In December 2020, there was a distributed denial-of-service attack on the ScrapTF network. The attacker would navigate to specific pages moments before an attack would hit. Cross-referencing these requests with known user IPs allowed us to determine the attacker.

This prompted an investigation, shedding new light on a criminal with a history of online scams.

Alexandre Gagnon is a con artist from Quebec, Canada. Alex is also known as Peanuthero. Alex has a paper trail of scams on the internet due to his activities on HackForums and other websites. If you are familiar with Team Fortress 2 trading, this is the same Alex that runs

Alex’s modus operandi is DDoS attacks and false DMCA takedowns against competing services. Despite efforts to separate his identities, there are many ties between his personas. Alex will deny any claims. This post documents these behaviours and links his different identities together.

Alex’s many, many HackForums scams

NB: The linked threads are local archives because HackForums requires a user login. You can verify the contents yourself by signing in to HackForums, as the threads are likely to stay.

Alex scammed uncountable amounts of money from HackForums users.

In 2016, Alex took to HackForums to sell web hosting services. Posting as Peanuthero, Alex would claim his services were “offshore” and “takedown-free”. In other words, his services would ignore takedown requests for unlawful content.

Users would buy Alex’s services under the impression that his claims were legitimate. Alex was actually reselling hosting from the Netherlands at 200% markup.

Spamhaus, a widely-used anti-spam blacklist, soon blacklisted Alex’s services. Covering this up, Alex scammed a user out of over US$4,000, claiming it was because the user was hosting child pornography. The user in question discovered that Alex was fabricating support tickets from the upstream to prove his claim.

HackForums would ban Peanuthero from the website in July 2016. Alex would return and sign up to HackForums with sock accounts to continue advertising his own services. Seasoned users identified him almost immediately, and HackForums would ban his sock accounts. Alex would then immediately cut access for the users who paid for his service.

Alex would return a second time to advertise yet another offshore service. This turned out to be another snake oil host claiming to operate out of the Seychelles, again traced to the Netherlands.

Evading more bans, an investigation of Alex’s cryptocurrency wallet transfers showed he was still using wallet addresses from previous scams.

After finally leaving the forum, Alex would continue hosting payment portals for through to 2017, although the abandoned client area was no longer usable.

Certain staff have helped Alex with his scams. The footer of references web designer brand wbxdsg, a project of Nicolas Durand. This name appears in the footer of an old page template which is still online today.

Alex’s HackForums scams would link to in the footer. Likewise, would link back to these services. Acuata is “a private contractor that work on multiples (sic) communities & websites”.

Although the site is way older, Acuata has listed “Alexandre Gagnon” as the Director/Founder since at least 2018. This overlaps the time in which Alex changed his identities.

Also on the roster is:

  • Emmanuel Chevreux, a long-time friend of Alex from his Dofus days, who has worked alongside him since at least 2015 on a project known as Sourcerev.
  • Anthony Garcia, a.k.a. “Lagg”, a Team Fortress 2 Wiki sysop. first appeared on January 15, 2014, having a very different set of services on its roster:

  •, a distributed denial-of-service (DDoS) / “booter” service.
  •, a “bullet proof” hosting service. “Bullet proof” is another phrase meaning they will ignore any legal letters.
  •, an offshore hosting service “for your personal botnet”.

These services no longer exist, and the frontpage of no longer reference these. Snapshots are still available on

Despite being on the portfolio in 2020, and are not shown on the frontpage as of writing. Yet, many site-related staff are still listed here. has never changed ownership according to WHOIS records. Thus, Alex has always been in control of this website.

Dofus, and false DMCA takedowns

Dofus is an MMORPG popular among French-speaking communities. Dofus has private servers operated by individuals. Alex, or Peanuthero, operated AsterionServeurs from roughly 2008 to 2012.

Alex was hostile towards other server operators, filing false DMCA notices against at least one. A thread (in French) documents Alex sending fraudulent DMCA takedown notices by impersonating the game’s developer.

As Peanuthero, Alex would send false DMCAs to Cloudflare as Alexandre Gagnon.

Alex identified himself as the owner of AsterionServeurs and on his former personal website.

SteamRep tagging, ban evasion and attacks on the ScrapTF network

Peanuthero’s first appearance in the Steam trading space was with mannco.jackpot. This was a gambling website which would use web APIs to fetch price data. At that time, a policy was in place to disallow use of this data by gambling websites. After revoked API access and repeated attempts to circumvent a block, Alex took to launching DDoS attacks on

Peanuthero would receive a SteamRep tag when it was discovered one of his bots, for some reason, had an unexplained SteamRep Scammer tag. Peanuthero’s appeal against the tag was declined. and launched around this time. This is when Peanuthero stepped down, and “Alex” took his place. Nobody knew who Alex was, and Alex had no history in the trading scene.

The 2020 DDoS attack followed a major feature release on Our investigation resulted in the following:

  • The Alex and Peanuthero identities were linked together.
  • The main staff received bans from the website.
  • Upon request, SteamRep reinstated a tag on Alex’s new Steam account.
  • published an article reinforcing the claim that Alex and Peanuthero are two different people.

Alex has continued to launch DDoS attacks on the ScrapTF network since.