Grimes Admits To Hacking, Blackmailing Indie Music Blog Hipster RunoffImage via Jeff Kravitz/FilmMagic Tech News Grimes
People usually don’t flippantly recount committing federal cybercrime as “my coolest hacker moment,” but that’s what musician Claire Boucher, better known as Grimes, just did.
In an interview with Vanity Fair, Grimes dropped the bombshell that she was responsible for the 2012 DDoS attack against former indie music snark blog Hipster Runoff that ultimately led to the site’s demise.
Grimes delved into the story after a picture of her kissing another woman at a New York City party in 2012 came up during the interview. The picture was published by Hipster Runoff in 2012, which upset the then-burgeoning musician. “Back in the day, like before the woke era, I actually got canceled for this,” Grimes told Vanity Fair. “I was trying to be, like, all integrity and start my career, and it was like ‘Grimes Gone Wild’ or something. It was this, like, super wack, mean story, and it was like this meme which was going all over the internet.”
She also claimed that the photo in question was “leaked” to Hipster Runoff, but Jackie Singh, former cybersecurity staffer for Joe Biden’s 2020 presidential campaign, noted on her blog, Hacking But Legal, that the photo was likely published on the now-defunct NYC nightlife site LastNightsParty.com. “It seems like a misrepresentation to imply this was a private photo for which the blogger was deserving of retribution for publishing.”
In response to the “leaked” photo, Grimes teamed up with a friend who worked in the videogame industry to hit Hipster Runoff with a DDoS attack and hold the site hostage. “We were actually able to DDoS Hipster Runoff and basically blackmail them,” Grimes said as she sat next to the catalyzing photo. “We were like, ‘We’re not gonna let you put your site back up until you take the story down. And he did, in fact, take the story down. It was like my coolest hacker moment.”
Both issuing a DDoS attack and extortion are federal crimes under U.S. law punishable by up to a combined 11 years in prison. In Canada, where Grimes lived at the time, those same crimes carry anywhere from 10 years to life in prison, but it appears that Grimes and her games industry partner may have committed even more offenses during their standoff with Hipster Runoff. According to a 2012 Motherboard interview with the site’s owner, Carlos “Carles” Perez, the cyber attack against Hipster Runoff wasn’t limited to crashing to the site. “My server disk has crashed and remote backups were sabotaged,” Perez said. “My hosting company and support team say that there are signs of foul play on the server, and some of the last actions before it crashed are very suspicious.”
In the interview, Perez hinted that he may have known who was behind the hack at the time but couldn’t confirm the identity of the attacker. The cyberattack proved a crushing blow to Perez’s “one man operation.” Hipster Runoff was never able to be fully restored due to the damage and the site was sold in 2015. Singh points to Perez migrating the site from WordPress to Drupal in 2009 as the potential cause for the backdoor into Hipster Runoff.
“In its early years, Drupal was plagued with security vulnerabilities, and if it had been installed in 2009 with potentially no updates since as indicated by the site owner, the server could have been vulnerable to a particularly nasty vulnerability called CVE-2008-6171 which could have enabled this type of hack,” Singh said.
Regardless of how Grimes and her friend were able to access and effectively kill Hipster Runoff, her airing of the tale as a celebratory accomplishment doesn’t sit well. “A decade later, unfazed by time and experience, Grimes remains convinced this was a triumphant moment for her, and not an ethical lapse for which she should feel ashamed,” Singh said. “For someone who can’t stop ranting about ‘wokeness’ and ‘cancellation’, Grimes doesn’t seem concerned about any actual risk associated with admitting crimes to a major magazine, despite the fact that Canada does not have a statute of limitations on cybercrime.”