Anonymous Expanded Operation Payback From Anti-Piracy Targets to WikiLeaks Backers
Anonymous used distributed denial-of-service (DDoS) attacks under the banner of Operation Payback to hit anti-piracy groups and related legal entities including the RIAA, MPAA, BPI, AFACT, BREIN, Websheriff, and the law firm Dunlap, Grubb and Weaver. The campaign escalated after the shutdown of LimeWire, with Anonymous publicly planning another attack on the RIAA and portraying the action as retaliation against copyright enforcement. Earlier attacks also coincided with the takedown of ACS:Law, where hundreds of megabytes of internal emails were exposed after the firm was knocked offline.
The operation later widened into a pro-WikiLeaks campaign branded Operation Avenge Assange after PayPal, Visa, MasterCard, and Amazon cut services to WikiLeaks following the publication of US diplomatic cables. Anonymous launched prolonged attacks that disrupted PayPal and targeted other firms seen as censoring WikiLeaks, while police in the UK opened investigations, monitored threats against government sites, and examined the use of the Low Orbit Ion Cannon by participants. The campaign showed how Anonymous evolved from anti-piracy retaliation into politically motivated online disruption aimed at organizations viewed as restricting access, speech, or digital distribution.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
20 events from the most recent confirmed update back to the earliest known activity.
SN_Blackmeta claims responsibility for Internet Archive attack
During the ongoing Internet Archive disruption, an anonymous group calling itself SN_Blackmeta claimed responsibility for the DDoS campaign. The claim had not been independently verified at the time of reporting.
Internet Archive comes under sustained multi-day DDoS attack
Beginning on Sunday before May 29, 2024, the Internet Archive experienced a sustained, targeted DDoS attack that caused intermittent disruption to its online library and Wayback Machine. The organization said its collections and web archives remained safe despite the impact.
UK court convicts AnonOps admin 'Nerdo' over Operation Payback
On 2012-12-14, UK authorities announced the conviction of Christopher 'Nerdo' Weatherhead for conspiracy to impair computers in connection with Anonymous's Operation Payback attacks on PayPal and others. Prosecutors said investigators used IRC logs, open-source intelligence, and computer forensics to prove he helped organize the campaign through AnonOps.
Anonymous and LulzSec call for PayPal boycott
On 2011-07-27, Anonymous and Lulz Security publicly urged users to boycott PayPal and close their accounts, citing the July 19 arrests of alleged participants and PayPal's continued withholding of WikiLeaks-related funds. The campaign marked a shift from earlier DDoS retaliation to a public economic protest tied to Operation Avenge Assange.
Arrests and police investigations follow Anonymous attacks
By mid-December 2010, authorities had begun investigating the WikiLeaks-related DDoS campaign, including a Metropolitan Police probe in the UK, and arrests had already been reported. Officials were also monitoring possible further attacks, including threats against UK government sites.
Swedish prosecution website hit during Assange proceedings
Amid Julian Assange's extradition proceedings, the Swedish prosecution office website was subjected to an 11-hour DDoS attack linked to the same Anonymous campaign. The attack broadened the target set beyond payment and hosting companies.
Visa, MasterCard, and PayPal targeted over WikiLeaks ties
Anonymous-linked DDoS attacks expanded to companies including Visa, MasterCard, and PayPal after those firms cut ties with WikiLeaks. The attacks were conducted under the Operation Payback banner as retaliation for actions against the leak site.
Operation Payback broadens into Operation Avenge Assange
By 2010-12-06, reporting described Operation Payback as expanding beyond anti-piracy targets into 'Operation Avenge Assange' in response to actions against WikiLeaks. The shift marked a reorientation of Anonymous-linked DDoS activity toward companies seen as cutting off support for WikiLeaks.
PayPal website hit by prolonged DDoS attack
As part of Operation Avenge Assange, Anonymous carried out a DDoS attack against a PayPal website that reportedly lasted about eight hours and caused repeated service disruptions. The attack marked one of the first major actions in the pro-WikiLeaks phase of the campaign.
Operation Avenge Assange launches after firms cut off WikiLeaks
In early December 2010, Anonymous shifted Operation Payback toward support for WikiLeaks after PayPal stopped processing donations and Amazon withdrew hosting. The campaign was framed as retaliation against perceived censorship of WikiLeaks.
Anonymous plans renewed DDoS attack on the RIAA
Anonymous publicized plans to attack the RIAA on October 29, 2010 at 4:00 PM EST, framing it as retaliation for LimeWire's shutdown. The planned action was presented as part of Operation Payback and followed an earlier RIAA targeting on September 19.
Anonymous hits UK IPO and acapor.pt in fresh Operation Payback wave
On 2010-10-18, Anonymous launched a new round of Operation Payback DDoS attacks that reportedly knocked the UK Intellectual Property Office and Portuguese music industry site acapor.pt offline. The action was framed as retaliation for anti-piracy measures and followed earlier attacks on copyright-enforcement organizations.
Anonymous targets Gene Simmons websites
Anonymous reportedly disrupted GeneSimmons.com and SimmonsRecords.com in apparent retaliation after Gene Simmons publicly called for more aggressive lawsuits against music file sharers. The action was framed as part of the broader Operation Payback campaign against copyright-enforcement supporters.
Anonymous targets Spain's SGAE and Promusicae
On 2010-10-07, Anonymous expanded Operation Payback to Spain, launching DDoS attacks against copyright society SGAE and music industry site Promusicae. Reports said SGAE's website crashed before the announced start time, and Panda Security observed hundreds of participants using LOIC, including about 200 in Spain.
Anonymous targets Ministry of Sound and related firms
On 2010-10-04, Anonymous-linked Operation Payback DDoS attacks disrupted the websites of the Ministry of Sound, its payment provider, and solicitors Gallant Macmillan. The action was framed as retaliation for legal efforts tied to identifying and suing alleged music uploaders.
Anonymous targets Dunlap, Grubb and Weaver
By the end of September 2010, Operation Payback participants were also attacking the law firm Dunlap, Grubb and Weaver, which was associated with the US Copyright Group. Anonymous said the attacks would continue until they were no longer angry.
ACS:Law data exposed after Operation Payback attack
During the early Operation Payback campaign, ACS:Law was taken offline and several hundred megabytes of private emails were exposed. The incident became one of the most notable escalations in the campaign beyond simple service disruption.
Operation Payback begins targeting anti-piracy groups
By late September 2010, Anonymous participants had launched a week-long DDoS campaign under Operation Payback against anti-piracy organizations and related entities. Reported targets included the RIAA, BPI, MPAA, AFACT, BREIN, Aiplex, and Websheriff.
RIAA website taken offline in early Operation Payback attack
On 2010-09-19, the RIAA reportedly became one of the earliest successful Operation Payback targets when its website was knocked offline in a DDoS attack. The incident followed the earlier MPAA action and preceded the broader late-September wave against multiple anti-piracy organizations.
4chan users organize DDoS action against the MPAA
On 2010-09-17, participants linked to Anonymous/4chan reportedly organized a 'surgical strike' DDoS campaign against the MPAA as retaliation tied to anti-piracy actions against The Pirate Bay. This represents an early precursor phase of Operation Payback before the broader late-September wave against multiple anti-piracy groups.
Sources
19 references tracked. Mallory keeps watching after this page renders.
'Anonymous' Plans DDoS Attack on RIAA on Friday | PCMag
pcmag.com
Open sourceThree-day DDoS attack batters the Internet Archive
theregister.com
Open sourceGene Simmons gets kiss of death from notorious web forum | Filesharing | The Guardian
theguardian.com
Open sourceUK cops: How we sniffed out convicted AnonOps admin 'Nerdo'
theregister.co.uk
Open source4chan launches DDoS against entertainment industry
theregister.co.uk
Open sourceRIAA Goes Offline, Joins MPAA As Latest Victim Of Successful DDoS Attacks | TechCrunch
techcrunch.com
Open source4chan Users Organize Surgical Strike Against MPAA - MediaCenter Panda Security
web.archive.org
Open sourceACS:Law Anti-Piracy Law Firm Torn Apart By Leaked Emails | TorrentFreak
web.archive.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Anonymous Used LOIC DDoS Campaign to Hit RIAA and Payment Sites
Anonymous organized **distributed denial-of-service (DDoS)** attacks under its **Operation Payback** banner, using the **Low-Orbit Ion Cannon (`LOIC`)** tool and publicly coordinating participants through channels including **4chan's `/b/` board** and the operation's website. In one of the campaign's prominent actions, the group targeted the **Recording Industry Association of America (RIAA)**, saying it was protesting what it viewed as abusive copyright enforcement by industry lobbyists and law firms; the RIAA site was reportedly forced offline within minutes, although some related pages remained reachable. The same campaign later expanded to organizations linked to pressure on **WikiLeaks**, with Anonymous supporters redirecting attacks toward **PayPal** and briefly knocking **Moneybookers** offline after deciding against a planned action on **Amazon**. Participants said the Amazon attack was dropped because they lacked sufficient numbers and did not want to disrupt holiday shoppers, while the group also acknowledged internal disagreements and attempted to distance itself from a figure known as **Coldblood** without signaling any broader collapse of the operation.
May 25, 2026
Anonymous Sudan Claims DDoS Attacks on AP, Cloudflare, and AO3
Anonymous Sudan, also tracked as **Storm-1359**, claimed distributed denial-of-service attacks that disrupted parts of **The Associated Press**, **Cloudflare’s website**, and **Archive of Our Own (AO3)**. AP said **APNews.com** and some links suffered technical issues while its mobile apps continued to operate, and Cloudflare confirmed intermittent connectivity problems on `www.cloudflare.com` but said its products and customer-facing services were unaffected because they run on separate infrastructure. AO3 experienced intermittent `503 Service Unavailable` errors as volunteer administrators worked to restore access. The group framed the operations as part of a broader campaign against U.S.-registered organizations and, in AO3’s case, paired ideological messaging about LGBTQ+ and NSFW content with a **$30,000 bitcoin ransom** threat to prolong the outage. The incidents fit a wider pattern of high-profile DDoS activity attributed to Anonymous Sudan against targets including Microsoft, X, PayPal, Reddit, Tumblr, Kenya’s digital government portal, and ChatGPT, while multiple researchers and vendors have assessed that the group is likely **pro-Russian** and shares similarities with **Killnet**, despite presenting itself as a Sudanese Islamist hacktivist collective.
May 25, 2026
Anonymous Expanded From Arab Spring Operations to Anti-ISIS Cyber Campaigns
Anonymous shifted from prank-driven activity into overtly political hacktivism by targeting state and extremist online infrastructure during major geopolitical crises. During the Arab Spring, participants launched operations against Tunisian and Egyptian government websites, using **DDoS attacks**, defacements, and censorship-circumvention support as protests spread. Reporting tied **OpTunisia** to efforts to bypass surveillance and keep information flowing after the uprising sparked by Mohamed Bouazizi’s self-immolation, while **OpEgypt** targeted Egyptian government sites and reacted after Hosni Mubarak’s regime shut down internet access during the Tahrir Square demonstrations. The collective later turned its attention to the Islamic State through **#OpISIS**, a decentralized campaign aimed at disrupting propaganda, recruitment, and communications online. Anonymous-linked volunteers and affiliated groups including **GhostSec** and the **@CtrlSec** network used mass reporting, bot-assisted account tracking, website takedowns, **DDoS**, **SQL injection**, and intelligence gathering to target ISIS-linked Twitter accounts, videos, forums, and websites. Accounts of the campaign said activists flagged roughly **101,000** Twitter accounts, identified **5,900** propaganda videos, dismantled about **149** websites, and in some cases passed intelligence to authorities, even as the effort exposed internal debate over free speech and the limits of hacktivist counterterrorism.
May 25, 2026