
Monday, June 29, 2026

Underground Hacking Exposed | Ctrl-Alt-Del

MonkeyMafia: Inside the British Teen Swatting Ring That Terrorized Streamers and Public Institutions

In the shadowy corners of online chat groups, a loose collective known as MonkeyMafia emerged as a notable player in the dangerous world of swatting. Operating primarily from the UK, this group of young individuals turned hoax emergency calls into a twisted form of entertainment and status-seeking. Between late 2022 and mid-2023, they orchestrated false reports that sent armed police scrambling to homes and institutions, all in pursuit of online notoriety. liverpoolecho.co.uk 

Swatting involves fabricating urgent threats—such as active shooters, bombings, or violent incidents—to provoke a heavy law enforcement response. For MonkeyMafia, success often meant watching the chaos unfold in real time, especially during live streams. What started as edgy online banter escalated into coordinated campaigns that crossed international borders and drew serious legal consequences. bbc.com 

Origins and Core Participants

MonkeyMafia was never a tightly structured organization with formal leadership. Instead, it resembled a fluid Discord or Telegram community where members drifted in and out. Some actively planned calls, while others simply observed or cheered from the sidelines. The group leveraged platforms like Telegram, X, and Discord for coordination and bragging rights. warringtonguardian.co.uk 

Two teenagers became central figures in public scrutiny:

•  Dylan Ash, from the Warrington area (later associated with Deal, Kent), stood accused of deep involvement, including efforts to keep activities alive after initial crackdowns.

•  Kieron Ellison, from St. Helens in Merseyside, faced allegations tied to the group’s peak period.

A third individual, Liam White, was mentioned in connection with later revival attempts but did not appear in the main trial alongside the others. Court accounts described participants as often young and isolated, drawn into the scene for the thrill and sense of belonging it provided. warringtonguardian.co.uk 

The syndicate occasionally intersected with wider networks involved in similar disruptions, sometimes promoting paid “services” for swatting requests. vice.com 

Campaigns of Disruption: Targets and Tactics

MonkeyMafia focused on high-visibility targets to maximize impact and attention. They repeatedly went after popular American livestreamers, timing calls during broadcasts to heighten the spectacle. Notable figures included streamer Kai Cenat and Adin Ross, with the apparent aim of having tactical teams burst into their homes on camera. liverpoolecho.co.uk 

Beyond celebrities, the group hit a range of institutions across the US and Canada. False alarms claimed armed threats or explosions at universities, schools, hospitals, and hotels. In the UK, they made local calls, such as one alleging a machete fight outside a McDonald’s. liverpoolecho.co.uk 

Callers used spoofing techniques to mask their locations while providing convincing details to dispatchers. The objective ranged from personal humiliation of targets to broad societal disruption—triggering lockdowns, evacuations, and fear. Group members often celebrated their “wins” publicly, treating the resulting panic as a badge of honor in their circles. sthelensstar.co.uk 

These actions carried real-world peril: SWAT responses involve armed officers operating under high stress, and any miscalculation could lead to tragedy. Even without physical injuries in every case, the emotional toll on victims and the drain on emergency services were substantial.

Law Enforcement Response and Court Battles

Authorities eventually caught up. Arrests in June 2023, including Ellison’s, appeared to fracture the original setup. UK police worked with US counterparts, gathering evidence such as call recordings, chat logs, and digital footprints. liverpoolecho.co.uk 

In 2026, Ash and Ellison, then both 19, went on trial at Liverpool Crown Court. Prosecutors charged them with multiple counts of conspiring to pervert justice and bomb hoaxes. Ash faced an additional allegation of continued involvement into 2024. The case highlighted recordings of the hoax calls and their targeting of specific individuals. bbc.com 

The trial faced a setback when the jury was discharged in June 2026 due to an unforeseen issue, leading to a retrial scheduled for July 2027. Both young men denied the charges. bbc.co.uk 

Attempts at Revival and Rebranding

Like many online groups facing heat, MonkeyMafia members allegedly tried to reinvent themselves. After the initial arrests, efforts surfaced to launch successor operations under fresh banners such as “Kat Squad” and “Syndicate Squad.” These phoenix-like rebrands aimed to sustain the swatting hobby while dodging attention. liverpoolecho.co.uk 

Some channels went dark, with occasional posts from administrators claiming they were moving on with their lives. However, the pattern reflects a persistent challenge: dispersed digital networks can regenerate quickly even after key disruptions.

The Bigger Picture

MonkeyMafia illustrates a modern strain of online mischief that blends trolling culture with genuine criminal risk. Easy access to communication tools allows small groups of determined youths to create outsized international problems. Their story aligns with broader waves of swatting incidents affecting schools, events, and public figures in recent years. justsecurity.org 

Law enforcement agencies continue pushing back through cross-border cooperation and improved tracing of digital calls. For society, it serves as a reminder that “harmless pranks” in the digital age can endanger lives and erode trust in emergency systems.

As legal proceedings continue, the full scope of MonkeyMafia’s reach may become clearer. In the meantime, their case underscores the need for vigilance—both from platforms hosting these communities and from individuals tempted to join them. Swatting isn’t a game; it’s a reckless gamble with someone else’s safety on the line.


2023 Compromise of Flex-N-Gate Internal Systems

In 2023, a member of the pwnp0ny collective known as kahmi reportedly gained unauthorized access to several internal systems belonging to Flex-N-Gate, a global automotive and plastics manufacturing company. The intrusion was not publicly disclosed at the time, but screenshots and data samples later circulated in private security channels.


Scope of Access

The attacker obtained access to multiple internal resources at the company’s Danville, Illinois facility:


1. Employee Production Roles System

A legacy interface titled “Set Employee Production Roles” was accessed, revealing employee records that included:

•  Employee numbers

•  First and last names

•  Internal Emp_Tag# values

•  Assignment details (many listed under DFT class/group)


2. Internal IT Helpdesk Portal

Access was achieved to the FNG IT Help Desk/IS Global Service Desk. A profile for an account named “ILDN Maintenance” was viewed, listing the location as FLEX-N-GATE PLASTICS DANVILLE and timezone as USA – Central Time.


3. Corporate Wireless Network

Network configuration details for the SSID “FNGOffice” were captured, showing WPA2-Enterprise with PEAP authentication running on a Dell laptop (asset tag ILDNENLT07).


4. Network Asset Discovery

Most significantly, the attacker viewed a live inventory of the internal network, which listed 85 connected devices on the FNGOffice segment. Visible assets included:

•  ILDNSVDC2 – Microsoft Virtual Machine (10.137.128.1)

•  ILDNSVHV1 – Dell PowerEdge R540 server

•  Multiple additional Microsoft virtual machines (ILDNSVFS1, ILDNSVME1, ILDNSVUT1, ILDNSVDB1, etc.)

All hostnames followed a consistent “ILDN” naming convention, further confirming the geographic scope of the breach. 


Timeline and Context

This activity took place in 2023. The intrusion demonstrated a methodical approach: starting with operational systems, moving laterally to IT service portals, and eventually achieving visibility into network infrastructure and active assets. There was no evidence of data destruction, ransomware deployment, or public defacement — characteristics often associated with pwnp0ny operations.


Lessons from the 2023 Incident

The compromise highlights several persistent risks in industrial and manufacturing environments:

•  Legacy production systems frequently remain accessible with weak controls.

•  Internal helpdesk and administrative portals can serve as valuable pivot points.

•  Flat network segments combined with enterprise Wi-Fi allow broad visibility once initial access is obtained.

•  Asset naming conventions and exposed hostnames can significantly aid reconnaissance.

Organizations in the manufacturing sector should treat this case as a reminder that even seemingly isolated operational technology (OT) and IT systems can provide pathways to broader network awareness.

While Flex-N-Gate has presumably taken remediation steps since the 2023 incident, the event underscores the importance of network segmentation, regular credential hygiene, timely system modernization, and continuous internal monitoring.


Note:

*This post is for educational and awareness purposes in the cybersecurity community.*


pcpcats: A Cloud-Native Cybercrime Operation

pcpcats is a financially motivated hacking group that emerged in late 2025, known for large-...