YggTorrent, one of the biggest French-language media piracy sites, had its servers emptied and destroyed overnight Tuesday to Wednesday in early March, putting an end to what had grown into a major operation serving millions of users. The attacker, calling themselves Gr0lum, claimed the site had tallied 6.6 million users, making it a significant hub for illegal file-sharing across the French-speaking internet.
Launched in 2017, the site grew into a major presence in French-language piracy and a reliable source for users searching for timely releases of French-language films, magazines, books and games. YggTorrent offered a directory of torrent files that allow users to download data over a peer-to-peer network, frequently used to share illicit copies of films, TV series and music. The site began offering a 14.99-euro monthly subscription in December for a turbo mode while adding hurdles to downloads for free users.
The hacker's claimed motivation centred on this shift towards monetisation. In a manifesto posted online, Gr0lum accused the site's owners of DDoS attacks against competing trackers, purging uploaders the moment they opened their mouths, and sabotaging their own API to prevent anyone from using third-party tools. More seriously, Gr0lum claimed the platform was storing all 54,776 of its members' credit cards, questioned what the operators did with that information, what the purpose of tracking each visitor's behaviour was, and whether users were aware of fingerprinting of crypto wallets.
The hacker's statement concluded with the words: "6.6 million users. Years of lies. An empire built on extortion". The scale of the breach was substantial. According to the site's operators, a secondary pre-production staging server was the entry point, from where attackers used a privilege escalation exploit to delete and then exfiltrate the site's database. The hacker also drained the cryptocurrency wallets used to fund the servers, representing tens of thousands of euros.
YggTorrent's operators initially responded with a brief statement, appearing to consider returning to operation. The site displayed a countdown clock, suggesting it planned to debut a new offering 11 days later. However, they ultimately reversed course. In their closure announcement, the operators stated: "Continuing in this climate of constant hostility no longer reflects the spirit that motivated us. We refuse to drag you into a series of attacks, tensions, and uncertainties. Returning only to leave again under constant threat would no longer make sense".
Yet the operators also pushed back against Gr0lum's allegations. In a statement on a countdown website, YggTorrent said: "individuals have been spreading numerous accusations accompanied by fabricated, manipulated, or out-of-context elements, as part of a disinformation campaign aimed at discrediting YGGtorrent". They acknowledged the breach had occurred but disputed the characterisation of their business practices.
The incident exposes a vulnerability within piracy communities. Unlike legitimate platforms subject to regulatory oversight and security standards, underground file-sharing sites often operate with minimal transparency about how they handle user data or financial information. According to YggTorrent, all stored user passwords were hashed and salted, but the leak suggested millions of legacy accounts were still stored in MD5 without salts, offering significantly weaker protection.
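The gap described above, between salted hashes and legacy unsalted MD5 rows, is commonly closed by wrapping the old digests in a salted, memory-hard KDF and re-hashing with the real password at the next successful login. The sketch below is an added example, not YggTorrent's code; the record format, function names, scrypt parameters and sample accounts are assumptions.

```python
import hashlib, hmac, os

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # assumed cost parameters

def classify(stored):
    """Label a stored credential by scheme so legacy rows can be found."""
    if stored.startswith("scrypt$"):
        return "scrypt"
    if stored.startswith("md5-scrypt$"):
        return "wrapped-md5"
    if len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower()):
        return "legacy-md5"
    return "unknown"

def _kdf(secret, salt):
    return hashlib.scrypt(secret, salt=salt, **SCRYPT).hex()

def _record(tag, secret):
    salt = os.urandom(16)  # fresh per-record salt
    return f"{tag}${salt.hex()}${_kdf(secret, salt)}"

def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()

def wrap_legacy(stored_md5):
    """Bulk-upgrade an unsalted MD5 row without knowing the password."""
    return _record("md5-scrypt", stored_md5.lower().encode())

def login(password, stored):
    """Return (ok, record_to_store); a successful login always yields plain scrypt."""
    kind = classify(stored)
    if kind == "legacy-md5":
        ok = hmac.compare_digest(md5_hex(password), stored.lower())
    elif kind in ("scrypt", "wrapped-md5"):
        _, salt_hex, digest = stored.split("$")
        secret = password.encode() if kind == "scrypt" else md5_hex(password).encode()
        ok = hmac.compare_digest(_kdf(secret, bytes.fromhex(salt_hex)), digest)
    else:
        ok = False
    if ok and kind != "scrypt":
        return True, _record("scrypt", password.encode())
    return ok, stored

# Constructed sample: two accounts sharing one password, stored as unsalted MD5.
legacy = {"alice": md5_hex("correct horse"), "bob": md5_hex("correct horse")}
wrapped = {user: wrap_legacy(h) for user, h in legacy.items()}
```

In the constructed sample the two unsalted MD5 rows are identical, so one recovered password exposes both accounts, while the wrapped rows differ because each carries its own salt.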
What makes YggTorrent different from previous torrent site shutdowns is the claim that a single hacker inflicted fatal damage from the inside, turning a piracy site into the victim of a piracy-style hit. The collapse raises questions about whether the piracy ecosystem can sustain large, centralised platforms, or whether users will fragment across smaller, less proven alternatives offering lower visibility and potentially greater security risks.
YggTorrent warned: "We strongly advise against downloading anything from torrent sites that attempt to capitalise on this event by posing as successors or alternatives, because they could deliver malware". Whether users will heed this warning remains unclear.