User:NathanStance

pwnp0ny (often stylized as pwnp0ny or PWNP0NY) is a cybercrime collective associated with distributed denial-of-service (DDoS) attacks, booter and stresser services, account compromises, swatting, and alleged intrusions into high-profile targets. The group first gained public attention in the mid-2020s and has maintained a presence in underground hacking communities into the 2026. It attracted significant law enforcement interest in 2023 when the U.S. National Security Agency (NSA) publicly identified several associated aliases in connection with cyber threats.

The group is known for fluid membership, extensive use of aliases and rebranded accounts, and a highly public presence on X (formerly Twitter), where it frequently engages in claims of responsibility, online drama, and rival feuds.

The @pwnp0ny X account was created in March 2020, collaborating with members from the original Lizard Squad era and sharing cultural and personnel overlaps with post-Lizard Squad splinter groups and crews such as GoonSquad, pwnp0ny developed its own identity focused on booter/stresser operations and provocative public activity.

The group became active in the late 2020s and experienced heightened visibility between 2023 and 2025 through public claims and law enforcement scrutiny. Activity continued into 2026 amid ongoing drama and disassociations.

• xai — Identified as the original founder.
• jasperpwnz (also known as NaziSecurity or cosmo.mp3) — Prominent active member.
• ryan — Long-standing veteran member with connections to earlier scenes (including Lizard Squad, Rustle League, GNAA)
• taker (also known as TakerTheGoon, 74K3R, takerthegoon, SecurityAnaIyst) — Returned to activity in late 2023. Previously active in 2016–2017 and subject to a 2016 law enforcement subpoena.

• shr00ms
• kitten
• nearly
• peIicans
• mango
• $urge
• ChevenTheGod
• antichrist (Floyd Fictoor)
• zeskoxi (publicly disassociated in 2026)
• talktothepaw_

Note: Due to the heavy use of pseudonyms and fluid affiliations common in this ecosystem, exact membership is often difficult to verify.

• Nintendo Switch Private Key Dump Claim (August 17, 2023): The account @cvvmen (antichrist) posted “Sigh... @Nintendo bad security.” and attached a Pastebin link titled “[NINTENDO] Switch Private Key Dump! (PRODINFO) (CONSOLE RELATED)”. The post mocked Nintendo’s security and claimed access to sensitive console-related private keys.

• EA Games Outage Claim (September 18, 2023): The account @cvvmen (antichrist) posted “Bye #EAGames! @pwnp0ny” alongside a DownDetector chart showing a sharp spike in Electronic Arts service outage reports.

• Government Email Operation (Late 2025 – Early 2026): Members allegedly operated an illegal government mail service. Creating and Distributing credentials for official-looking government domains (e.g., `mail.gov.xx`, with usernames such as `@zaire.gov.xx`). These operations involved the creation and maintenance of fraudulent government identities, which were sold to third parties. Such activities enable identity fraud, phishing campaigns, business email compromise (BEC), and other cyber-enabled crimes by leveraging the perceived legitimacy and trust associated with government email addresses.

• PWNPONY Ransomware (2025): According to cybersecurity research by CipherTech Solutions^[1], pwnp0ny developed and deployed PWNPONY ransomware - a simple Python-based ransomware that encrypts files using basic XOR encoding. It was observed being delivered via a custom loader named NodeDecryptor, alongside other stealers such as ZeroTrace Stealer and a Prysmax Stealer variant. Approximately 50 samples of this loader were identified, indicating active malware distribution operations.

• Botnet Operations and F5 Exploits: Public discussion within underground communities has referenced pwnp0ny's botnet capabilities, specifically its integration with F5 exploits. In one notable post, a user (@OperatorBlood) alluded to the technical sophistication required for the group's botnet to function with F5 vulnerabilities.

• NSA Most Wanted Listing (2023): The NSA publicly listed pwnp0ny and several associated aliases (including taker, antichrist, gdkmango, shr00ms, $urge, and ryan) in relation to cyber threats. The official pwnp0ny account shared media coverage of the listing on November 16, 2023.

• Snapchat-Related Claim (December 24, 2023): The group posted a claim that jasperpwnz was contacting Snapchat headquarters regarding accounts. Leading a lot of people to believe a potential breach had happened. No further information has been posted or confirmed other than multiple OG users on snapchat being reportedly swapped and being sold at the time of the tweet.

• Swatting Incident (January 10, 2024): Following a post by @zRobinator about police presence near his residence, pwnp0ny claimed responsibility and shared supporting links.

• Account Compromise and Swatting Claims (August 2025): - August 11, 2025: Content associated with pwnp0ny referenced swatting and hacking activities against Call-of-Duty gamers. - August 12, 2025: A post claimed an account recovery involving @talktothepaw_ (“big hacker kitty”) and @notmango69 (“unarrestable mango”).

• AJ Styles Account Compromise (2025/2026): A verified post from wrestler AJ Styles’ X account (@AJStylesOrg) publicly criticized ryan (urharmless), referring to him as a “fake Lizard”. resulting in an ongoing feud with the hacking group Scattered Spider.

• Alleged Government Network Access: Leaked images circulating from individuals close to the group show certificate management interfaces containing multiple Department of Defense (DoD) root certificates (including DOD SW CA-75, DOD EMAIL CA-70, DOD ID CA-64, and others) installed on Microsoft Local Computer stores. These screenshots have been presented as evidence of sustained backdoor or privileged access to U.S. government systems, including DoD logins, NSA-related portals, Marine Corps networks, Intelink, and RISS systems. The authenticity and extent of any such access remain unconfirmed by public sources.

The group has also been involved in long-running public disputes with individuals and groups linked to HasanBF (BreachForums admin) and Scattered Spider. In October 2016, @TakerTheGoon (Taker) and GDKMango were named in a subpoena from the Polk County, Florida State Attorneys Office related to a false bomb threat investigation (Case PCSO 16-45571).

• Heavy reliance on public X posts for claiming responsibility.
• Frequent targeting of gaming companies and consumer platforms.
• Combination of technical exploits, social engineering, and swatting.
• Fluid structure makes attribution challenging.

This is based on open-source intelligence (news, threat reports, and public X activity) Many claims made by the group may be exaggerated for clout or unverified. I do not endorse, assist with, or provide guidance on any illegal activities. Law enforcement agencies (FBI, NSA, etc.) actively investigate these matters. (Note this group is no longer active and all information is publicly available.)

• Lizard Squad
• GNAA
• Scattered Spider