Anonymous Used LOIC DDoS Campaign to Hit RIAA and Payment Sites
Anonymous organized distributed denial-of-service (DDoS) attacks under its Operation Payback banner, using the Low-Orbit Ion Cannon (LOIC) tool and publicly coordinating participants through channels including 4chan's /b/ board and the operation's website. In one of the campaign's prominent actions, the group targeted the Recording Industry Association of America (RIAA), saying it was protesting what it viewed as abusive copyright enforcement by industry lobbyists and law firms; the RIAA site was reportedly forced offline within minutes, although some related pages remained reachable.
The same campaign later expanded to organizations linked to pressure on WikiLeaks, with Anonymous supporters redirecting attacks toward PayPal and briefly knocking Moneybookers offline after deciding against a planned action on Amazon. Participants said the Amazon attack was dropped because they lacked sufficient numbers and did not want to disrupt holiday shoppers, while the group also acknowledged internal disagreements and attempted to distance itself from a figure known as Coldblood without signaling any broader collapse of the operation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
FBI arrests 14 alleged Anonymous members over PayPal DDoS
On 2011-07-19, the FBI arrested 14 alleged Anonymous members in connection with the Operation Payback distributed denial-of-service attack targeting PayPal. The arrests marked a significant U.S. law enforcement response to the 2010 campaign.
Anonymous addresses internal disputes during campaign
By 2010-12-10, Anonymous publicly acknowledged internal disagreements and distanced itself from a member known as Coldblood. The group said the dispute did not threaten the overall structure of the campaign.
Moneybookers briefly knocked offline
Early on 2010-12-10, elements of Anonymous briefly disrupted Moneybookers as part of the broader Operation Payback campaign. The outage was described as temporary.
Operation Payback shifts focus to PayPal
On 2010-12-09, Anonymous redirected its campaign toward PayPal after dropping the Amazon plan. PayPal's systems were reported to have experienced intermittent performance issues during the attack activity.
Anonymous abandons planned attack on Amazon
On 2010-12-09, Anonymous supporters considered targeting Amazon as part of the WikiLeaks-related Operation Payback campaign but called off the plan. Participants cited insufficient numbers and concern about harming consumers during the holiday shopping period.
Anonymous launches DDoS attack on RIAA website
On 2010-10-29, Anonymous used the Low-Orbit Ion Cannon (LOIC) in a publicly coordinated Operation Payback action against the Recording Industry Association of America. The attack began around 5 PM ET and reportedly took the RIAA site offline within minutes, though some related pages remained accessible.
LOIC variant adds 'Hive Mind' remote-control capability
By 2010-09-27, a modified version of the Low Orbit Ion Cannon (LOIC) DDoS tool was reported to include a 'Hive Mind' feature that let it act as a remotely controlled voluntary botnet client over IRC. The change enabled more centralized coordination of participants and raised concerns that the tool could be abused on third-party systems without users' knowledge.
Sources
4 references tracked. Mallory keeps watching after this page renders.
'Anonymous' DDoS Attack Takes Down RIAA Site | PCMag
pcmag.com
Open sourceFBI Arrests 14 Alleged 'Anonymous' Members For PayPal DDoS Attack | CRN
crn.com
Open sourceAnonymous Wikileaks supporters explain web attacks - BBC News
bbc.co.uk
Open sourceAnonymous DDoS Tool Gets Botnet Capabilities
web.archive.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Anonymous Expanded Operation Payback From Anti-Piracy Targets to WikiLeaks Backers
Anonymous used **distributed denial-of-service (DDoS)** attacks under the banner of **Operation Payback** to hit anti-piracy groups and related legal entities including the **RIAA, MPAA, BPI, AFACT, BREIN, Websheriff**, and the law firm **Dunlap, Grubb and Weaver**. The campaign escalated after the shutdown of LimeWire, with Anonymous publicly planning another attack on the RIAA and portraying the action as retaliation against copyright enforcement. Earlier attacks also coincided with the takedown of **ACS:Law**, where hundreds of megabytes of internal emails were exposed after the firm was knocked offline. The operation later widened into a pro-WikiLeaks campaign branded **Operation Avenge Assange** after **PayPal, Visa, MasterCard, and Amazon** cut services to WikiLeaks following the publication of US diplomatic cables. Anonymous launched prolonged attacks that disrupted PayPal and targeted other firms seen as censoring WikiLeaks, while police in the UK opened investigations, monitored threats against government sites, and examined the use of the **Low Orbit Ion Cannon** by participants. The campaign showed how Anonymous evolved from anti-piracy retaliation into politically motivated online disruption aimed at organizations viewed as restricting access, speech, or digital distribution.
May 25, 2026
Anonymous Sudan Claims DDoS Attacks on AP, Cloudflare, and AO3
Anonymous Sudan, also tracked as **Storm-1359**, claimed distributed denial-of-service attacks that disrupted parts of **The Associated Press**, **Cloudflare’s website**, and **Archive of Our Own (AO3)**. AP said **APNews.com** and some links suffered technical issues while its mobile apps continued to operate, and Cloudflare confirmed intermittent connectivity problems on `www.cloudflare.com` but said its products and customer-facing services were unaffected because they run on separate infrastructure. AO3 experienced intermittent `503 Service Unavailable` errors as volunteer administrators worked to restore access. The group framed the operations as part of a broader campaign against U.S.-registered organizations and, in AO3’s case, paired ideological messaging about LGBTQ+ and NSFW content with a **$30,000 bitcoin ransom** threat to prolong the outage. The incidents fit a wider pattern of high-profile DDoS activity attributed to Anonymous Sudan against targets including Microsoft, X, PayPal, Reddit, Tumblr, Kenya’s digital government portal, and ChatGPT, while multiple researchers and vendors have assessed that the group is likely **pro-Russian** and shares similarities with **Killnet**, despite presenting itself as a Sudanese Islamist hacktivist collective.
May 25, 2026
Anonymous Escalates Project Chanology Against the Church of Scientology
Anonymous launched **Project Chanology** against the Church of Scientology after the church sought removal of a leaked Tom Cruise promotional video from YouTube, triggering accusations that Scientology was using copyright and legal pressure to suppress online speech. The campaign initially featured disruptive cyber activity including **DDoS attacks**, website defacements, prank calls, black-faxing, and other harassment aimed at Scientology websites and offices, while Anonymous circulated videos vowing to “systematically dismantle” the organization and used sites and social platforms to coordinate actions. Scientology responded by branding the group **cyber-terrorists**, linking it to threats and white-powder mailings, and reportedly sought help from law enforcement as some critics of Scientology also condemned the attacks as hypocritical and counterproductive. The operation then broadened from online attacks into a decentralized international protest movement, with masked demonstrators rallying outside Scientology centers in nearly 100 cities across North America, Europe, and Australia. Anonymous publicly promoted a code of conduct emphasizing peaceful demonstrations and legal activism, while protests highlighted allegations of censorship, financial exploitation, “Fair Game,” and retaliation against critics; major actions in February and March drew thousands, with additional rounds continuing later in the year. The campaign became an early example of an internet-born collective translating online mobilization into sustained real-world activism, even as legal scrutiny continued and later court cases produced guilty pleas tied to Scientology-related DDoS attacks.
May 25, 2026