Threat Actor Characterization

CrX

ID: e34a66d4e43067ac1a5729fb9402bdb9
Hacktivist Group Defacement Crew
Threat types: Defacement
Mexico TTO
Updated: 2026-01-13
Created: 2025-10-16
Progress: 54% Completeness: 55% Freshness: 50%
Operation zone: Trinidad and Tobago
Aliases
No aliases registered.
MITRE ATT&CK®

“crx” — individual web defacer active circa 1999–2004 with multiple page takeovers recorded in Zone-H mirrors. Trademark strings observed include “Hacked by crx”, “CRX OWNZU”, and Spanish-language insults; one detailed narrative (razorback2.com, 2004-04-03) describes discovery of a vulnerability, uploading a PHP script to the webroot, modifying the HTTPD configuration, disabling logging, and replacing index. Possible alternate handle mentioned in a conflict post: “Kastro” (unconfirmed).


Technique | Technique name | Tactics | Evidence
T1491.002 | External Defacement | TA0040
  • 1999 — mute300.net — defaced landing with long message signed “-crx”; asserts total takeover of the site.
  • 2004-04-03 — razorback2.com — concludes with “razorback2.com hacked by crx”; index replaced; original backed up as index.bak.php.
  • unknown — accounts.usc.edu.tt — classic banner “Hacked by crx”, Mexican flag image, Spanish insult line.
  • unknown — Simple deface strings on multiple hosts: “CRX OWNZU” / “hacked by crx”.
T1190 | Exploit Public-Facing Application | TA0001
  • 2004-04-03 — razorback2.com — “Few minutes later, a vulnerability is discovered … a php script is copied into www … The Index is modified successfully”. Indicates exploitation of a public-facing service to gain write access.
T1562.002 | Disable Windows Event Logging | TA0005
  • 2004-04-03 — razorback2.com — “apache doesn't log the requests”; suggests log/telemetry impairment post-access.
Strategic Intelligence
Last updated: 2025-10-16T20:57:14+00:00
crx — Individual Web Defacer (1999–2004)

CLASSIFICATION: Unclassified / Open Source


Executive Summary

crx appears in multiple historical mirrors (Zone-H era) as an individual defacer active from at least 1999 to 2004, leaving minimalist strings such as “Hacked by crx”, “CRX OWNZU”, and, in one case, Spanish-language profanity accompanied by a Mexican flag image. A detailed write-up on razorback2.com (2004-04-03) describes discovering a vulnerability, uploading a PHP script to the webroot, modifying the HTTPD configuration, disabling Apache logging, and replacing index (with a backup saved as index.bak.php). A longer, combative message on mute300.net (1999) includes an AIM handle reference and taunts; within that text the name “Kastro” appears, but linkage as an alias remains unverified. Overall, the evidence supports a profile of a solo defacer executing opportunistic exploitation and page replacement across disparate targets. Confidence: medium.

  1. 1999. mute300.net — lengthy deface note signed -crx; claims full takeover and taunts administrators; mentions “Kastro” within the rant (possible alias, unconfirmed).
  2. 2004-04-03. razorback2.com — narrative states attack “starting … from France”, “vulnerability is discovered”, PHP script copied into www, HTTPD config modified, Apache logging disabled, index replaced; ends “razorback2.com hacked by crx”.
  3. Undated (early 2000s). accounts.usc.edu.tt — banner “Hacked by crx”, Mexican flag image, Spanish profanity.
  4. Undated (early 2000s). Multiple hosts show “CRX OWNZU” or “hacked by crx” strings (scripts-zone.com, portailduhack.freegaia.net, security-corporations.com, gueux.net, dark-sign.com, harnois.biz).
  • Possible alternate handle: “Kastro” — appears only inside the mute300.net rant; no independent infrastructure or campaign continuity found. INFERENCE (confidence: low).
  • Operational behaviors: Opportunistic web defacements across heterogeneous targets; in at least one case, post-exploitation hardening to reduce traces (turning off web logs).
  • Geographic hints:
    • Mexican flag + idiomatic Spanish insult suggest Mx-themed signaling on accounts.usc.edu.tt.
    • “Starting … from France” on razorback2.com indicates either French vantage (proxy/host) or physical presence at the time; not dispositive of nationality.
  • English in 1999 post is fluent colloquial US-slang with minor errors—consistent with a heavy-exposure non-native or a native speaker; MT quality in 1999 was poor, so fluency likely genuine. INFERENCE (confidence: low–medium).