In December 2020, there was a distributed denial-of-service attack on the ScrapTF network. The attacker would navigate to specific pages moments before an attack would hit. Cross-referencing these requests with known user IPs allowed us to determine the attacker.
This prompted an investigation, shedding new light on a criminal with a history of online scams.
Alexandre Gagnon is a con artist from Quebec, Canada. Alex is also known as Peanuthero. Alex has a paper trail of scams on the internet due to his activities on HackForums and other websites. If you are familiar with Team Fortress 2 trading, this is the same Alex that runs Mannco.store.
Alex’s modus operandi is DDoS attacks and false DMCA takedowns against competing services. Despite efforts to separate his identities, there are many ties between his personas. Alex will deny any claims. This post documents these behaviours and links his different identities together.
Alex’s many, many HackForums scams
NB: The linked threads are local archives because HackForums requires a user login. You can verify the contents yourself by signing in to HackForums, as the threads are likely to stay.
Alex scammed uncountable amounts of money from HackForums users.
In 2016, Alex took to HackForums to sell web hosting services. Posting as Peanuthero, Alex would claim his services were “offshore” and “takedown-free”. In other words, his services would ignore takedown requests for unlawful content.
Users would buy Alex’s services under the impression that his claims were legitimate. Alex was actually reselling hosting from the Netherlands at 200% markup.
Spamhaus, a widely-used anti-spam blacklist, soon blacklisted Alex’s services. Covering this up, Alex scammed a user out of over US$4,000, claiming it was because the user was hosting child pornography. The user in question discovered that Alex was fabricating support tickets from the upstream to prove his claim.
HackForums would ban Peanuthero from the website in July 2016. Alex would return and sign up to HackForums with sock accounts to continue advertising his own services. Seasoned users identified him almost immediately, and HackForums would ban his sock accounts. Alex would then immediately cut access for the users who paid for his service.
Alex would return a second time to advertise yet another offshore service. This turned out to be another snake oil host claiming to operate out of the Seychelles, again traced to the Netherlands.
Evading more bans, an investigation of Alex’s cryptocurrency wallet transfers showed he was still using wallet addresses from previous scams.
After finally leaving the forum, Alex would continue hosting payment portals for BPServers.ru through to 2017, although the abandoned client area was no longer usable.
Certain Mannco.store staff have helped Alex with his scams. The footer of BPServers.ru references web designer brand wbxdsg, a project of Nicolas Durand. This name appears in the footer of an old Mannco.trade page template which is still online today.
Alex’s HackForums scams would link to Acuata.com in the footer. Likewise, Acuata.com would link back to these services. Acuata is “a private contractor that work on multiples (sic) communities & websites”.
Although the site is way older, Acuata has listed “Alexandre Gagnon” as the Director/Founder since at least 2018. This overlaps the time in which Alex changed his identities.
Also on the roster is:
- Emmanuel Chevreux, a long-time friend of Alex from his Dofus days, who has worked alongside him since at least 2015 on a project known as Sourcerev.
- Anthony Garcia, a.k.a. “Lagg”, a Team Fortress 2 Wiki sysop.
Acuata.com first appeared on January 15, 2014, having a very different set of services on its roster:
- layer7.pw, a distributed denial-of-service (DDoS) / “booter” service.
- OutlawServers.ca, a “bullet proof” hosting service. “Bullet proof” is another phrase meaning they will ignore any legal letters.
- BPServers.ru, an offshore hosting service “for your personal botnet”.
These services no longer exist, and the frontpage of Acuata.com no longer reference these. Snapshots are still available on web.archive.org.
Despite being on the portfolio in 2020, Mannco.store and Mannco.trade are not shown on the Acuata.com frontpage as of writing. Yet, many site-related staff are still listed here.
Acuata.com has never changed ownership according to WHOIS records. Thus, Alex has always been in control of this website.
Dofus, and false DMCA takedowns
Dofus is an MMORPG popular among French-speaking communities. Dofus has private servers operated by individuals. Alex, or Peanuthero, operated AsterionServeurs from roughly 2008 to 2012.
Alex was hostile towards other server operators, filing false DMCA notices against at least one. A thread (in French) documents Alex sending fraudulent DMCA takedown notices by impersonating the game’s developer.
As Peanuthero, Alex would send false DMCAs to Cloudflare as Alexandre Gagnon.
Alex identified himself as the owner of AsterionServeurs and Acuata.com on his former personal website.
SteamRep tagging, ban evasion and attacks on the ScrapTF network
Peanuthero’s first appearance in the Steam trading space was with mannco.jackpot. This was a gambling website which would use backpack.tf web APIs to fetch price data. At that time, a policy was in place to disallow use of this data by gambling websites. After revoked API access and repeated attempts to circumvent a block, Alex took to launching DDoS attacks on backpack.tf.
Peanuthero would receive a SteamRep tag when it was discovered one of his bots, for some reason, had an unexplained SteamRep Scammer tag. Peanuthero’s appeal against the tag was declined.
Mannco.trade and Mannco.store launched around this time. This is when Peanuthero stepped down, and “Alex” took his place. Nobody knew who Alex was, and Alex had no history in the trading scene.
The 2020 DDoS attack followed a major feature release on Mannco.store. Our investigation resulted in the following:
- The Alex and Peanuthero identities were linked together.
- The main Mannco.store staff received bans from the website.
- Upon request, SteamRep reinstated a tag on Alex’s new Steam account.
- Mannco.store published an article reinforcing the claim that Alex and Peanuthero are two different people.
Alex has continued to launch DDoS attacks on the ScrapTF network since.