Goatse Security is a loosely organized hacking group, described in the content as a subdivision of GNAA and created as a vehicle for GNAA members to publish security research. The group is best known for identifying and exploiting a 2010 AT&T iPad 3G web application/API flaw that exposed approximately 114,000 customer email addresses and associated ICC-IDs.
Reporting states the group used scripts, including a PHP script, to enumerate iPad hardware identifiers/ICC-IDs against an AT&T web endpoint that returned associated email addresses, and in some accounts used an iPad-style user agent header. Exposed victims reportedly included executives, media figures, government personnel, and military personnel. The group provided information about the incident to Gawker/Valleywag, which published partially redacted samples, and the incident prompted an FBI investigation.
Content also attributes Andrew "weev" Auernheimer and Daniel "JacksonBrown" Spitler as members involved in the operation; Auernheimer is repeatedly described as a key member. Internal discussions cited in the content indicate members discussed publicity, phishing, spam, and even shorting AT&T stock before disclosure, and acknowledged potential legal exposure.
The group is also described in reporting as aiming to expose security vulnerabilities, and separate reporting notes prior media attention for exposing Firefox-based IRC attacks and flaws in Amazon’s rating system, as well as finding flaws in Safari and Firefox.
11 distinct techniques observed across reporting, grouped by tactic.
20 sources tracked across advisories, community write-ups, and news.
Goatse Security appears only in a generic Wikipedia navigation list of hacking groups, without any discussion tying it to the PoisonIvy content.
Groups Anonymous associated events Avalanche Crime Boys GNAA Goatse Security Insanity Zine Corp. GhostNet Level Seven PLA Unit 61398 Prime Suspectz RBN ShadowCrew World of Hell Sandworm
Associated with collecting and disclosing AT&T iPad users' email addresses obtained by querying a web panel tied to ICC-IDs; members discussed possible phishing use of the data before disclosure.