Who is Alexandre Gagnon?
Dec 11, 2022In December 2020, there was a distributed denial-of-service attack on the ScrapTF network; the collective of Team Fortress 2 trading websites better known as backpack.tf, Scrap.TF, and Marketplace.TF. The attacker would navigate to specific pages moments before an attack would hit. Cross-referencing these requests with known user IPs allowed us to determine who was doing it.
This prompted further investigation, shedding new light on a criminal with a history of online scams.
Alexandre Gagnon, or Peanuthero, is an individual from Quebec, Canada. Alex has a paper trail of scams on the internet due to his activities on HackForums and other websites. If you are familiar with Team Fortress 2 trading, this is the same Alex that runs Mannco.store.
Alex’s modus operandi is DDoS attacks and false DMCA takedowns against competing services. Despite efforts to separate his identities, there are many ties between his personas. Alex will deny any claims and has gone out of his way to remove references to his past life. This post documents these behaviours and links his different identities together.
False DMCA takedowns
Alex operated AsterionServeurs from roughly 2008 to 2013. This was a private server platform for Dofus, a popular French MMORPG. Alex was hostile towards other server operators, filing false DMCA notices against at least one.
November 2013: Alex impersonates French video game developer Ankama to send fraudulent DMCA notices to competing private servers. Alex upsets the private server community and argues with them on a public forum.
Alex would send false DMCAs to CloudFlare under his real name, perhaps not realising that DMCA notices are always forwarded to the subject of the complainant.
Alex identified himself as the owner of AsterionServeurs on his former personal website.
A series of web hosting scams
NB: Because HackForums requires a user login, the linked threads are local copies. You can verify the contents yourself by signing in to HackForums, as the threads are likely to stay.
In 2016, Alex scammed uncountable amounts of money from HackForums users. Alex would claim his services were “offshore” and “takedown-free”. In other words, his services would ignore takedown requests for unlawful content.
July 2016: As “Peanuthero”, Alex advertises OutlawServers.ca, a “black hat” web hosting service. Spamhaus, a widely-used anti-spam blacklist, soon blacklists Alex’s service. Covering this up, Alex scams a user out of over US$4,000, claiming it was because the user was hosting child pornography. The user in question discovers that Alex was fabricating support tickets from the upstream to back up his lie. An investigation of Alex’s cryptocurrency wallet transfers showed he was still using wallet addresses from previous scams.
August 2016: As “SkylerRaine”, Alex is caught reselling hosting from the Netherlands at 200% markup at BPServers, his new bullet-proof service. Alex would assert his claims in private messages, to customers who knew how routing on the internet worked. Seasoned users identify that this might be Alex from his writing style, and further sleuthing leads to his next ban.
September 2016: As “manandco” (mannco?), Alex returns yet again to advertise ShadowHosting – yet another offshore service. Again, another host claiming to operate out of the Seychelles, traced to the Netherlands.
After finally leaving the forum, Alex would continue hosting payment portals for BPServers.ru through to 2017, although the abandoned client area was no longer usable.
Acuata.com
Alex’s HackForums scams would link to Acuata.com in the footer. Likewise, Acuata.com would link back to these services. Acuata is “a private contractor that work on multiples (sic) communities & websites”.
Although the site is way older, Acuata has listed “Alexandre Gagnon” as the Director/Founder since at least 2018.
Also on the roster is:
- Emmanuel Chevreux, a long-time friend of Alex from his Dofus days, who has worked alongside him since at least 2015 on a project known as Sourcerev.
- Anthony Garcia, a.k.a. “Lagg”, a Team Fortress 2 Wiki sysop.
- Hadrien Jared, of Hadrien Design. Hadrien has designed the web frontend on a lot of Alex’s projects, from Acuata.com, to SourceRev, to Mannco.store.
Acuata.com first appeared on January 15, 2014, having a very different set of services on its roster:
- layer7.pw, a distributed denial-of-service (DDoS) / “booter” service.
- OutlawServers.ca, a “bullet proof” hosting service. “Bullet proof” is another phrase meaning they will ignore any legal letters.
- BPServers.ru, an offshore hosting service “for your personal botnet”.
These services no longer exist, and the frontpage of Acuata.com no longer reference these. Snapshots are still available on web.archive.org.
Acuata.com has never changed ownership according to WHOIS records; this indicates that Alex has always been in control of this website.
Mannco.store, and an identity crisis
Peanuthero’s first appearance in the Steam trading space was with mannco.jackpot. This was a gambling website which would use backpack.tf web APIs to fetch price data. At that time, a policy was in place to disallow use of this data by gambling websites. After revoked API access and repeated attempts to circumvent a block, Alex took to launching DDoS attacks on backpack.tf.
Peanuthero would receive a SteamRep tag when it was discovered one of his bots, for some reason, had an unexplained SteamRep Scammer tag. Peanuthero’s appeal against the tag was declined.
Mannco.trade and Mannco.store launched around this time. This is when Peanuthero stepped down, and “Alex” took his place. Nobody knew who Alex was, and Alex had no history in the trading scene. While it was suspect that they were the same person, no concrete proof was ever surfaced, allowing him to operate this way for roughly a year.
Certain Mannco.store staff have helped Alex with his scams. The footer of HackForums-era BPServers.ru references web designer brand wbxdsg, a project of Nicolas Durand. This name appears in the footer of an old Mannco.trade page template which is still online today.
In 2020, Alex registered MANNCO ONLINE LIMITED in the United Kingdom’s Companies register. This was dissolved after a year. For some reason, Alex put his nationality as ‘British’ in the original filing before changing it to Canadian.
Despite being listed in 2020, Mannco.store and Mannco.trade are not shown on the Acuata.com portfolio. Mannco.store has this in the footer:
Mannco.store is operated by Minelauva Holdings Limited, Kypranoros, 13, EVI BUILDING, Floor 2, Flat/Office 201, 1061, Nicosia, Cyprus. (Company Registration No. HE429892)
Again, after looking this up on the Cyprus companies register… this is a company registered to Alexandre Gagnon. Why set up a new company alias as a parent, I do not know. Almost every address I have found registered to one of Alex’s products has been a business address designed for overseas clients shared by many other companies.
Before being updated at some point in 2022, the Mannco.store Terms of Service referenced the same address to the registered Entreprise Acuata inc. in Canada, which is, again, registered to Alexandre Gagnon. Registered as recently as February 2021, it appears to be a home address.
Attacks on the ScrapTF network
Following a major feature release on Mannco.store in December of 2020, all three sites in the ScrapTF network were being hit with DDoS attacks. Whenever an attack would happen, Alex would not-so-subtly make comments about downtime over Discord.
A certain IP address would browse to specific pages right before an application-level attack would hit that page – a technique to work out which pages would load the slowest, thus more vulnerable to an attack. Cross-referencing IPs with our database led us to Alex. This led to the discovery of the information posted in the previous sections.
With the identities linked, the main Mannco.store staff received bans from the website, and SteamRep reinstated a tag on Alex’s new Steam account upon our request. Following this incident, Mannco.store published an article still trying to claim that Alex and Peanuthero are two different people.
Alex has continued to launch DDoS attacks on the ScrapTF network since. Alex has occasionally reached out to me to claim he is still not Alex and threaten litigation in broken English.
It is not impossible, but highly improbable, that there are two Alexandre Gagnons from Quebec with similar backgrounds. But if that were true, the Alex of 2016 has all but disappeared, and the other Alex has come out of virtually nowhere, coincidentally with the same work colleagues.
This is pretty much where this story ends – I find his personality fascinating, but more importantly, his identity and behaviour should remain permanently on record.
I am always interested any extra information to further complete Alex’s biography – please send any tips to [email protected].