutes late or having to queue for a coffee than them wasting my time with this sort of rubbish."

When the site came back online, a 350MB file which was a backup of the site was visible to anyone for a short period of time. The backup, which included copies of emails sent by the firm, was downloaded and made available onto various peer-to-peer networks and websites including The Pirate Bay. Some of the emails contained unencrypted Excel spreadsheets, listing the names and addresses of people that ACS:Law had accused of illegally sharing media. One contained over 5,300 Sky broadband customers whom they had accused of illegally sharing pornography, while another contained the details of 8,000 Sky customers and 400 Plusnet customers accused of infringing the copyright on music by sharing it on peer-to-peer networks. This alleged breach of the Data Protection Act has become part of the ongoing investigation into ACS:Law by the Information Commissioner's Office.

On 30 September, the Leesburg, VA office of Dunlap, Grubb & Weaver law firm – also doing business as the "U.S. Copyright Group" – was evacuated by the police after an emailed bomb threat was received. It's believed the event could be connected to Anonymous. Non-related copyright or law firms sites, such as websheriff.com, were also attacked. These attacks were originally organized through an Internet Relay Chat channel. The attacks also became a popular topic on Twitter.

Australian pro-copyright organization

On 27 September 2010, the DDoS attack on the Australian Federation Against Copyright Theft (AFACT) unintentionally brought down 8,000 other small websites hosted on the same server.

ACAPOR

In September 2010, in an attempt to ensure that Portuguese citizens can’t access thepiratebay.org, Associação do Comércio Audiovisual de Portugal (ACAPOR) has filed a complaint against The Pirate Bay. The complaint was filed with the General Inspection of Cultural Activities, which is part of the Portuguese Ministry of Culture. According to the movie rental association, The Pirate Bay is directly responsible for about 15 million illegal downloads in Portugal every year. By installing a Pirate Bay block at all ISPs, ACAPOR hopes to decrease the financial damage they claim it causes.

On 18 October 2010, the ACAPOR website was defaced, presenting a speech from Operation Payback and a redirect to The Pirate Bay after a few seconds. In addition to defacing the website, they also managed to grab a copy of the email database of ACAPOR and uploaded it to thepiratebay.org. The leaked e-mails so far revealed ACAPOR's methods of denunciation, their dissatisfaction with the Portuguese government and justice system, their perception of the copyright debate as war, and their antagonism with the ISPs. ACAPOR claimed that "the business of ISPs is illegal downloading."

More attacks

On 4 October 2010, Operation Payback launched an attack on the Ministry of Sound website and the Gallant Macmillian website.

On 7 October 2010, they attacked the website of the Spanish copyright society, sgae.es. As of 7 October 2010, total downtime for all websites attacked during Operation Payback was 537.55 hours.

On 15 October 2010, Copyprotected.com was SQL injected and defaced, and three days later Operation Payback launched a DDoS attack against the UK Intellectual Property Office.

Production companies SatelFilm.at and Wega-Film.at were hit by "drive-by" DDoSes during October 21, 2010, in response to their efforts to gain a court injunction against an ISP that refused to block a movie streaming website, and Operation Payback then knocked porn website Hustler.com offline the following day.

Musician and copyright advocate

During the 2010 MIPCOM convention, Gene Simmons of KISS stated:

Make sure your brand is protected...Make sure there are no incursions. Be litigious. Sue everybody. Take their homes, their cars. Don't let anybody cross that line.

In response to Gene Simmons' comments, members of Operation Payback switched their attentions to his two websites SimmonsRecords.com and GeneSimmons.com, taking them both offline for a total of 1 day and 14 hours. At some point during the course of this DDoS, GeneSimmons.com was hacked and redirected to ThePirateBay.org, In response to the attack Simmons wrote:

Some of you may have heard a few popcorn farts re: our sites being threatened by hackers.

Our legal team and the FBI have been on the case and we have found a few, shall we say "adventurous" young people, who feel they are above the law.

And, as stated in my MIPCOM speech, we will sue their pants off.

First, they will be punished.

Second, they might find their little butts in jail, right next to someone who's been there for years and is looking for a new girl friend.

We will soon be printing their names and pictures.

We will find you.

You cannot hide.

Stay tuned

This led to additional attacks and subsequently more downtime for his websites. Later, Simmons's message was removed from his website.

RIAA

On October 26, 2010, LimeWire was ordered to disable the "searching, downloading, uploading, file trading and/or file distribution functionality" after losing a court battle with the RIAA over claims of copyright infringement. The RIAA also announced intentions to pursue legal action over the damages caused by the program in January to compensate the affected record labels. In retaliation, members of Operation Payback announced that they will attack RIAA's website on October 29, despite that the group typically doesn't hit targets twice. On October 29, riaa.org was taken offline via denial-of-service attack. After the attack, riaa.com and riaa.org sites became unavailable from Europe. Operation Payback's main site was attacked later that day and they moved their website from tieve.tk to anonops.net.

November 5

Around October 28, 2010, the group set up a new website with the intention of coordinating protests around the world to raise awareness of their cause. The date for the protest activities were on November 5, the intended day of the Gunpowder Plot, which Anonymous heavily affiliates with through its use of Guy Fawkes masks. After that event, Operation Payback took a break from attacking websites to organize.

FBI investigation

After an attack on the United States Copyright Office, the FBI launched an investigation. FBI representatives did not respond to interview requests. They later arrested eleven people accused of taking part in the attack on Paypal.

Sarah Palin

On December 8, Sarah Palin announced that her website and personal credit card information were compromised. Palin's team believed the attack was executed by Anonymous, though Anonymous never tweeted anything about choosing Palin as a target for the DDoS attack. An Anonymous member has stated "We don’t really care about Sarah Palin that much, to be honest. I don’t really know what she’s trying to accomplish or what attention she is trying to gain. We personally don’t care about Sarah Palin" Her technical team posted a screenshot of a server log file showing the wikileaks.org URL Visa attacks had been denial of service attacks, but credit card data was not compromised. It is unknown whether Palin's card was compromised as part of a broad attack on Visa or a specific attack on the Palins. Sarah Palin's email had already been hacked by a member of Anonymous in 2008.

Operation Avenge Assange

In December 2010, WikiLeaks came under intense pressure to stop publishing secret United States diplomatic cables. Corporations such as Amazon, PayPal, BankAmerica, PostFinance, MasterCard and Visa either stopped working with or froze donations to WikiLeaks due to political pressures. In response, those behind Operation Payback directed their activities against these companies for dropping support to WikiLeaks. Operation Payback launched DDoS attacks against PayPal, the Swiss bank PostFinance and the Swedish Prosecution Authority. On 8 December 2010, a coordinated DDoS attack by Operation Payback brought down both the MasterCard and Visa websites. On 9th December 2010, prior to a sustained DDoS attack on the Paypal website that caused a minor slowdown to their service, Paypal announced on its blog that they would release all remaining funds in the account of the Wau Holland Foundation that was raising funds for WikiLeaks, but would not reactivate the account. Regarding the attacks, WikiLeaks spokesman Kristinn Hrafnsson denied any relation to the group and said: “We neither condemn nor applaud these attacks. We believe they are a reflection of public opinion on the actions of the targets.” On the same day, a 16-year-old boy was arrested in The Hague, Netherlands, in connection with the distributed denial-of-service attacks against MasterCard and PayPal. The boy was an IRC operator under the nickname of Jeroenz0r.

On 10 December 2010, The Daily Telegraph reported that Anonymous had threatened to disrupt British government websites if Assange were extradited to Sweden. Anonymous issued a press release in an attempt to clarify the issue.

Electronic Frontier Foundation co-founder John Perry Barlow described the attacks as "the shot heard round the world—this is Lexington."

The following is a list of sites and domains known to have been targeted:

! Target	! Site	! Attack time	! Ref.
PostFinance	postfinance.ch
	aklagare.se
EveryDNS	everydns.com
Joseph Lieberman	lieberman.senate.gov
MasterCard	mastercard.com
Claes Borgström	advbyra.se
	visa.com
[[Sarah Palin	sarahpac.com
PayPal	thepaypalblog.com
	amazon.com
PayPal	api.paypal.com:443
MoneyBookers	moneybookers.com
Conservatives4Palin	conservatives4palin.com

Operation Payback's attempt to take down Amazon.com was aborted after they failed to recruit enough users to their botnet.

In late December the FBI began to raid suspected participants in Operation Payback.

At the beginning of 2011, Operation Payback brought down Zimbabwean government websites after the Zimbabwean President's wife sued a newspaper for US $15 million for publishing a WikiLeaks cable that linked her with the alleged trade in illicit diamonds. On January 27, 2011, five males aged between 15 and 26 were arrested in early morning raids in the U.K. on suspicion of involvement and 40 search warrants were executed on the same day by the FBI.

Criticism

The United Kingdom Intellectual Property Office said that when its site was attacked, those responsible were depriving British citizens of access to information they have a democratic right to see, and by taking offline KISS member Gene Simmons' sites, Operation Payback members were depriving him of his right to free speech.

A spokesman for the MPAA said: "It's troubling that these groups seem more concerned about the rights of those who steal and copy films, music, books, and other creative resources than the rights of American workers who are producing these products."

There was also some criticism from the Pirate Party UK and United States Pirate Party, who in a joint public statement urged the group to "Immediately cease the Distributed Denial-of-Service (DDoS) attacks and to instead seek out a legal method to express your frustration and disquiet with the copyright industry, and their perversions of copyright law for personal gain”

While acknowledged that the DDoS attacks on credit card and banking web sites serve as political protests, cyber experts have said that Operation Payback has not done any long-term damage: most sites are back online, these attacks have not penetrated and brought down entire banking systems used to conduct transactions, and people are still continuing to use their credit cards to make payments. "This is more like a noisy political demonstration, like a mob surrounding a bank and refusing to let anyone in or out" said one cyber expert.

Tools and communication

Operation Payback members use a modified version of the Low Orbit Ion Cannon (LOIC) to execute the DDoS attacks. In September 2010, a "Hive Mind" mode was added to the LOIC. While in Hive Mind mode, the LOIC connects to IRC, where it can be controlled remotely. This allows computers with LOIC installed on them to behave as if they were a part of a botnet. Utilising this tool, the coordinators of Operation Payback were able to quickly take down websites belonging to anti-piracy groups. Botnets of all sizes have also been used.

Communication consists of an IRC channel where targets are decided upon, after which "attack posters" are produced and posted on the various imageboards (4chan/7chan/711chan/420chan/808chan). Media such as Twitter and Facebook have previously been utilised for co-ordination, but on December 8, 2010 Operation Payback's Facebook page was removed and their official Twitter account was suspended. Also, according to Valleywag, Encyclopedia Dramatica was forced to delete their article on Operation Payback.

See also

Chanology

Hacktivism

LulzSec

Operation Leakspin

Operation Titstorm

References

External links

AnonOps – Main coordination website for Operation Payback

Pandalabs.pandasecurity.com – Chronicle of all Operation Payback events

Category:2010 establishments Category:Battles and conflicts without fatalities Category:Denial-of-service attacks Category:Internet activism Category:Kiss (band) Category:PayPal Category:Recording Industry Association of America Category:Sarah Palin Category:WikiLeaks Category:Cybercrime

ca:Operation Payback cy:Operation Payback de:Operation Payback es:Operation Payback fr:Operation Payback gl:Operación Payback it:Operazione Payback