Epik Breach Exposed Customer Data and Far-Right Site Operators
Epik, a U.S. domain registrar and hosting provider known for servicing deplatformed far-right platforms including Gab, Parler, 8chan, Proud Boys and QAnon-linked sites, suffered a major breach that attackers publicly claimed in September 2021. Reporting said roughly 180 GB of company and customer data was stolen, including customer lists, passwords, home addresses, payment histories, encryption keys and, in some cases, unencrypted credit card numbers. After initially disputing reports of a compromise, Epik later told customers that some systems had been breached and urged them to monitor payment methods, email accounts and passwords.
The leaked material was widely reported as authentic and exposed serious security weaknesses at Epik, while also stripping anonymity from users of the company’s privacy services. Researchers and activists used the data to identify administrators and operators tied to Proud Boys, Oath Keepers, QAnon and other extremist or scam-linked sites, intensifying scrutiny of Epik’s role as infrastructure for extremist ecosystems. The fallout continued well beyond the intrusion, contributing to reputational and operational turmoil that preceded Epik’s later sale to Registered Agents Inc., whose new owners said they were trying to rebuild trust and move the registrar in a different direction.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Registered Agents Inc. acquires Epik
On 2024-02-09, TechRadar reported that Registered Agents Inc. had acquired Epik and was repositioning it toward entrepreneurs and small businesses. The new owner said Epik had changed terms of service, removed a small number of problematic clients, and worked through a difficult accreditation transfer while maintaining service continuity.
Epik CEO says company needs security improvements after breach
By 2021-12-09, CEO Rob Monster acknowledged the breach’s impact and said Epik needed to improve its security. He attributed some problems to outdated code and said new funding and hires would be used to strengthen infrastructure.
Reporting confirms leaked Epik data appears authentic and highly sensitive
By 2021-09-20, news reports said the leaked Epik material appeared genuine and exposed highly sensitive information, including unencrypted credit card numbers and data that deanonymized users of Epik’s privacy services. Researchers and activists used the leak to identify administrators tied to Proud Boys, Oath Keepers, QAnon, and scam-linked sites.
Epik notifies customers that some systems were compromised
On 2021-09-18, after initially denying a compromise, Epik told customers that an intrusion had affected some of its systems. The company advised users to monitor payment methods, email accounts, and passwords.
Hacktivists publicly claim major breach of Epik
On 2021-09-13, a message attributed to Anonymous claimed responsibility for breaching Epik and stealing about 180 GB of company and customer data, including customer records, encryption keys, and payment histories. The operation was framed by the attackers as part of “Operation Jane.”
Sources
5 references tracked. Mallory keeps watching after this page renders.
The world's most controversial domain registrar has a new owner - and apparently it is “forging a new path” | TechRadar
techradar.com
Open sourceEpik is a refuge for the deplatformed far right. Here’s why its CEO insists on doing it | CNN Business
cnn.com
Open sourceAnonymous hack of Epik web services reveals who’s behind Proud Boys websites - The Washington Post
washingtonpost.com
Open sourceEpik, l’hébergeur Web favori de l’extrême droite américaine, victime d’un piratage d’ampleur
web.archive.org
Open sourceEpik, l’hébergeur Web favori de l’extrême droite américaine, victime d’un piratage d’ampleur
lemonde.fr
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Anonymous Leak of Epik Data Exposed Far-Right Sites and Federal Records
Hacktivists claiming to be **Anonymous** said they breached web host and domain registrar **Epik**, a provider used by sites including **Gab**, **Parler**, **QAlerts**, and other far-right platforms, and released what they described as roughly a decade of internal and customer data. Reports said the dump included domain registration and transfer records, account credentials, emails, payment history, employee mailbox contents, and more than **500,000 private keys**, affecting data tied to more than **15 million people and websites**. Epik CEO **Rob Monster** initially downplayed the incident, then later acknowledged in a public video session that company backup data appeared to have been compromised and said information from the breach was allegedly used in an attempt to target his Coinbase account. Subsequent reporting said the leaked records exposed internal support tickets, subpoenas, and preservation requests for customer information, including requests that appeared linked to investigations after the **Jan. 6 Capitol riot** and at least one FBI request tied to a domain allegedly connected to malware used in the **SolarWinds** intrusion. The data also reportedly helped trace efforts by figures such as **Ali Alexander** to obscure domain ownership and digital infrastructure, while additional releases expanded scrutiny of how hosting and registrar services supported extremist networks online. The breach became one of the most consequential hacktivist leaks involving internet infrastructure providers because it revealed both customer identities and sensitive law-enforcement-related records.
May 25, 2026
Discord User Data Exposed via Third-Party Customer Support Breach
Attackers gained unauthorized access to a third-party customer service system used by Discord, resulting in the exposure of sensitive user data. The breach, which occurred on September 20, 2025, did not compromise Discord’s core infrastructure but targeted a helpdesk provider that managed customer support and Trust and Safety interactions. The attackers obtained personally identifiable information, including real names, Discord usernames, email addresses, and IP addresses of users who had contacted Discord’s support teams. In addition to contact details, the breach exposed partial payment information, such as the last four digits of credit cards and payment types, as well as purchase history for some users. Notably, a subset of affected users had submitted government-issued identification documents, such as driver’s licenses and passports, for account appeals or age verification, and these scanned IDs were also accessed by the attackers. The attackers demanded a ransom from Discord, threatening to leak the stolen information if their demands were not met, indicating a financially motivated campaign. Discord responded by immediately revoking the support provider’s access to its ticketing system, launching an internal investigation, and engaging a leading computer forensics firm to assist with remediation. Law enforcement agencies were also notified and involved in the investigation. The company publicly disclosed the incident and notified affected users, emphasizing that full credit card numbers and account passwords were not compromised. The breach highlights the risks associated with storing sensitive data, such as government IDs, in third-party systems, especially as regulatory requirements push platforms to collect more personal information for age verification. Security experts note that customer support platforms often become attractive targets for cybercriminals due to the concentration of sensitive user data. The incident underscores the importance of minimizing data retention and ensuring that sensitive information is not stored longer than necessary in support systems. Discord’s experience mirrors previous breaches at other major platforms where helpdesk systems were exploited to access user data. The company’s swift response aimed to contain the breach and prevent further unauthorized access. The exposure of government-issued IDs is particularly concerning, as it increases the risk of identity theft for affected users. The breach serves as a cautionary tale for organizations relying on third-party vendors to handle sensitive customer interactions. Ongoing investigations are expected to provide further insights into the attackers’ methods and the full scope of the compromised data. Discord has committed to reviewing and strengthening its data handling and vendor management practices in the wake of the incident.
Mar 21, 2026
BreachForums Breaches Expose User Data After MyBB Zero-Day Compromise
BreachForums suffered repeated compromises that exposed member data across multiple iterations of the cybercrime forum. An earlier breach leaked details on about **4,000 members**, while a later incident tied to the forum's reboot reportedly spilled data on roughly **325,000 users**, underscoring the scale of exposure affecting one of the most prominent underground marketplaces. Reporting on the more recent compromise said the forum was hit through a **MyBB `0-day`** affecting unpatched software, with forum administrators claiming the intrusion was also linked to a broader law-enforcement crackdown. The incident disrupted the platform, prompted leadership changes including the emergence of a new admin, and highlighted how even criminal forums remain vulnerable to the same software flaws, operational failures, and data-security lapses that they routinely exploit in others.
May 25, 2026