Pinoy Vendetta
Pinoy Vendetta is a Filipino hacktivist collective that surfaced in mid-2021, gaining notoriety for large-scale DDoS campaigns against opposition politicians, human rights groups, and critical news outlets such as Rappler, ABS-CBN, and VERA Files. The group framed itself as pro-Duterte and anti-communist, openly pledging support to the government’s NTF-ELCAC task force and portraying its actions as patriotic “cyber-vigilantism.”
​
Operating mainly through Facebook pages until their removal in early 2022, Pinoy Vendetta mixed propaganda with boasts of website takedowns, often accompanied by taunts or ideological statements. Their attacks relied on off-the-shelf DDoS tools, rented botnets, and stresser services, rather than custom malware.
While they received public praise from government figures like Undersecretary Lorraine Badoy, investigators traced the attacks back to members in Davao City and linked the campaigns to a broader climate of digital repression. By mid-2022, the group’s online presence faded, but its activity remains a case study in state-aligned hacktivism and cyber-enabled censorship in the Philippines.
​
Pinoy Vendetta
Aliases: PV, PinoyVendetta, “Ordinary Citizens”
​
Origin: Philippines
Motivation: Pro-government hacktivism, anti-communist, anti-media
First Observed:** June 2021
Status: Most active mid-2021 to early 2022; low profile after mid-2022
​
Tactics, Techniques, and Procedures (TTPs)
Attack Vectors: Primarily DDoS (HTTP floods, referrer spam, proxy abuse); some information operations (spoofed CPP website)
​
Target Sectors: News media, human rights NGOs, opposition politicians, activist groups, insurgent organizations
​
Tools / Malware: Off-the-shelf DDoS tools (MHDDOS, CC-Attack, DAVOSET, SST Destroyer); rented botnets; stressor services; promoted underground tools (Atrac, Joker, Velocity, Medusa, etc.)
Notable Campaigns & Operations
June 2021 > First wave: DDoS against CPP, Bayan Muna, Kabataan, 1Sambayan, and opposition politicians (Trillanes, De Lima).
Dec 2021 > Media DDoS wave: ABS-CBN, Rappler, VERA Files, Philstar, CNN Philippines, GMA, TV5, Bulgar, regional outlets.
Jan–Feb 2022 > Election season: Sustained DDoS attacks during presidential debates; Rappler hit with ~1M requests/sec.
Mar 2022 > Retaliation Attacks on Mindanao Gold Star Daily, PressOne, Interaksyon.
Information operations: Fake CPP-NPA-NDF website hosted on GitHub.
​
Infrastructure & IOCs
​
Domains: cpp-npa-ndfp[.]org (spoof site, GitHub pages)
Observed Techniques: Randomized HTTP query floods, null user-agent floods, referrer spam,
CMS endpoint abuse (xmlrpc.php, wp-login.php)
​
Stresser/Botnet promotion: Atrac, Joker, Velocity, Slovakia2 Reloaded, Medusa
​
Regional & Geopolitical Context
Strongly aligned with Duterte administration’s anti-communist rhetoric and “red-tagging” of opposition.
Publicly supported NTF-ELCAC (National Task Force to End Local Communist Armed Conflict).
Received praise and amplification from government figures (Undersecretary Lorraine Badoy, Jeffrey “Ka Eric” Celiz).
​
Threat Assessment
​
Sophistication: Low–Medium (relied on publicly available tools; disruptive due to scale, not novelty).
Current Activity: Declined after April 2022; no major campaigns under Marcos Jr. administration.
Who Should Care: Media outlets, NGOs, activist coalitions, political opposition in the Philippines.
​
References
Qurium Media Foundation forensic reports (2021–2022)
Rappler investigations (2021–2022)
National Union of Journalists of the Philippines (NUJP) statements
Freedom House, Access Now, Rest of World reports
Manila Bulletin coverage and interviews
Campaign Timeline
2021- Initial Ops
June 14-21
Targets: CPP, Bayan Muna, Kabataan, 1Sambayan, Antonio Trillanes, Leila de Lima
Method: DDoS
Impact: Sites offline for extended periods; positioned as “anti-communist crusade”
August
Action: Facebook post pledging support for NTF-ELCAC, threatening opposition politicians
Impact: Cemented ideological alignment with Duterte government
October 19
Target: Gordon’s official Senate site
Method: DDoS
Impact: Part of harassment during corruption probe
November
Action: Launch of cpp-npa-ndfp[.]org (GitHub pages spoof)
Impact: Information operation against insurgent groups
December 11-23
Targets: ABS-CBN, Rappler, VERA Files, Philstar
Method: DDoS
Impact: Prolonged outages; Rappler hit at ~1M requests/sec
2022
Jan 22-29
Targets: Rappler, TV5, Bulgar Online, GMA Network
Method: DDoS
February 7-27
Targets: CNN Philippines (debate coverage), Rappler, Altermidya, Bulatlat
Method: DDoS
Impact: High visibility disruption during election season
February 23
Action: Meta removes Pinoy Vendetta’s main page and “PV Ordinary Citizens”
Impact: Group loses primary propaganda channel
​
March 14-16
Targets: Mindanao Gold Star Daily, PressOne.PH, Interaksyon
Method: DDoS
Impact: Retaliation against fact-checking coalition
April 5
Action: Qurium and Rappler identify “Crtc4L” as a core member
Impact: Group largely goes silent afterwards