The fanfiction site Archive of Our Own (AO3) suffered a DDoS attack from a hacker group likely affiliated with Russia on Monday, shutting it down for approximately one day.
“A group presenting themselves as a collective of religiously and politically motivated hackers has claimed responsibility for the attack,” tweeted the AO3 status account. “Experts do not believe they are honest about their motivation, so we urge caution in believing any reasoning they provide for targeting AO3.”
Sudan Anonymous, on its Telegram channel, claimed responsibility for the attack, and said that AO3 was “corrupting children” with LGBTQ content.
However, the takedown of a fanfic site may have more to do with Sweden being poised to join NATO than with any concerns over explicit content.
AO3 is a volunteer-run fanfiction repository hosting more than 10 million individual stories from fandoms running the gamut from Harry Potter to One Direction to My Little Pony to Naruto.
Popular serial stories have spanned hundreds of thousands of words over years, and the site received a Hugo Award for its contributions to science fiction and fantasy fiction.
Although many of the stories are tame ways to explore characters and settings that could otherwise violate copyright, the site is well known in online communities for hosting sexual content. AO3 has cultivated a reputation as a place for queer writers to safely explore their identities and sexualities.
AO3 was most recently reported as source material for large language models. Generative AI tools scraped the archive to train their models, and as a result, many chatbots like ChatGPT have detailed knowledge about some of the more esoteric sexual fantasies cooked up by the fanfic communities on AO3, such as “knotting.”
Sudan Anonymous demanded $30,000 in ransom money to end the attack. On a blockchain explorer, a linked bitcoin wallet showed no transactions since the wallet was created in April, indicating that they received no ransom.
Sudan Anonymous claimed responsibility for a number of attacks since January this year against U.S. and EU banking infrastructure, as well as against companies like Microsoft, Reddit, Flickr, and Tumblr over the past few weeks. The motives for those attacks were not stated on their channel, save for another ransom demand for Microsoft account details.
Australian cybersecurity experts CyberCX assessed the hacker group as “likely to be an individual or a small, coordinated group rather than a grassroots hacktivist organization.”
But Sudan Anonymous was created only days before a far-right Danish politician burned a Quran in front of the Turkish embassy in Sweden.
This political stunt was organized by a journalist with ties to Russian media, and Russian intelligence operatives staged fake anti-Turkish protests in Western countries following the incident to prolong diplomatic conflict between Sweden and Turkey, prior to escalating talks about Sweden joining NATO.
Turkey has opposed Sweden’s admission to NATO for years, but recently relented.
Sudan Anonymous made some of its first posts about the incident and launched DDoS attacks on Swedish cyber infrastructure.
CyberCX estimated that the group was spending thousands of dollars per month on proxy servers to launch DDoS attacks, making it unlikely that they were unaffiliated hackers based in Sudan, where the median income is substantially lower than that.
Sudan Anonymous has also openly posted about their affiliation with the Russian hacker collective Killnet, which has targeted Western cyber infrastructure such as the White House’s website and Elon Musk’s Starlink network.
It is unclear how successful or effective these attacks have been, beyond disrupting website traffic for a few hours. Cybersecurity firm DarkOwl reported that although Killnet and Sudan Anonymous claimed to take down the European financial infrastructure earlier this spring, there was “little evidence” they had been able to follow through with this threat.
Ironically, AO3’s existence is linked to an anti-LGBTQ and anti-porn content purge on LiveJournal when LiveJournal was sold to a Russian startup in 2007.
The blogging platform, besides hosting independent critical journalism about the Russian state, was also one of the largest archives of fanfiction online. After the sale, LiveJournal began taking down and banning fan blogs, often without explanation beyond “impermissible content.”
Users then migrated to the newly-created AO3.
Analysts at CyberCX assess that Russia, if it is indeed involved, would be using these low-level attacks to sow division between various minority groups in the West and further amplify disinformation.
In a video with over a million views, TikTok user Pearlmania500 noted the overall weirdness of it.
“If this is the future of psyops, World War III is going to be the silliest goose.”