Anonymous Leak of Epik Data Exposed Far-Right Sites and Federal Records
Hacktivists claiming to be Anonymous said they breached web host and domain registrar Epik, a provider used by sites including Gab, Parler, QAlerts, and other far-right platforms, and released what they described as roughly a decade of internal and customer data. Reports said the dump included domain registration and transfer records, account credentials, emails, payment history, employee mailbox contents, and more than 500,000 private keys, affecting data tied to more than 15 million people and websites. Epik CEO Rob Monster initially downplayed the incident, then later acknowledged in a public video session that company backup data appeared to have been compromised and said information from the breach was allegedly used in an attempt to target his Coinbase account.
Subsequent reporting said the leaked records exposed internal support tickets, subpoenas, and preservation requests for customer information, including requests that appeared linked to investigations after the Jan. 6 Capitol riot and at least one FBI request tied to a domain allegedly connected to malware used in the SolarWinds intrusion. The data also reportedly helped trace efforts by figures such as Ali Alexander to obscure domain ownership and digital infrastructure, while additional releases expanded scrutiny of how hosting and registrar services supported extremist networks online. The breach became one of the most consequential hacktivist leaks involving internet infrastructure providers because it revealed both customer identities and sensitive law-enforcement-related records.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Epik hack cited as part of wider hacktivist disclosures affecting tech firms
By October 7, coverage of the Epik breach placed it alongside other major hack-and-leak incidents, including Twitch, as examples of hacktivists exposing internal corporate data and infrastructure. This reflected the broader significance of the Epik disclosures beyond the initial victim alone.
A second tranche of stolen Epik data is reportedly leaked
On September 30, reporting indicated that another batch of stolen Epik data had been released, extending the fallout from the original breach. The new dump suggested the attackers continued publishing material beyond the initial archive.
Leaked Epik tickets reveal subpoenas and preservation requests
Internal ticketing records from the breach exposed subpoenas, grand jury requests, and 90-day preservation demands for customer information, including requests apparently tied to investigations after the January 6 Capitol riot. The leaked records also showed an FBI preservation request and subpoena in late 2020 for an Epik-hosted domain allegedly linked to malware used in the SolarWinds attack.
Broader coverage says Epik breach exposed data on millions of people and sites
By September 21, mainstream reporting described the Epik hack as exposing information tied to more than 15 million people and websites. Coverage also highlighted Epik's role as a service provider for far-right and extremist-linked platforms, increasing the public impact of the breach.
Reporting links leaked Epik data to Jan. 6-related digital traces
Analysis of the leaked Epik records showed how figures such as Ali Alexander appeared to have tried to obscure their online footprint after the January 6 Capitol riot. The reporting used the breach data to connect domains and infrastructure to post-riot activity.
Epik CEO publicly acknowledges the breach in a live video Q&A
During a chaotic public video session, Rob Monster acknowledged that Epik had been breached after earlier denials and described it as involving a compromised company backup. He also said a hacker nearly stole about $100,000 from his Coinbase account using information exposed in the incident.
Researcher warned Epik of critical account-takeover flaw before breach
Weeks before the hack became public, a security researcher reported a critical flaw in Epik's website that exposed customer account data and could allow account takeover. The report said Epik did not promptly fix the issue before the later breach disclosures.
Epik CEO initially dismisses the reported incident
After the breach claim surfaced, Epik CEO Rob Monster publicly downplayed it on Twitter, calling the matter insignificant and questioning the authenticity of the leaked material. This marked the company's first public response to the incident.
Anonymous claims breach of Epik and begins releasing stolen data
Anonymous said it hacked web host and domain registrar Epik and obtained roughly a decade of internal and customer data, including domain records, credentials, payment history, employee mailboxes, and hundreds of thousands of private keys. Early reporting on the leak appeared on September 14, 2021, as the group said it was working to make the archive more accessible.
Sources
8 references tracked.
New hacks reveal tech secrets in spreading guerrilla war - The Washington Post (washingtonpost.com)
'Anonymous' reportedly leaks more stolen Epik data (theregister.com)
Epik Hack Reveals Websites Under Subpoena Investigation (dailydot.com)
Epik hack: ‘Anonymous’ claims to hit website hosting firm popular with Proud Boys | CNN Politics (cnn.com)
How Ali Alexander Tried To Hide His Digital Footprint Following Capitol Riot (dailydot.com)
Epik CEO Responds To Hack in Video Q&A Overrun By Hackers (dailydot.com)
Web host Epik was warned of a critical security flaw weeks before it was hacked | TechCrunch (techcrunch.com)
Anonymous: Group Alleges It Hacked Far-Right Web Host Epik (web.archive.org)


