nanog: Spamhaus under DDOS from AnonOps (Wikileaks.info)

[Steve Linford <linford () spamhaus org>]

As many of you know, both Trend Micro and Spamhaus have published warnings about a Wikileaks mirror site 
'wikileaks.info' which is run by the person or persons behind 'AnonOps' from an IP address of a Russian dedicated 
cybercrime host (Heihachi) on which there is nothing but malware and other cybercrime. Innocent people seeking to read 
or download Wikileaks documents are being directed to the rogue wikileaks.info server and into the hands of the crime 
gangs located there.

For trying to warn about the crime gangs located at the wikileaks.info mirror IP, Spamhaus is now under ddos by 
AnonOps. The criminals there do not like our free speech at all.

As our site can't be reached now, you can not read our article on this, and we can not continue to warn Wikileaks users 
not to load things from the Heihachi IP. If you know journalists who would get this message out to Wikileaks users, 
please forward this message (entire) to them.

The anonymous folks at AnonOps did not like our article update, here's what we said and what brought the ddos on us:

----

In a statement released today on wikileaks.info entitled "Spamhaus' False Allegations Against wikileaks.info", the 
person running the wikileaks.info site (which is not connected with Julian Assange or the real Wikileaks organization) 
called Spamhaus's information on his infamous cybercrime host "false" and "none of our business" and called on people 
to contact Spamhaus and "voice your opinion". Consequently Spamhaus has now received a number of emails some asking if 
we "want to be next", some telling us to stop blacklisting Wikileaks (obviously they don't understand that we never 
did) and others claiming we are "a pawn of US Government Agencies".

None of the people who contacted us realised that the "Wikileaks press release" published on wikileaks.info was not 
written by Wikileaks and not issued by Wikileaks - but by the person running the wikileaks.info site only - the very 
site we are warning about. The site data, disks, connections and visitor traffic, are all under the control of the 
Heihachi cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, 
including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and 
postbank-kontodirekt.com.

Because they are using a Wikileaks logo, many people thought that the "press release" was issued "by Wikileaks". In 
fact there has been no press release about this by Wikileaks and none of the official Wikileaks mirrors sites even 
recognise the wikileaks.info mirror. We wonder how long it will be before Wikileaks supporters wake up and start to 
question why wikileaks.info is not on the list of real Wikileaks mirrors at <a 
href="http://wikileaks.ch/mirrors.html";>wikileaks.ch</a>.

Currently wikileaks.info is serving highly sensitive leaked documents to the world, from a server fully controlled by 
Russian malware cybercriminals, to an audience that faithfully believes anything with a 'Wikileaks' logo on it.

Spamhaus continues to warn Wikileaks readers to make sure they are viewing and downloading documents only from an 
official Wikileaks mirror site. We're not saying "don't go to Wikileaks" we're saying "Use the wikileaks.ch server 
instead".

----

 Steve Linford
 The Spamhaus Project
 http://www.spamhaus.org