On March 3, 2026, in the quiet of night, YGGTorrent—the largest French-speaking torrent tracker—suddenly went offline. This wasn’t the result of police raids, court orders, or regulatory enforcement. Instead, a single hacker known as Gr0lum orchestrated its collapse.
For nearly a decade, internet service providers, copyright holders, and repeated site blocks had failed to take down YGGTorrent. Ranked among the top 35 most visited sites in France, it generated annual revenues between €5 million and €8.5 million, with €490,000 in January 2026 alone. Yet all it took to bring it down was a handful of basic misconfigurations, none of them exotic.
How It Happened: A Perfect Storm of Negligence
The attack chain was surprisingly straightforward. According to the report, four elements were enough:
- Reconnaissance via the site's favicon: searching its hash on Shodan led to a pre-production server
- SphinxQL (the search engine's MySQL-compatible interface) listening on port 9306 with no authentication
- Directory listing enabled on a web server, exposing files (including .env files and JWT keys) to anyone who browsed to the path
- An administrator password stored in plaintext in a sysprep_unattend.xml left on the machine
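As an added illustration (not code from the YGGLeak report and not YGG's own configuration), the following Python script checks configuration files for the three misconfigurations above. The sphinx.conf, nginx and unattend.xml fragments are constructed for this example; the directive names (Sphinx `listen`, nginx `autoindex`, the Windows unattend `<PlainText>` flag) are real, and the comments show the corrected setting next to the weak one.

```python
"""Added example: offline audit for the three misconfigurations named above.
The config fragments below are constructed for this example; they are not
YGG's files. Directive names are real (Sphinx 'listen', nginx 'autoindex',
Windows unattend.xml '<PlainText>')."""
import re
import xml.etree.ElementTree as ET

# Weak: 'listen = port[:proto]' with no host binds every interface, and the
# mysql41 (SphinxQL) protocol has no authentication at all.
# Fix: 'listen = 127.0.0.1:9306:mysql41' (and keep 9312 internal too).
SPHINX_CONF = """
searchd
{
    listen = 9312
    listen = 9306:mysql41
    log = /var/log/sphinx/searchd.log
}
"""

# Weak: 'autoindex on' turns a directory without an index file into a
# browsable listing (this is how .env files and keys become readable).
# Fix: 'autoindex off;' and keep secrets outside the document root.
NGINX_CONF = """
server {
    listen 80;
    root /var/www/preprod;
    location /backup/ {
        autoindex on;
    }
}
"""

# Weak: sysprep answer file left on disk with <PlainText>true</PlainText>.
# Note that <PlainText>false</PlainText> is only base64 of the password plus
# a fixed suffix, not encryption; delete the file after provisioning.
UNATTEND_XML = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>Hunter2!</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

UNATTEND_NS = {"u": "urn:schemas-microsoft-com:unattend"}


def sphinx_exposed_listeners(conf: str) -> list:
    """Return 'listen' values that bind all interfaces (no host, 0.0.0.0 or ::)."""
    exposed = []
    for match in re.finditer(r"^\s*listen\s*=\s*(\S+)", conf, re.MULTILINE):
        value = match.group(1)
        if value.startswith("/"):          # unix socket, not network-reachable
            continue
        first = value.split(":")[0]
        host = None if first.isdigit() else first
        if host is None or host in ("", "0.0.0.0", "::"):
            exposed.append(value)
    return exposed


def nginx_autoindex_on(conf: str) -> bool:
    """True if any block enables directory listing."""
    return re.search(r"^\s*autoindex\s+on\s*;", conf, re.MULTILINE) is not None


def unattend_plaintext_passwords(xml_text: str) -> list:
    """Return the password elements stored with <PlainText>true</PlainText>."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
        if tag.endswith("Password"):
            plain = elem.find("u:PlainText", UNATTEND_NS)
            if plain is not None and (plain.text or "").strip().lower() == "true":
                hits.append(tag)
    return hits


def audit(sphinx_conf: str, nginx_conf: str, unattend_xml: str) -> dict:
    """One report for the three checks; empty/false values mean 'not found'."""
    return {
        "sphinx_exposed": sphinx_exposed_listeners(sphinx_conf),
        "nginx_autoindex": nginx_autoindex_on(nginx_conf),
        "unattend_plaintext": unattend_plaintext_passwords(unattend_xml),
    }


if __name__ == "__main__":
    for key, value in audit(SPHINX_CONF, NGINX_CONF, UNATTEND_XML).items():
        print(f"{key}: {value}")
```

The script only reads files, so it can run in a CI job against a config repository. A live check for the first item is also trivial: any MySQL client pointed at port 9306 connects to SphinxQL with whatever credentials it is given, which is exactly why the port must never be reachable from outside.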
The results were devastating:
- Four servers destroyed
- Seven databases wiped
- An 11GB archive leaked (around 30GB decompressed)
- 6.6 million user accounts compromised
But the real story lies in what Gr0lum uncovered behind the scenes.
Inside the YGGLeak: Post-Exploitation Revelations
Gr0lum documented the hack in 15 phases in a public technical report, dubbed YGGLeak, which reads like a professional penetration test with explosive implications:
- Credit card interception: a Security.php script intercepted full card details (PAN, CVV, expiration date and cardholder name) on YGG's own server before relaying them to the payment processor, affecting 54,776 cards
- Crypto wallet scanning: a disguised script targeted visitors' Phantom and MetaMask browser wallets
- Money laundering network: 36 fake online stores funneled payments through PayPal, Stripe, Tornado Cash, and eventually Monero.
- Automated DDoS attacks: Competitor trackers were targeted every two minutes via stresscat.ru.
All this ran while the moderators worked as unpaid volunteers, unaware of what was happening behind the scenes.
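The card-interception finding is the one a reviewer would want to reproduce from source. The following Python script is an added example (not the leaked Security.php and not the report's code): it scans PHP source for the indicators the report describes, namely card fields read server-side, re-emitted in a hidden auto-submitting form, with a silent redirect to google.com on a bad token. Both PHP fragments are constructed for the example; the `$this->payments` and `$this->cart` objects in the benign fragment are hypothetical.

```python
"""Added example: static triage for the card-interception pattern described
above. Both PHP fragments are constructed and are NOT the leaked Security.php;
the first mimics the described structure (CodeIgniter controller, card fields
read server-side, hidden auto-submitting relay form, silent redirect)."""
import re

SUSPICIOUS_PHP = r'''<?php
class Security extends CI_Controller {
    public function relay() {
        if ($this->input->post('token') !== $this->session->userdata('token')) {
            redirect('https://google.com');   // quiet bail-out for unexpected callers
        }
        $card = array(
            'pan'    => $this->input->post('card_number'),
            'cvv'    => $this->input->post('cvv'),
            'expiry' => $this->input->post('expiry'),
            'holder' => $this->input->post('holder'),
        );
        $html = '<form id="f" method="post" action="https://processor.example/pay">';
        foreach ($card as $k => $v) {
            $html .= '<input type="hidden" name="' . $k . '" value="' . $v . '">';
        }
        $html .= '</form><script>document.getElementById("f").submit();</script>';
        echo $html;
    }
}
'''

# Hypothetical clean design: the browser posts card data straight to the
# processor's hosted form; the merchant server only ever sees an opaque token.
BENIGN_PHP = r'''<?php
class Checkout extends CI_Controller {
    public function confirm() {
        $token = $this->input->post('payment_token');
        $this->payments->charge($token, $this->cart->total());
    }
}
'''

INDICATORS = {
    # card primitives pulled out of the request on the merchant side
    "reads_card_fields": re.compile(
        r"post\(\s*['\"](?:card_number|pan|cvv|cvc|expiry|exp_date|holder)['\"]\s*\)", re.I),
    # values re-emitted as hidden inputs (relay form)
    "hidden_inputs": re.compile(r"type=['\"]hidden['\"]", re.I),
    # form submitted by script with no user action
    "auto_submit": re.compile(r"\.submit\(\s*\)", re.I),
    # quiet redirect to an innocuous site when the caller is not the expected one
    "silent_redirect": re.compile(r"redirect\(\s*['\"]https?://(?:www\.)?google\.com", re.I),
}


def scan(source: str) -> dict:
    """Count how often each indicator appears in one source file."""
    return {name: len(rx.findall(source)) for name, rx in INDICATORS.items()}


def looks_like_interception(source: str) -> bool:
    """The combination that matters: card fields handled server-side AND pushed
    onward through a self-submitting form. Either alone is not damning; together
    there is no legitimate reason for it (tokenise on the client instead)."""
    hits = scan(source)
    return (hits["reads_card_fields"] > 0
            and hits["hidden_inputs"] > 0
            and hits["auto_submit"] > 0)


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_PHP), ("benign", BENIGN_PHP)):
        print(label, scan(src), "->", looks_like_interception(src))
```

This is a triage heuristic, not proof: a hit means a human should read the file. The opposite caveat also holds, and the report itself makes it: finding no stored card data on disk does not establish that nothing was skimmed, because the problem is the data transiting the merchant's server at all.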
The Hacker Speaks: Motivation and Method
In an interview with planete-warez, Gr0lum explained that the report was deliberately written to be understood by the general public, not only by specialists. Transparency was the second goal: documenting the exploitation chain precisely so that the facts could be verified by anyone and not simply denied.

The entry points were basic but effective: a favicon whose Shodan hash led to the pre-production server, SphinxQL open on port 9306 without authentication, a browsable directory, and an administrator password in plaintext. Gr0lum notes that this level of negligence is not unusual, even in large companies. Once inside the pre-prod machine, the rest of the infrastructure fell quickly, from the tracker to the forum and the e-commerce stores, all of which showed the same neglect.
Gr0lum emphasized:
“The hacking itself was quick. The real work was post-exploitation: collecting, analyzing, and documenting the compromised infrastructure.”
The discovery of the tracker's private keys confirmed that the entire tracker, not just a pre-prod box, was compromised: its integrity could no longer be trusted, a symptom of systemic neglect rather than a single mistake.
The Controversy: Financial Interception and Public Perception
While YGG's admins, led by Destroy/Oracle, denied any illegal activity, the leak raised serious concerns:
- No stored card data was found on the servers and none was exfiltrated by the attacker, but the interception code was there in plain sight for anyone to read.
- Payment logs existed, but nothing proved that cards had been cloned.
- Attempts to shift blame onto the hosting provider failed: the open SphinxQL port, the plaintext password, the disabled Windows firewall and the directory listing were configuration choices by the operators, not the host.
Gr0lum acknowledged some missteps, notably leaving usernames and download histories in the published archive, but stated that the redacted user data (emails, IPs, passwords) has not been published.
Parallel Operations and Community Impact
The leak also uncovered the sheer scale of operations behind YGGTorrent: multiple projects like RageTorrent, TheRock, warezfr.com, CocoTV, and CloudTorrent were being managed simultaneously. It was clear that the admins had no intention of shutting down.
Meanwhile, independent projects like U2P quickly resurrected the torrent index, creating a decentralized and functional tracker within 24 hours. This effort demonstrates the resilience of the French warez community and signals that monopolies in torrenting are increasingly fragile.
Looking Ahead: YGG’s Uncertain Return
Despite signs of revival—including a countdown on ygg.guru, Russian bulletproof hosting, and hints of parallel projects—the trust within the community has eroded. Gr0lum remains vigilant, emphasizing support for accessible, free, and ethical torrenting, while rejecting commercial exploitation reminiscent of YGG’s past practices.
“The warez community has always been about sharing—free and open. When commercial greed tries to dominate, the community must push back.”
The hacker continues to monitor developments, safeguard user privacy, and encourage transparency in emerging platforms.
Here is the full interview with Gr0lum.
Note: This interview is intended purely for information and understanding of the case. It does not represent a position taken by planete-warez. The statements reflect only the interviewee’s views, and readers are encouraged to maintain a critical mindset; everyone is free to form their own opinion.
Q: You wrote the report so that everyone could understand it, not just tech specialists. Was this a conscious editorial decision, or did it come naturally?
A: It was completely deliberate. The intrusion part is only half the work; the other half is producing a document clear enough for anyone to understand each step, even non-specialists. That was the main reason for this editorial choice.
The second reason was transparency. I knew some elements would be contested, so precisely documenting the exploitation chain simply made the facts verifiable by anyone.
Q: The entry point was quite basic: a favicon whose Shodan hash reveals the pre-prod server, a SphinxQL instance on port 9306 with no authentication, an open directory listing. The admin password was stored in plain text in an accessible file. For a site handling half a million euros per month, did you expect that?
A: Yes and no. You see these kinds of oversights even in large companies: a misconfigured server and overly permissive GPOs, and you can compromise the entire infrastructure. These scenarios are common for me, so I wasn’t particularly surprised to find such a vulnerable pre-prod machine.
What did surprise me was that once inside, everything else was just as easy. The tracker, the store, the forum—everything had the same level of neglect. It really felt like security had never been a priority in the infrastructure.
Q: In the report, you write: “The hack part is finished. Everything that follows is post-exploitation.” At what point did you realize you had the keys to the entire operation?
A: The hack itself is short. For me, it boiled down to redirecting a service meant to index data so it would read a password. After that, it’s all collection: FileZilla is very talkative, the browser gives passwords, and pivoting from machine to machine is straightforward.
The store required a bit more work: exploiting a vulnerable CloudPanel and using cross-user FastCGI to access WooCommerce databases. Even then, it was still a fairly direct exploitation chain. The hack itself didn’t take long.
The real work came afterward: collecting, cross-checking, documenting. I realized the entire infrastructure was compromised when the tracker’s private keys appeared. Once discovered, it compromises the integrity of the entire tracker.
Q: Security.php, a 1.6 KB CodeIgniter controller in production, retrieves PAN, CVV, expiration date, and cardholder name, sending them in plaintext via the YGG server before relaying to Singularity through a hidden auto-submitting form, with a silent redirect to google.com if the token is invalid—a classic anti-analysis technique. You can’t confirm for sure it was used for skimming, as you note yourself. But honestly, what do you think?
A: Let me clarify a few things. No credit cards were found stored on any servers, and no banking data was exfiltrated. Destroy kept logs of payments, that’s it. I have no proof that cards were cloned or stored anywhere, which is why I mentioned it clearly in the report.
What I did observe were interception mechanisms. The source code is in the leak, anyone can verify. Bank data passes in plaintext through the YGG server via hidden forms and silent redirects. These are techniques you see in real skimming cases. There’s NO legitimate reason to transmit customer card data in plaintext through your own server before sending it to the payment processor.
To make it simple for non-tech readers: imagine paying at a store like Carrefour. You hand your card to the cashier, but someone else grabs it, checks it, and then gives it back to the cashier. You paid, but someone else had your card in their hands for no reason. That’s exactly what this code does.
Q: Destroy and his team deny everything in their official statement: no banking collection, no MD5, no destroyed databases. But they acknowledge the database leak. How do you read this statement—reputation salvage attempt or legal calculation?
A: Much of his team seems to have distanced themselves. I spoke with several after the leak; few were directly involved in Destroy’s decisions. YGGFlop, his capo, has disappeared since March 3. I know he had serious health issues, and I wish him a full recovery wherever he is. He mainly acted under Destroy’s influence.
Destroy is trying to save his reputation. A legal calculation would have been to remain silent and disappear. He clings because he’s not ready to forfeit YGG’s revenue. He talks about “fabricated elements” and a “disinformation campaign.” The leak is public, the source code is public; anyone can check. Regarding MD5, he claims “it hasn’t been the case for a long time,” yet the source shows two algorithms coexisting during migrations.
He blames the host for a security fault, but the host didn’t leave SphinxQL open on 9306, didn’t leave an admin password in plaintext in sysprep_unattend.xml, didn’t disable the Windows firewall, didn’t leave an open directory listing with .env and JWT keys. These were clearly user actions. On banking collection, I was clear: no stored cards found, but interception mechanisms exist in the code, which he doesn’t address.
Q: You chose to redact personal data, emails, IPs, passwords before publishing the archive. But outlets like Clubic noted some info, like usernames and download histories, remain. Did you debate how far to go in protecting users? Why not anonymize sensitive data completely?
A: Honestly, that was my mistake. During the few days of the operation—maintaining access, exfiltrating data, writing the report—I didn’t think to redact usernames. I didn’t realize that a username linked to a download history could identify a real person. I realized it after the database went public.
Also, I wrote “I keep this safe” regarding user data, which was misinterpreted as implying it could be released later. That’s not what I meant. I meant the data was protected from all third parties except authorities for admin accounts, until I finished research cross-checking admin duplicates and IPs using OSINT.
User data was not made public. I am the only one with a copy, apart from the torrent section, which I will address later. The data will be destroyed after my research ends.
Q: The financial circuit you describe is complex: 36 fake e-commerce stores, payments via PayGate.to, mixing through Tornado Cash, final conversion to Monero. Was this a structured criminal operation, or a dev improvising until it got out of control?
A: Money laundering in this environment is unsurprising. What’s striking is the volume passing through this system. Chrome history shows many forum searches on setups like this: BlackHatWorld, lolz.live. Destroy didn’t improvise; he actively planned it layer by layer, and it worked.
Q: ygg.gratis, the U2P/Utopeer project that recovered the full catalog and recreated a functional tracker—are you behind this, involved, or is it an independent initiative?
A: During the operation, I was assisted by two people to understand the torrent ecosystem. Without them, the torrent rescue attempt wouldn’t have been possible. Together we decided to involve the U2P team for two reasons: their vision, opposite to YGG’s, and their mastery of P2P networks. They set up a functional indexer in 24 hours without sleeping. The catalog exists, though it’s not perfect.
These steps aren't in the YGG leak report but took considerable time and were arguably the most interesting part. I was literally guided to retrieve the necessary info, sometimes sacrificing discretion and risking access loss. For example, enabling debug mode on the XBT tracker and dumping full peer data: IPs, ports, info_hashes, everything needed to reconstruct the swarm. Such queries are hardly discreet on a production database.
Q: YGG doesn’t go down easily. On ygg.guru: a countdown, Russian text “it’s too early to bury us”, then Latin: Non omnis moriar, and at some point a raw IP: 185.178.208.155 – DDoS-Guard, a Russian bulletproof host known for phishing and cybercrime. What does this tell you about the returning project and its operators?
A: DDoS-Guard is just a fallback. YGG was on Cloudflare, but the domain was blocked over malware suspicions.
Other projects like torr9, c411, La Cale are already active. Transition periods will occur, but the stacks will eventually run at full capacity as before.
Q: According to the leak, the admin was running at least five parallel projects: RageTorrent, TheRock, warezfr.com, CocoTV, CloudTorrent. They clearly weren’t planning to leave. Did you plan anything if YGG returns in another form?
A: We’ve been fooled once, not twice. The warez community communicates widely—Reddit, Twitter, Discord, forums. It would be hard for Destroy to launch a new project unnoticed.
Trust is broken. He ran the largest French tracker for years, pushed too hard, and burned out. No comeback or redemption is possible, especially with emerging trackers attracting strong upload teams. Bringing them back to a new YGG seems unrealistic.
Q: YGG is coming back—counter, domain, Russian bulletproof host, parallel projects. You published everything, the community is aware. What’s next for you? Move on, monitor, or still have cards to play?
A: I’m not moving on. I continue research with the leak data and will monitor ygg[.]guru.
I align with many others: defend accessible, free, and open warez. I’m open to transparent and ethical monetization: optional donations, discreet ads. Someone has to pay for servers; Sharewood’s closure proves that. But commercializing torrents through mafia-like methods is a different matter. I’ll remain vigilant for similar projects.
Q: Regarding the gr0leak.fun publication on March 12, do you want to comment or clarify anything?
A: I saw their small leak article. We laughed a lot in our “cybercriminal team.” No one will be fooled by email manipulation. You won’t portray yourself as the victim. My goal has been clear from the start. Trying to paint me as a ransomware crook is a very poor strategy.
The young woman accused of being Gr0lum is pleased with the attention. Yes, it’s a woman. You’ll hear her voice soon and can judge your investigation’s relevance.
Regarding ransomware, takedown, reporting: YGG.guru was definitively suspended by the registrar, not just Cloudflare, so, as readers can judge, I may not be entirely innocent.
Q: Last and most direct question: Who are you? Not your identity, but your legitimacy. Ethical hacker, vigilante, whistleblower, disappointed user, competitor… How do you define yourself, and what do you want to remain of this in six months?
A: I’m not a vigilante, competitor, or traditional whistleblower. Let’s say it’s the result of widespread frustration at that time. Turbo Mode was the last straw. I had the skills to look behind the scenes, I did, and what I found deserved to be public. That’s it.
Q: Any final word for the Planete-Warez community and the broader French warez scene?
A: Warez has always been about sharing: free, open, unconditional. When some try to turn it purely commercial, the community must react. The YGG episode showed this, and we must continue to prevent monopolies from imposing their rules.
Thanks to VIOLENCE for the interview.
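Two details from the interview deserve a worked example: the claim that MD5 and a newer algorithm were coexisting in the source during a migration, and the observation that browsers and FileZilla hand over saved passwords once a machine is owned. The following Python is an added example, not YGG's code, showing how a hash migration is normally done (re-hash on successful login, the only moment the server holds the plaintext) and why it is only finished once no legacy hash remains. PBKDF2-HMAC-SHA256 from the standard library stands in for whatever modern algorithm a real deployment would pick.

```python
"""Added example: transparent migration away from unsalted MD5 password hashes.
Not YGG's code; a minimal model of the 'two algorithms coexisting' situation
the interview mentions and of how to close it out."""
import base64
import hashlib
import hmac
import os

MODERN_PREFIX = "pbkdf2_sha256$"
PBKDF2_ITERATIONS = 600_000   # OWASP guidance for PBKDF2-HMAC-SHA256


def legacy_md5(password: str) -> str:
    """What the old scheme stored: unsalted MD5 hex, crackable at GPU speed."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: bytes = b"") -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 in a self-describing format."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "%s%d$%s$%s" % (MODERN_PREFIX, PBKDF2_ITERATIONS,
                           base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def is_legacy(stored: str) -> bool:
    """Anything without the modern prefix is an old-scheme hash."""
    return not stored.startswith(MODERN_PREFIX)


def verify(stored: str, password: str) -> bool:
    """Accept either format during the migration window; constant-time compare."""
    if is_legacy(stored):
        return hmac.compare_digest(legacy_md5(password), stored)
    _, iterations, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def login(users: dict, name: str, password: str) -> bool:
    """On a successful login against a legacy hash, re-hash in place: this is
    the only moment the server legitimately holds the plaintext."""
    stored = users.get(name)
    if stored is None or not verify(stored, password):
        return False
    if is_legacy(stored):
        users[name] = modern_hash(password)
    return True


def legacy_accounts(users: dict) -> list:
    """Accounts that never logged in since the switch still sit on MD5. The
    migration is not finished until this list is empty (force a reset or
    expire them); otherwise a database dump still yields crackable hashes."""
    return sorted(u for u, h in users.items() if is_legacy(h))


if __name__ == "__main__":
    users = {"alice": legacy_md5("correct horse"), "bob": modern_hash("battery staple")}
    print("legacy before:", legacy_accounts(users))
    print("alice login:", login(users, "alice", "correct horse"))
    print("legacy after:", legacy_accounts(users))
```

The practical lesson from the interview is the second function: a migration that relies only on re-hash-at-login leaves every dormant account on MD5 indefinitely, so "we stopped using MD5 a long time ago" and "MD5 hashes are in the dump" can both be true at once. Dormant accounts have to be dealt with explicitly.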
Conclusion: Lessons from the YGGTorrent Collapse
The YGGTorrent hack is a cautionary tale: even the largest, seemingly untouchable platforms fall to basic hygiene failures (an unauthenticated service on a public port, a browsable directory, a credential left behind in a provisioning file). Beyond the technical revelations, it exposes the tension between profit-driven operations and community trust in the warez scene.
As new trackers emerge and decentralization takes hold, the French torrent community will likely continue to thrive—but with heightened awareness of security and ethics. The YGGLeak will remain a landmark case, reminding both hackers and users that vigilance, transparency, and accountability are critical in digital ecosystems.