
Pwnp0ny

From EverybodyWiki Bios & Wiki



pwnp0ny (often stylized as pwnp0ny or PWNP0NY) is a cybercrime collective associated with distributed denial-of-service (DDoS) attacks, booter and stresser services, account compromises, swatting, and alleged intrusions into high-profile targets. The group first gained public attention in the mid-2020s and has maintained a presence in underground hacking communities into 2026. It attracted significant law enforcement interest in 2023 when the U.S. National Security Agency (NSA) publicly identified several associated aliases in connection with cyber threats.

The group is known for fluid membership, extensive use of aliases and rebranded accounts, and a highly public presence on X (formerly Twitter), where it frequently engages in claims of responsibility, online drama, and rival feuds.

History

The @pwnp0ny X account was created in March 2020. Collaborating with members from the original Lizard Squad era and sharing cultural and personnel overlaps with post-Lizard Squad splinter groups and crews such as GoonSquad, pwnp0ny developed its own identity focused on booter/stresser operations and provocative public activity.[1]

The group became active in the late 2020s and experienced heightened visibility between 2023 and 2025 through public claims and law enforcement scrutiny. Activity continued into 2026 amid ongoing drama and disassociations.

Key members

Core / Leadership Figures

  • xai — Identified as the original founder.
  • jasperpwnz (also known as NaziSecurity or cosmo.mp3) — Prominent active member.
  • ryan — Long-standing veteran member with connections to earlier scenes (including Lizard Squad, Rustle League, GNAA).
  • taker (also known as TakerTheGoon, 74K3R, takerthegoon, SecurityAnaIyst) — Returned to activity in late 2023. Previously active in 2016–2017 and subject to a 2016 law enforcement subpoena.

Other Associated Individuals

  • shr00ms
  • kitten
  • nearly
  • peIicans
  • mango
  • $urge
  • kahmi
  • antichrist (Floyd Fictoor)
  • zeskoxi (publicly disassociated in 2026)
  • talktothepaw_

Note: Due to the heavy use of pseudonyms and fluid affiliations common in this ecosystem, exact membership is often difficult to verify.

Notable Incidents

  • Nintendo Switch Private Key Dump Claim (August 17, 2023): The account @cvvmen (antichrist) posted “Sigh... @Nintendo bad security.” and attached a Pastebin link titled “[NINTENDO] Switch Private Key Dump! (PRODINFO) (CONSOLE RELATED)”. The post mocked Nintendo’s security and claimed access to sensitive console-related private keys.
  • EA Games Outage Claim (September 18, 2023): The account @cvvmen (antichrist) posted “Bye #EAGames! @pwnp0ny” alongside a DownDetector chart showing a sharp spike in Electronic Arts service outage reports.
  • Government Email Operation (Late 2025 – Early 2026): Members allegedly operated an illegal government mail service, creating and distributing credentials for official-looking government domains (e.g., `mail.gov.xx`, with usernames such as `@zaire.gov.xx`). These operations involved the creation and maintenance of fraudulent government identities, which were sold to third parties. Such activities enable identity fraud, phishing campaigns, business email compromise (BEC), and other cyber-enabled crimes by leveraging the perceived legitimacy and trust associated with government email addresses.
  • PWNPONY Ransomware (2025): According to cybersecurity research by CipherTech Solutions[2], pwnp0ny developed and deployed PWNPONY ransomware, a simple Python-based ransomware that encrypts files using basic XOR encoding. It was observed being delivered via a custom loader named NodeDecryptor, alongside other stealers such as ZeroTrace Stealer and a Prysmax Stealer variant. Approximately 50 samples of this loader were identified, indicating active malware distribution operations.
  • Botnet Operations and F5 Exploits: Public discussion within underground communities has referenced pwnp0ny's botnet capabilities, specifically its integration with F5 exploits. In one notable post, a user (@OperatorBlood) alluded to the technical sophistication required for the group's botnet to function with F5 vulnerabilities.
  • NSA Most Wanted Listing (2023): The NSA publicly listed pwnp0ny and several associated aliases (including taker, antichrist, gdkmango, shr00ms, $urge, and ryan) in relation to cyber threats. The official pwnp0ny account shared media coverage of the listing on November 16, 2023.
  • Snapchat-Related Claim (December 24, 2023): The group posted a claim that jasperpwnz was contacting Snapchat headquarters regarding accounts, leading many people to believe a potential breach had happened. No further information has been posted or confirmed, other than multiple OG users on Snapchat reportedly being swapped and sold at the time of the tweet.
  • Swatting Incident (January 10, 2024): Following a post by @zRobinator about police presence near his residence, pwnp0ny claimed responsibility and shared supporting links.
  • Account Compromise and Swatting Claims (August 2025):
      • August 11, 2025: Content associated with pwnp0ny referenced swatting and hacking activities against Call of Duty gamers.
      • August 12, 2025: A post claimed an account recovery involving @talktothepaw_ (“big hacker kitty”) and @notmango69 (“unarrestable mango”).
  • Flex-N-Gate Internal Systems Breach (2023): The Flex-N-Gate Internal Systems Breach[3] was a 2023 cybersecurity incident in which a hacker known as kahmi, associated with the pwnp0ny collective, gained unauthorized access to multiple internal networks and systems of Flex-N-Gate, a major international automotive and plastics manufacturing company. The breach primarily affected the company’s Plastics Danville facility in Illinois, United States. The intrusion was characterized by low-profile, reconnaissance-focused access rather than destructive or ransomware activity. Details of the breach later circulated via screenshots in private security communities.
    Compromised Systems: The attacker accessed the following internal resources:
      • Employee Production Roles System — A legacy interface that exposed employee records, including employee IDs, names, and internal tag numbers.
      • FNG IT Help Desk / Global Service Desk — The company’s internal IT support portal. A service account named “ILDN Maintenance” was viewed, showing location details for the Danville facility.
      • Corporate Wireless Network (“FNGOffice”) — Configuration details of the internal Wi-Fi network, including WPA2-Enterprise with PEAP authentication.
      • Network Asset Inventory — A live view of the internal network showing approximately 85 connected devices, including:
          • Microsoft virtual machines (e.g., ILDNSVDC2, ILDNSVFS1, ILDNSVME1)
          • Physical servers (e.g., ILDNSVHV1 – Dell PowerEdge R540)
          • Other assets on the 10.137.128.0/24 subnet
    Discovery and Attribution: The incident was not publicly announced by Flex-N-Gate. Information about the breach became known through screenshots and data samples shared in underground and security researcher circles. The consistent “ILDN” hostname prefix across compromised systems pointed to the Danville, Illinois location.
    Significance: The 2023 Flex-N-Gate breach is often cited as an example of how legacy operational systems, internal helpdesks, and poorly segmented networks can enable significant internal visibility once initial access is achieved. It highlighted ongoing risks in the manufacturing sector, particularly around OT/IT convergence and exposure of internal administrative tools.
    Type: Unauthorized access and reconnaissance
    Impact: Exposure of employee data, network architecture, and asset inventory
  • Alleged Government Network Access: Leaked images circulating from individuals close to the group show certificate management interfaces containing multiple Department of Defense (DoD) root certificates (including DOD SW CA-75, DOD EMAIL CA-70, DOD ID CA-64, and others) installed on Microsoft Local Computer stores. These screenshots have been presented as evidence of sustained backdoor or privileged access to U.S. government systems, including DoD logins, NSA-related portals, Marine Corps networks, Intelink, and RISS systems. The authenticity and extent of any such access remain unconfirmed by public sources.

The group has also been involved in long-running public disputes with individuals and groups linked to HasanBF (BreachForums admin) and Scattered Spider. In October 2016, @TakerTheGoon (Taker) and GDKMango were named in a subpoena from the Polk County, Florida State Attorney's Office related to a false bomb threat investigation (Case PCSO 16-45571).[4]

Operational Characteristics

  • Heavy reliance on public X posts for claiming responsibility.
  • Frequent targeting of gaming companies and consumer platforms.
  • Combination of technical exploits, social engineering, and swatting.
  • Fluid structure makes attribution challenging.

Disclaimer

This is based on open-source intelligence (news, threat reports, and public X activity). Many claims made by the group may be exaggerated for clout or unverified. I do not endorse, assist with, or provide guidance on any illegal activities. Law enforcement agencies (FBI, NSA, etc.) actively investigate these matters. (Note: this group is no longer active and all information is publicly available.)

References

  1. "NSA Most Wanted: Hunt For Pwnp0ny Hackers - Reward Offered". 2023-11-16. Retrieved 2026-06-29.
  2. "ACCE Release Notes v2.9.20250602 – Cipher Tech Solutions, Inc". Retrieved 2026-06-23.
  3. "Underground Hacking Exposed | Ctrl-Alt-Del". Underground Hacking Exposed | Ctrl-Alt-Del. Retrieved 2026-06-29.
  4. ATCP (2026-06-08). "May 2026 Dark Web Issue Trend Report". ASEC. Retrieved 2026-06-29.



This article "Pwnp0ny" is from Wikipedia. The list of its authors can be seen in its historical and/or the page Edithistory:Pwnp0ny. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.