september 2023

AnonFiles shutdown sends shockwaves through cybercrime community

The operators of the well-known anonymous file-sharing service AnonFiles announced that they shut down the platform due to extensive misuse, seeking a buyer for the domain. This event has been a significant blow for cybercriminals, who relied on the platform to distribute and download compromised data, stolen credentials, and copyrighted material. Cybersixgill collected several underground posts on which threat actors lamented the news and sought alternative platforms.


Due to relentless abuse by its users, AnonFiles, a well-known platform for anonymous file

sharing, recently announced its shutdown. For several years, AnonFiles has enabled users and cybercriminals to share files without logging their activity, eventually gaining notoriety among threat actors for disseminating compromised data, stolen credentials, and copyrighted content.

On August 11, 2023, a group of AnonFiles users noticed timeouts while trying to upload files on the platform. In reality, the operators of AnonFiles had officially ceased the service, attributing the shutdown to their proxy[1] provider discontinuing services and their 1 inability to manage the substantial influx of malicious content uploaded on the site.

Although AnonFiles served as a valuable file-sharing platform, users raised concerns about the site's questionable advertisers, which frequently led to malware redirects, tech support scams, and suspicious Chrome and Firefox browser extensions. For instance, users trying to download a file via the platform found themselves redirected to sites that seemingly downloaded an ISO[2] file with an identical name to the intended download file. These ISO files harbored diverse forms of malware, including data-stealers, remote access trojans, and ad clickers.

Trouble regarding AnonFiles' malvertising[3] surfaced in 2021 when a security researcher detected the platform distributing a well-known stealer malware[4]. Researchers identified additional malvertising on AnonFiles, promoting threats such as search hijacking extensions[5], botnets[6], and even ransomware. AnonFiles’ operators are currently seeking a buyer for the domain, and potentially intend to create their own new file-sharing platform. During this transition period, the platform’s shutdown will affect the availability of files previously accessed on AnonFiles by both cybersecurity researchers and threat actors.


AnonFiles’ shutdown made waves on the underground and Cybersixgill collected the following post on a popular cybercrime forum, where a threat actor posted about the current status of AnonFiles. Specifically, the poster asked if they were the only one facing issues with the platform, or if the latter was officially offline. Multiple threat actors replied that AnonFiles was down, lamenting on the “sad” news.

Some forum members also wondered if the platform would ever reopen, while others proposed updating AnonFiles links on the forum to ensure that all content remains accessible. Following the replies, the author of the post expressed regret over losing their files. This chatter underscores the popularity of AnonFiles within the cybercriminal community, and the extent to which threat actors seek alternative platforms to continue sharing files.

Annon-fig1Figure 1: Threat actors discuss AnonFiles’ shutdown on a cybercrime forum

Annon-Fig2Figure 2: AnonFiles’ operators’ official message announcing the platform’s shutdown due to overwhelming abuse


Similar chatter has been observed on another leading cybercriminal forum, as Cybersixgill

collected the following post about AnonFiles’ fate. Forum members expressed their frustration and urgent need to upload/download files to/from AnonFiles, actively seeking alternative sites for file sharing and wondering if the platform’s operators will “fix the issue.

One forum member affirmed that AnonFiles was “down for 5 days,” adding that it was allegedly used by “half” of the members of this particular cybercrime forum. Another member questioned AnonFiles’ value and argued that alternative sites provide higher quality service. This post reflects widespread apprehension among cybercriminals who depended on AnonFiles for malicious activities.

Anonn-Fig3Figure 3: Threat actors react to AnonFiles shutdown on a cybercrime forum


AnonFiles' sudden shutdown has raised concerns among the cybercriminal underground, with threat actors expressing frustration over the loss of a popular file-sharing platform that played a significant role in their operations. These reactions not only underscore the prevalence of AnonFiles within the cybercriminal community but also reflect the essential role it played in facilitating their activities.

As they scramble to find alternative platforms, cybercriminals will likely adapt and eventually identify new avenues for their malicious endeavors, just like they did in the past, specifically after the shutdown of a notorious English-language cybercrime forum in 2022. This event serves as a reminder of the dynamic and ever-evolving landscape of cybercrime, where tools and platforms rise and fall, but the pursuit of malicious goals persists.

[1] A proxy is an intermediary server that stands between a user's device and the internet, forwarding requests and receiving responses on their behalf. It serves multiple purposes, including improving security, privacy, and performance, and can bypass content restrictions.

[2] An ISO file is a digital replica of an optical disk like a CD, DVD, or Blu-ray, compressed into a single file. Also known as an ISO image, it's a compact copy of extensive data collections.

[3] Malvertising refers to malicious advertising, where cybercriminals inject harmful code or content into online ads that are then displayed on legitimate websites. When users interact with these ads, they might unknowingly download malware, get redirected to malicious websites, or become victims of phishing attacks.

[4] As its name implies, stealer malware steals sensitive information from infected computers, including login credentials, financial information, session cookies, and information from other programs and websites used by victims. Stealers can be dropped either via phishing emails, malicious and or/compromised websites, cracked software, or as part of supply chain attacks.

[5] Search hijacking extensions are browser extensions or add-ons that modify a user's web browser settings, particularly the default search engine and homepage, without the user's consent. These extensions can redirect users' searches to alternative search engines or display ads and sponsored content. In some cases, search hijacking extensions may also collect users' browsing data for unauthorized purposes.

[6] A botnet is a network of compromised computers controlled by a malicious actor. It's used to carry out cybercriminal activities, such as distributing malware, harvesting sensitive data, sending spam emails, or launching distributed-denial-of-service (DDoS) attacks.

You may also like

Ivanti hero

April 01, 2024

Chinese APTs Exploit Ivanti Zero-Day Vulnerabilities in New Surge of Activity

Read more
ATT Hero image

April 01, 2024

AT&T Confirm Major Data Breach Affecting Over 70million Customers

Read more
XZ Utils image

April 01, 2024

Highly Technical Supply Chain Attack Impacts XZ Utils Operations

Read more