
Wikileaks website that hosted torrent with infected files is migrated to a new domain

UPDATED: While has been taken offline and is not currently being redirected elsewhere, it looks like all of that host's functionality is now being provided by - mostly as a way to facilitate torrent downloads. The new host appears to require SSL, which did not. The SSL issue was particularly troubling as all of the torrents available for download on were created referencing the non-SSL version of the site (establishing an unencrypted client connection between the P2P client and, another great way for the powers that be to identify Wikileaks users). The torrent that includes infected files, gifiles-2014.tar.bz2.torrent, remains available for download as well.
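One way to check a torrent for this problem, as an added example that is not from the original post: a small bencode parser that lists the plaintext `http://` tracker and web-seed URLs embedded in a .torrent file. The sample torrent and its hostnames are constructed, and because the post does not say which metadata key the torrents used, all of the standard URL-bearing keys are checked.

```python
# Added example: flag non-TLS URLs that a .torrent tells the client to contact.
def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list or dictionary
        i += 1
        items = []
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)             # raises on truncated input
            items.append(value)
        if c == b"l":
            return items, i + 1
        if len(items) % 2:
            raise ValueError("dictionary key without a value")
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        start = colon + 1
        end = start + int(data[i:colon])
        if end > len(data):
            raise ValueError("truncated string")
        return data[start:end], end
    raise ValueError(f"bad bencode at offset {i}")

# Metadata keys that carry tracker or web-seed URLs.
URL_KEYS = (b"announce", b"announce-list", b"url-list", b"httpseeds")

def _flatten(value):
    """Yield every byte string in a string or (nested) list of strings."""
    if isinstance(value, bytes):
        yield value
    elif isinstance(value, list):
        for item in value:
            yield from _flatten(item)

def plaintext_urls(torrent_bytes):
    """Return (key, url) pairs for every http:// URL in the torrent metadata."""
    meta, _ = bdecode(torrent_bytes)
    if not isinstance(meta, dict):
        raise ValueError("top-level value is not a dictionary")
    return [(key.decode(), url.decode("utf-8", "replace"))
            for key in URL_KEYS for url in _flatten(meta.get(key, []))
            if url.lower().startswith(b"http://")]

def _s(b):                                          # bencode one byte string
    return str(len(b)).encode() + b":" + b

# Constructed sample torrent; the .example hostnames are placeholders.
SAMPLE = (b"d" + _s(b"announce") + _s(b"http://tracker.example/announce")
          + _s(b"info") + b"d" + _s(b"name") + _s(b"demo.bin") + b"e"
          + _s(b"url-list") + b"l" + _s(b"http://files.example/data/")
          + _s(b"https://files.example/data/") + b"ee")
```

Calling `plaintext_urls()` on the bytes of a downloaded .torrent file returns every URL the client would fetch without TLS; an empty list means none of the checked keys use `http://`.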

As I discussed in my series of posts explaining how the Stratfor email dump hosted by Wikileaks contains malicious software, I first came across a series of infected files when I downloaded and reviewed a torrent file hosted on the Wikileaks subsite "". A number of factors at the time led me to believe that "" was not a mirror of Wikileaks hosted by a third party, but was in fact run by the Wikileaks organization directly: notably, that both and resolved to the same set of IP addresses, both sites shared the same SSL certificate, and was linked to throughout

Today it was brought to my attention that has been taken offline, and I verified that the DNS entry for has been kiboshed. uses the Wikileaks nameservers ( &, so this change would have been performed by a trusted member of the Wikileaks technical team. I am not aware of any announcements from Wikileaks stating the reason for the removal of from DNS. Whatever the reason for the change, this update has not removed the infected files from distribution.

As of this writing (9/15/2015), all of the infected files remain available for direct, individual download through a series of dozens of curated links directly from the website. I have also received reports that those attempting to download the infected torrent file using a BitTorrent client are unable to find a complete peer to seed the torrent. If anyone wishes to review these files for research purposes you are welcome to contact me and I can seed temporarily. For obvious reasons I am not interested in seeding the torrent on anything like an ongoing basis, and I encourage researchers and journalists to review the infected files directly on the as a first step. I have compiled a list of URLs containing infected files and posted it to PasteBin; I also have a post explaining that infected files are not restricted to the torrent file.