Tuesday, September 30, 2025

Intellexa's Cytrox Predator Commercial Spyware Vendor and the Hacker Scene's Underground Connection

From the "there's a high probability that this might be the case" department.

Sample photos:

hxxp://cytrox.com - 2015 - Rotem Farkash - rotem@farkash.net - 972525256070

Related domain registrations:
hxxp://cyarmor.com
hxxp://cytrox.com
hxxp://farkash.net
hxxp://fsgames.co
hxxp://cydefence.com
hxxp://cycept.com
hxxp://cyshield.com
hxxp://cyshield.net
hxxp://cyshield.org
hxxp://inpedio.com
hxxp://cyshield.info 

hxxp://cytrox.com - 2017 - CYSHARK DOO SKOPJE -> shahakshalev@gmail.com -> 36707716154

shahakshalev@gmail.com -> Afik castiel -> 2015 -> hxxp://digitalwhisper.co.il -> hxxp://github.com/Sheksa -> Shahak Shalev

2015 - empty0page@gmail.com

Afik Kastiel - hxxp://trythis0ne.com
Nir Adar - hxxp://underwar.co.il - underwar@hotmail.com

Shahak Shalev is a seasoned technology leader with extensive experience in cybersecurity and digital safety. Currently serving as Senior Director of Technology and Engineering for Consumer Privacy at Malwarebytes since August 2023, Shahak is dedicated to innovating solutions for online privacy and identity protection. As Co-Founder and CTO of Cyrus Security since July 2020, Shahak focuses on personal cybersecurity and identity protection. Prior experience includes a role as VP of Technology at Inpedio from 2017 to 2020, specializing in mobile security solutions, and serving as a Cyber Security Expert in the Israel Defence Forces from August 2012 to February 2017.

Cyrus Security -> Malwarebytes

Inpedio

Related photos:


Bulgaria's Ransomed VC Ransomware Group's IoCs

From a previous post.

hxxp://ransomedtools.online
hxxp://ransom-market.com
hxxp://ransomed.biz
hxxp://preferredloansla.com
hxxp://rinse-right.com
hxxp://rancorpgroup.com
hxxp://rancorpav.com
hxxp://pennywiseretail.com
hxxp://rancorpbr.com
hxxp://ransomed.vc
hxxp://breached.wiki - 172.232.4.89
hxxp://breached.fun - 162.255.119.114
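
The indicators in this post are published defanged, one per line in the form "hxxp://host" with an optional " - ip" suffix. As an added example (not code from the original post), the Python below refangs and deduplicates such a list (note that ransomed.biz appears twice above), then runs the resulting matcher over a few constructed DNS resolver log lines. The log format, the client addresses and the non-indicator query names are assumptions for the example; the indicator list is copied from this post.

```python
import re
from ipaddress import ip_address

# Constructed sample input: a copy of the defanged indicator list from the
# Ransomed VC post above, in its "hxxp://host [- ip]" form.
RAW_IOCS = """
hxxp://ransomedtools.online
hxxp://ransom-market.com
hxxp://ransomed.biz
hxxp://preferredloansla.com
hxxp://rinse-right.com
hxxp://rancorpgroup.com
hxxp://rancorpav.com
hxxp://pennywiseretail.com
hxxp://rancorpbr.com
hxxp://ransomed.vc
hxxp://ransomed.biz
hxxp://breached.wiki - 172.232.4.89
hxxp://breached.fun - 162.255.119.114
"""

# Constructed DNS resolver log lines (assumed format:
# "<ts> <client> query <qname> <rtype> <answer>"); not from the post.
SAMPLE_LOG = """\
2025-09-29T10:01:02Z 10.0.0.5 query www.breached.wiki A 172.232.4.89
2025-09-29T10:01:07Z 10.0.0.5 query example.com A 93.184.216.34
2025-09-29T10:02:11Z 10.0.0.9 query ransomed.vc A 0.0.0.0
2025-09-29T10:03:40Z 10.0.0.9 query notransomed.vc A 203.0.113.7
"""

# One defanged indicator per line; the IP suffix is optional.
LINE_RE = re.compile(
    r"^\s*hxxps?://(?P<host>[A-Za-z0-9.-]+)"
    r"(?:\s*-\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?\s*$"
)


def parse_iocs(text):
    """Refang and deduplicate: returns {host: ip_or_None}.

    Repeated hosts collapse into one entry; a line that carries an IP
    wins over a bare duplicate of the same host.
    """
    iocs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or non-indicator line
        host = m.group("host").lower().rstrip(".")
        ip = m.group("ip")
        if ip is not None:
            ip_address(ip)  # ValueError on a malformed address
        if host not in iocs or ip is not None:
            iocs[host] = ip
    return iocs


def build_matcher(iocs):
    """Return match(hostname, ip) -> list of (kind, indicator) hits."""
    domains = set(iocs)
    ips = {ip for ip in iocs.values() if ip}

    def match(hostname=None, ip=None):
        hits = []
        if hostname:
            h = hostname.lower().rstrip(".")
            # exact match or a subdomain; "notransomed.vc" must not hit
            # "ransomed.vc", hence the leading dot on the suffix test
            hits.extend(("domain", d) for d in sorted(domains)
                        if h == d or h.endswith("." + d))
        if ip in ips:
            hits.append(("ip", ip))
        return hits

    return match


def scan_log(log_text, match):
    """Apply the matcher to each query line; returns (ts, client, qname, hits)."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[2] != "query":
            continue
        ts, client, _, qname, _rtype, answer = parts[:6]
        hits = match(hostname=qname, ip=answer)
        if hits:
            alerts.append((ts, client, qname, hits))
    return alerts


if __name__ == "__main__":
    matcher = build_matcher(parse_iocs(RAW_IOCS))
    for ts, client, qname, hits in scan_log(SAMPLE_LOG, matcher):
        print(ts, client, qname, hits)
```

The suffix test requires a leading dot so that a lookalike such as notransomed.vc does not match ransomed.vc, and the two indicators that carry an address are matched on the resolved answer as well as the name, which still fires if the operators move the name to a different resolver path but keep the hosting IP.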

Related:

Exposing Bulgaria's Emil Kyulev/RansomedVC/Magadans/BorisTulev/BlackForums/ImpotentNaEvropa/Everest Ransomware Group/DADS Agency - An OSINT Analysis 

Satoshi Nakamoto IoCs

A logical question emerges. Who is Satoshi Nakamoto?

And a logical answer as well. Let's do some OSINT research and find out more.

Sample personally identifiable email address account: 

satoshin@gmx.com

Related domain registrations:
hxxp://tradebisonapp.com
hxxp://meinemeilenundmehr.com
hxxp://myhypovereinsbank.com

satoshi@anonymousspeech.com

satoshi@vistomail.com -> wwwmichi@gmx.ch

Bitcoin address:
1Jhk2DHosaaZx1E4CbnTGcKM7FC88YHYv9 

Second Bitcoin address:
1DCbY2GYVaAMCBpuBNN5GVg3a47pNK1wdi

Related domain registrations:
hxxp://mt2014.com
hxxp://websecureemail.com
hxxp://thankyou2010.com
hxxp://swingdf.com
hxxp://btctipping.com
hxxp://goalsetting1.com
hxxp://sexfriendsshare.com
hxxp://mytrashmail.com
hxxp://mt2015.com
hxxp://trash2009.com
hxxp://secureanonymoussurfing.com
hxxp://returnflights.net
hxxp://spamemailblocker.net
hxxp://rewpost.com
hxxp://joesgardeningtools.com
hxxp://vistomail.com
hxxp://naninu.com
hxxp://aidsgame.com
hxxp://everlag.com
hxxp://mt2009.com
hxxp://bankweber.com
hxxp://turutu.com
hxxp://sexfriendshare.com
hxxp://trashymail.com

hxxp://raptoreum.us
hxxp://virtual-hiv-test.com
hxxp://websecureemail.com
hxxp://silver-quote.com
hxxp://bitcoinqt.com
hxxp://bitcoin-qt.com
hxxp://mtgox.us
hxxp://planofattack.us
hxxp://digicash.us

Monday, September 22, 2025

The Pool on the Roof Must Have a Leak

Open Letter - https://pastebin.com/7h64ZqUf
Emails.rar - https://gofile.io/d/af951551-a57e-49c1-a453-291fa78f24d9
Emails.rar - https://uploadnow.io/en/share?utm_source=tQ0VccW
Torrent - https://drive.google.com/file/d/1oSGIfvj6li5xiB5fPkeyPVfnv-s-Sq5q/view?usp=sharing

Saturday, September 20, 2025

Dancho - Voting Poll - DDanchev Leaks

As a journalist or reporter what would be the maximum amount you would be willing to donate for my retirement path and obtain access to my personal emails from 2007-2024 (3GB)? It's about my 2010 disappearance. Open Letter here - https://ddanchev.blogspot.com/2025/09/open-letter-to-international.html
$300-$400
$400-$500
$500-$600
$600-$700
Above $700

Open Letter to International Investigative Journalists on my 2010 Disappearance

My name is Dancho Danchev. For over two decades, I have navigated the shadowy corridors of the internet as an independent security consultant, a cyber threats analyst, and a relentless practitioner of Open Source Intelligence (OSINT) gathering. Born in Sofia, Bulgaria, on November 22nd, 1983, my journey into the heart of digital conflict began not in a corporate security operations center, but in the untamed frontiers of the early web, a landscape then governed by a different kind of law. I have been described in many ways: a cybersecurity researcher, a journalist, a blogger, and, in less formal circles, an ex-hacker from Bulgaria. This last descriptor, while perhaps the most simplistic, points to a fundamental truth about my trajectory: an understanding of the adversary's mindset, born not merely from textbook study, but from a deep, immersive engagement with the digital underground. My work has consistently revolved around dissecting malicious and fraudulent cyber threat actors, exposing their infrastructures, their methodologies, and their very personas. I have dedicated my professional life to pioneering my own approaches in cybercrime fighting and threat intelligence gathering, striving to provide what I believe to be insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports. This is the public face, the curated digital footprint. Today, I write to you not merely as Dancho Danchev the analyst, but as the individual behind the analysis, to explain a decision that may seem radical, even self-destructive, to some: the deliberate publication of my personal files, my research archives, my "mind streams" of information security knowledge, aggregated over years, under the moniker "DDanchev Leaks" on the Distributed Denial of Secrets platform. This is not an act of vanity, nor a simple data dump. 
It is a calculated maneuver, born from years of navigating a complex and often perilous information ecosystem, a culmination of lessons learned, battles fought, and an unwavering commitment to a principle that has become both my shield and my sword: radical transparency in the pursuit of truth and the unmasking of those who operate in the digital shadows. This letter serves as a comprehensive explanation, a behind-the-curtains account of the motivations, the profound challenges, and the hard-won achievements that have culminated in this pivotal moment. It is a testament to the fact that in the world of cybercrime research, the line between observer and participant can blur, and the personal cost of illuminating the darkness can be immense. The decision to make my personal archives public is, in essence, a strategic counter-move against forces that seek to obscure, intimidate, and silence. It is an assertion of control over my own narrative and a contribution to the public record, ensuring that the knowledge I have painstakingly gathered remains accessible, not just to the highest bidder or the chosen few, but to anyone with the will to understand the evolving threatscape. This is the story behind the data, the human element intertwined with the code, the rationale for turning a private researcher's lens upon himself and offering the resulting image to the world. 

The path that led me to this juncture has been anything but conventional. My early years, as I've alluded to in previous reflections, were marked by a deep fascination with computer systems and their vulnerabilities. This was the era of the "infamous hacking spree throughout the 's", a time when the digital frontier was vast, regulations were nascent, and a spirit of exploration, for some, bordered on the transgressive. It was during this formative period that I developed an intimate understanding of "lawful surveillance" and "lawful interception" techniques, not as abstract concepts, but as practical skills honed in the crucible of early online communities. This experience, while undertaken with the naiveté of youth, instilled in me a profound appreciation for the power of information, the malleability of digital systems, and the motivations that drive individuals to push their boundaries. I transitioned from these "hacker enthusiast" years into a more focused role as a security researcher and blogger, a platform I established in December, which has served as my primary outlet for analysis and findings ever since. My work has spanned a wide spectrum of cyber threats, from dissecting complex Distributed Denial of Service (DDoS) attack networks to profiling the infrastructure and operations of sophisticated botnets like Koobface. I have delved into the world of cybercrime-as-a-service, exposing tools and services that lower the barrier to entry for aspiring malicious actors. My analyses have often focused on the tangible, the traceable: the command and control servers, the communication channels like Jabber and XMPP favored by cybercriminals, the financial flows, and the social engineering tactics employed. This meticulous, evidence-based approach to attribution, a cornerstone of my methodology, is crucial because, as I've consistently maintained, attribution in cyber threat intelligence shouldn't rely on assumptions; it must be backed by concrete evidence. 
This dedication to factual, verifiable intelligence has been the bedrock of my reputation as an internationally recognized expert in the field. Yet, this very dedication, this relentless pursuit of truth, has also been the source of significant personal and professional challenges, challenges that have profoundly shaped my perspective and ultimately led to the decision I am elaborating upon today. The act of publishing one's own "personal files" is not one I undertake lightly. It is a paradoxical act for a researcher who values privacy, yet it is a response to an environment where privacy is routinely weaponized, and information itself is the most contested battlefield. It is an attempt to reclaim narrative, to ensure continuity of knowledge, and to make a definitive statement about the ownership and dissemination of intelligence in an age increasingly characterized by secrecy and manipulation.

My career has been a continuous immersion into the operational methodologies of malicious actors, a deep dive into the mechanics of their campaigns, and an exercise in persistent, often grueling, Open Source Intelligence (OSINT) gathering. The core of my work revolves around transforming disparate, often obscured, digital artifacts into coherent intelligence narratives that can illuminate the activities of cybercriminals, state-sponsored actors, and other threat entities. This process is far from glamorous; it is a meticulous, often tedious, endeavor that demands a high degree of technical acumen, analytical rigor, and an almost obsessive attention to detail. One of the primary areas of my focus has been the intricate ecosystem of botnets. These vast networks of compromised machines serve as the backbone for numerous illicit activities, from large-scale Distributed Denial of Service (DDoS) attacks – which I have profiled as managed services offering to "take down your competitor's web sites offline in a cost-effective manner" – to spam dissemination, credential theft, and ransomware operations. The Koobface botnet, which I extensively researched and contributed to exposing, stands as a prominent example of the complexities involved. My analysis involved not just identifying the malware's propagation mechanisms and its command and control (C2) infrastructure, but also delving into the social engineering aspects, the financial flows supporting the operation, and, where possible, attributing the activity to specific individuals or groups. This attribution, as I've emphasized, is an art form grounded in evidence, not speculation. It requires connecting dots across a vast digital landscape, correlating forum postings, analyzing leaked chat logs like those from the Conti ransomware gang, examining EXIF data from publicly accessible images, and painstakingly mapping out the relationships between various malicious actors and their infrastructures. 
This often means spending weeks, or even months, monitoring a single threat actor group, tracking their every move, and documenting their activities in detail, as I did with the Koobface botnet over a period of two and a half years, publishing the details on my personal blog. The goal is to create a comprehensive picture that not only reveals what is happening, but how, why, and by whom. 

Beyond botnets, my research has extensively covered the burgeoning "Cybercrime-as-a-Service" (CaaS) model. This commoditization of cybercrime tools and services has dramatically lowered the entry barrier, allowing individuals with limited technical expertise to launch sophisticated attacks. I have profiled numerous offerings in this underground marketplace, including WordPress/Joomla brute-forcing tools, remote access tools (RATs), for which I maintain a technical compilation using public sources, and various other malicious utilities sold or rented on dark web forums and hidden services. Understanding this economy is crucial, as it provides insights into the supply chain of cybercrime, revealing the developers, the vendors, and the customers who fuel this illicit ecosystem. My analyses often involve "exposing the 'Data Leaks' Paradise" where stolen information is traded, monetized, and weaponized. This includes examining specific data breach incidents, such as the Sonatrach data leak or the I-SOON Information Leaks, and identifying the data leak brokers behind them. This work is not just about technical details; it's about understanding the human element, the motivations, and the operational security (OPSEC) practices of these actors. I compile portfolios of active cybercriminal Jabber and XMPP accounts, expose currently active email address portfolios of web site defacement groups, and provide in-depth technical overviews of the Internet-connected infrastructure behind various ransomware groups like Maze and Black Basta. All of this requires a constant, unwavering engagement with the darkest corners of the internet, a place where trust is a luxury and danger is a constant companion. 
The challenges inherent in this work are manifold, ranging from the purely technical, such as bypassing sophisticated anti-analysis techniques or navigating complex anonymization networks, to the deeply personal, including the very real threats to one's safety and well-being that come from shining a light on powerful and often ruthless actors. The very act of "setting them straight in cyberspace" is an invitation for reprisal, a reality that every independent researcher operating in this domain must confront. It is a world dominated by a "countless number of malicious and fraudulent cyber threat actor", and to expose them is to inherently become a target. This understanding has shaped my operational security, my communication strategies, and ultimately, my philosophy on the importance of making research resilient and widely available, a philosophy that directly informs the "DDanchev Leaks." 

The technical depth of my investigations often involves creating comprehensive taxonomies and models of various threat phenomena. For instance, my work on Distributed Denial of Service (DDoS) attacks has involved not just profiling specific "DDoS for hire" services but also understanding the underlying taxonomies of attacks, tools, and countermeasures. This academic rigor, combined with practical, hands-on analysis of live threats, allows for a more holistic understanding of the problem space. I've dissected campaigns like "Operation Ababil," an OSINT analysis provoked by online content, which united actors in an apparent opt-in botnet crowdsourcing effort. I've also explored the intersection of cybercrime with other critical areas, such as SCADA security incidents and critical infrastructure insecurities and even the concept of "virtual jihad" analyzing how these ideologies manifest and operate in cyberspace. My research methodology is heavily reliant on OSINT, which means meticulously sifting through publicly available information – from WHOIS records and DNS data to social media posts, forum discussions, and leaked documents. This often involves developing custom tools and scripts to automate data collection and analysis, enabling me to process large volumes of information efficiently. The aim is always to produce "insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports" because "anticipating the emerging threatscape is what shapes the big picture at the end of the day". This commitment to quality and depth has meant that my blog, "Dancho Danchev's Blog - Mind Streams of Information Security Knowledge", has become a resource for many in the security community, with an overage of , RSS feed subscribers at one point. However, operating as an independent researcher also means operating without the institutional backing and legal protections that larger organizations might offer. 
This independence grants me the freedom to pursue my investigations without constraint, but it also exposes me to greater personal risk. The decision to publish my personal files, therefore, is not just about sharing research; it's about creating a distributed, resilient archive of my work, a safeguard against attempts to erase or silence it. It is a recognition that in the digital age, information is power, and the democratization of that information can be a potent force for good, but also a lightning rod for those who thrive in secrecy. The very nature of my work, which involves "exposing" and "profiling" inherently creates adversaries, and the "DDanchev Leaks" serve as a pre-emptive measure against their potential actions.

The path of an independent cybercrime researcher, particularly one who actively seeks to expose and disrupt the operations of powerful malicious actors, is seldom smooth or safe. It is a path often paved with intimidation, isolation, and direct threats to personal security and liberty. My own journey has been no exception; in fact, it has been a stark illustration of the very real dangers that accompany this line of work. One of the most harrowing experiences, and one that fundamentally reshaped my understanding of the risks involved, occurred in . I simply vanished. For an extended period, my whereabouts were unknown, and genuine concern for my safety mounted within the security community and beyond. The circumstances surrounding my disappearance were, and to some extent remain, shrouded in mystery. I later recounted sending a "mysterious letter" to a friend in the malware-research community around September of that year, a period marking the last known contact before I went silent. This incident was not an isolated event but rather a culmination of pressures and threats likely stemming directly from my research activities, which were increasingly focused on high-profile and, presumably, high-stakes cybercriminal enterprises. The experience of being "missing," of being effectively severed from my digital life and the community I was a part of, was profoundly disorienting and traumatic. It served as a brutal reminder that the adversaries I pursued online were not confined to the digital realm; they had very real capabilities and, potentially, very real intentions to cause physical harm or otherwise neutralize perceived threats. This event, which I later referred to in a blog post titled "How I Got Busted for Loving the U.S in Cyberspace?", highlighted the geopolitical sensitivities that can also come into play. While the specifics of that period are deeply personal and complex, the overarching lesson was clear: my work made me a target. 
This realization necessitates a constant state of vigilance, a robust operational security posture, and, perhaps most importantly, a strategy for ensuring that the research itself – the knowledge painstakingly gathered – can survive even if the researcher is compromised. The "DDanchev Leaks" are, in part, an embodiment of this strategy: a means to decentralize and preserve a body of work that has proven to be controversial enough to elicit such extreme responses. The fear is not abstract; it is a lived experience that continues to inform my decisions and my approach to disseminating information. 

Beyond the acute danger of physical harm, there exists a more pervasive, though perhaps less dramatic, form of adversity: the lack of recognition and, at times, active disregard from established institutions and corporations whose platforms and users are directly impacted by the threats I uncover. A case in point is my extensive research into the Koobface botnet. This botnet specifically targeted users of social networking platforms, notably Facebook (now Meta), infecting millions of machines and generating significant revenue for its operators through fraudulent schemes. My analysis involved deep dives into its C2 infrastructure, propagation methods, and the criminal syndicate behind it. I provided detailed technical breakdowns, identified key components of the operation, and worked towards its disruption. Yet, despite the clear and direct impact on their user base and the potential value of my findings, I was never approached by Facebook for collaboration. My research was never publicly acknowledged by them, nor was I offered any form of compensation or reward for my efforts, which ultimately aided in protecting their ecosystem. This experience is not unique to Facebook; it reflects a broader trend where independent researchers, often operating on limited resources and at significant personal risk, find their contributions overlooked or undervalued by the very entities that stand to benefit most. This lack of acknowledgment is not merely a matter of ego; it has tangible consequences. It can demoralize researchers, deprive them of resources that could allow them to continue their work, and create a disincentive for others to engage in similar public-spirited research. When corporations fail to engage with or acknowledge independent security research, they miss out on valuable intelligence and inadvertently foster an environment where vulnerabilities and threats can persist longer than necessary. 
This dynamic reinforces the sense that independent researchers are often operating on the fringes, fighting an uphill battle not just against cybercriminals, but also against the indifference or bureaucratic inertia of large organizations. It underscores the importance of creating alternative channels for disseminating research and ensuring that it reaches those who can act upon it, irrespective of official recognition or sanction. The "DDanchev Leaks" can be seen as one such alternative channel, a direct line to the public and to other researchers, bypassing traditional gatekeepers. 

Furthermore, the very nature of the work—digging into the operations of criminals, extremists, and potentially state-sponsored actors—means constantly navigating a minefield of disinformation, legal threats, and attempts at character assassination. When you expose powerful actors, they do not simply relent; they fight back. This can manifest in various ways: from legal intimidation tactics designed to silence criticism, to concerted smear campaigns aimed at discrediting the researcher and their findings. I have faced accusations and innuendo, attempts to portray my work as malicious or self-serving, rather than the public service it is intended to be. There's a constant need to defend one's integrity, to meticulously document every step of the research process, and to be prepared for hostile scrutiny. The psychological toll of this should not be underestimated. Living under the constant awareness that you are being watched, that your work is attracting negative attention from dangerous individuals or organizations, and that your reputation is under perpetual assault, can be incredibly draining. It requires a strong sense of purpose and a thick skin to persevere. The "challenges that mirror his professional struggles, such as dissecting complex malware attacks or uncovering sophisticated hacking" are not just technical puzzles; they are deeply intertwined with personal risk and resilience. The decision to compile and release my personal files is, in this context, also an act of defiance. It is a way of saying, "I have nothing to hide." By laying my own data bare, I am preemptively countering attempts to distort my narrative or to use selective information against me. It shifts the dynamic, forcing critics to engage with the full body of my work, rather than relying on out-of-context snippets or fabricated claims. This radical transparency is a powerful tool in an environment where information is so easily weaponized. 
It is a strategy born from necessity, from years of operating in a hostile information ecosystem where truth is often the first casualty. The very act of publishing, of continuing to run my publication since December, 2005 despite these pressures, is a testament to a commitment that transcends the desire for easy recognition or corporate favor. It is a commitment to the broader security community and to the public at large, a commitment to ensuring that the activities of those who would do harm in cyberspace are brought to light. The "DDanchev Leaks" are the latest, and perhaps most comprehensive, manifestation of this enduring commitment.

The decision to consolidate and publicly release a significant portion of my personal research files, communications, and analytical notes under the "DDanchev Leaks" banner on the Distributed Denial of Secrets (DDoSecrets) platform is the culmination of years of reflection on the nature of information, power, and resilience in the digital age. It is a strategic choice, driven by a confluence of motivations that stem directly from my experiences as an independent cybercrime researcher operating in a persistently hostile and often opaque environment. Distributed Denial of Secrets itself is described as a (c)() non-profit journalist collective in the US, dedicated to archiving and publishing hacked and leaked documents in the public interest. They aim to make information accessible and resilient against censorship, often taking on datasets that other platforms might handle differently or refuse, with a stated goal of not acting as censors for data that is already out there. They claim to vet their sources carefully and focus on making information available for journalists and the public, presenting themselves as an alternative to platforms like WikiLeaks, with perhaps a greater emphasis on explaining their standards. Their work includes significant releases like BlueLeaks, a large dataset of internal U.S. law enforcement data and numerous other datasets covering a wide range of topics from corporate malfeasance to international affairs. The rationale for entrusting my personal archive to such an organization is multi-layered, reflecting the core principles that have guided my career: transparency, accountability, and the democratization of intelligence. 

The primary motivation behind the "DDanchev Leaks" is the establishment of an immutable, publicly accessible, and decentralized archive of my research. Over the years, I have accumulated a vast repository of data: detailed analyses of botnet infrastructures, profiles of individual cybercriminals, intelligence on cybercrime-as-a-service offerings, extensive OSINT reports on various threat actors, and countless raw data points that underpin my published findings. This information constitutes not just my life's work, but also a unique historical record of the evolving cyber threat landscape. However, the very nature of this research, which often involves exposing powerful and malicious actors, makes it a target for suppression. My own disappearance in served as a stark reminder of the physical dangers, but there are also digital dangers: servers can be seized, websites can be taken down, and individuals can be silenced through legal or extralegal means. By publishing this archive through DDoSecrets, which operates on principles of resilience and anti-censorship, I am creating a "dead man's switch" of sorts, and more importantly, a living testament that cannot be easily erased. This ensures that the knowledge contained within these files remains available to the public, to other researchers, to journalists, and to law enforcement, long after I am unable or unwilling to maintain it myself. It is an act of digital immortality for my research, born from a deep-seated need to protect the integrity and continuity of the information I have dedicated my life to uncovering. This approach aligns with my long-standing practice of publishing detailed research on my personal blog but takes it a step further by leveraging a platform specifically designed for the robust archiving and dissemination of sensitive data in the public interest. 

A second, equally critical motivation is the assertion of narrative control and a commitment to radical transparency. In an era of rampant disinformation and sophisticated character assassination, the personal files of a prominent researcher can become a weapon. Selective leaks, out-of-context quotes, or fabricated documents can be used to discredit an individual, to undermine their work, or to distract from the substantive issues they raise. I have been subject to such attempts, where my work or my person has been misrepresented. By proactively releasing the entirety of my relevant personal files—within the bounds of operational security and the safety of third parties—I am pre-empting such tactics. This act of self-disclosure is a powerful counter-narrative. It essentially says, "Here is everything. Judge for yourself." It allows others to see the raw data, the thought processes, the correspondence, and the context behind my published analyses. This level of transparency makes it significantly harder for malicious actors to manipulate my story or to use my own information against me. It is an acknowledgment that in the pursuit of truth, the researcher must also be willing to subject themselves to the same scrutiny they apply to others. This is not to say that every single personal document is included; careful curation is necessary to protect sensitive information unrelated to my research or the privacy of innocent individuals. However, the core of my research materials, the evidence that underpins my conclusions, and the communications relevant to my investigations are being made available. This methodology mirrors the evidence-based approach I demand in cyber threat intelligence attribution, extending it to my own practice. The "DDanchev Leaks" are, therefore, not just a data dump; they are a curated, albeit extensive, collection designed to provide maximum transparency and context, allowing for a comprehensive understanding of my work and my motivations. 
This is particularly important given the often sensitive nature of my findings, which can touch upon powerful entities or state-affiliated activities, as hinted at by my participation in a Top Secret GCHQ program to monitor hackers online. Such involvements, while offering unique insights, also increase the potential for mischaracterization or targeted attacks. 

Finally, the "DDanchev Leaks" are intended as a resource for the broader information security community and for the public good. My research has always been driven by a desire to contribute to a safer digital environment. By making my raw data and detailed analyses publicly available, I am providing a rich dataset that others can learn from, build upon, and use to further their own investigations. This is consistent with the open-source intelligence ethos, which believes in the power of collaborative knowledge sharing. The files released may contain leads for ongoing investigations, technical details of novel attack techniques, or insights into the organizational structures of cybercriminal groups that others have not yet uncovered. For example, my detailed OSINT analyses on groups like Conti or Black Basta or my compilations of cybercrime-friendly forum communities could serve as valuable case studies or starting points for other researchers. The hope is that this release will spur further research, lead to new attributions, and ultimately contribute to more effective defenses against cyber threats. It is also a statement about the importance of independent research in an ecosystem increasingly dominated by large corporations and government agencies. By bypassing traditional channels, which as I've experienced with the Koobface research can be slow to acknowledge or act upon external intelligence, I am ensuring that this information reaches a wider audience directly. The methodology involves careful organization of the files, likely thematically or chronologically, to facilitate navigation and analysis. While the raw data is invaluable, providing context, where possible without compromising sources or methods, will also be crucial. This is not about flooding the public with unstructured information; it is about providing a meaningful, searchable, and understandable archive that can serve as a lasting resource. 
The "DDanchev Leaks" are, therefore, a testament to the power of open information, a defense against censorship and intimidation, and a gift to the community of researchers and analysts dedicated to making cyberspace a more transparent and secure domain. They represent the logical extension of a career spent believing that "sharing information about cyber attack campaigns and their perpetrators may be the optimal strategy to shield modern enterprises from the onslaught".

Throughout my career, which has spanned nearly two decades of active engagement in the cybersecurity domain, I have been fortunate enough to contribute to several significant endeavors that have, I believe, had a tangible impact on our understanding of and ability to counter cyber threats. These achievements are not merely accolades; they represent critical milestones in my ongoing effort to illuminate the shadowy operations of malicious actors and to empower the broader security community with actionable intelligence. One of the most prominent among these is my extensive work on the Koobface botnet. Koobface was a particularly insidious piece of malware that propagated primarily through social networking platforms, earning notoriety for its ability to compromise millions of user accounts and generate substantial illicit revenue for its operators through various fraudulent schemes, such as fake antivirus software and pay-per-install scams. My involvement with Koobface was not a fleeting investigation; it was a deep, sustained engagement that lasted for over two and a half years. During this period, I meticulously documented the botnet's architecture, identified its command and control (C&C) servers, tracked its evolution, and worked to attribute the campaign to the individuals and criminal networks behind it. This involved analyzing malware samples, monitoring network traffic, dissecting the social engineering lures used for propagation, and mapping the financial infrastructure used to launder the proceeds. My research, which I published extensively on my blog, provided crucial intelligence that was used by security vendors and law enforcement agencies in their efforts to disrupt the botnet's operations. 
While I never received direct acknowledgment or compensation from the major social media companies whose users were most affected, despite my findings directly contributing to their security posture, the impact of this work is evident in the eventual takedown and sustained disruption of Koobface. This experience solidified my reputation as a tenacious and insightful researcher capable of tackling complex, large-scale cybercriminal operations. It also highlighted the critical role that independent, open-source intelligence can play in the collective fight against cybercrime, a theme that has been consistent throughout my career. The detailed methodologies developed during the Koobface investigation, particularly those related to persistent monitoring, infrastructure attribution, and financial flow tracking, have become standard components of my analytical toolkit, applied to numerous subsequent threats. 

Another significant area of contribution has been in the systematic analysis and exposure of the "Cybercrime-as-a-Service" (CaaS) ecosystem. This underground economy, which provides easy access to sophisticated malware, exploit kits, botnets, and other malicious tools, has been a major driver in the proliferation of cyberattacks. I have dedicated considerable effort to profiling the key players, services, and marketplaces within this ecosystem. This includes identifying and documenting specific "DDoS for hire" services that offered to take down competitor websites for a fee, analyzing brute-forcing and account verification tools used against platforms like WordPress and Joomla, and compiling comprehensive lists of currently active cybercrime-friendly forum communities. My work often involves infiltrating these communities (within ethical and legal boundaries), observing their dynamics, and documenting the services being offered. This intelligence is invaluable for understanding the threat landscape, as it provides insights into the types of attacks being developed, the prices being charged, and the customer base being targeted. For instance, my profiling of Jabber and XMPP accounts used by high-profile cybercriminals helps to map out their communication networks and can lead to further attributions. Similarly, my technical collection rounds for remote access tools (RATs), using only public sources, aim to provide a comprehensive overview of the malware landscape. These efforts contribute to a more proactive defense by enabling security professionals to anticipate emerging threats and to implement countermeasures before they become widespread. The qualitative analyses I've published, such as "Exposing the 'Data Leaks' Paradise", aim to provide a framework for understanding how data breaches are monetized and how the "data leaks" community operates, which is crucial for developing effective response strategies. 
This body of work has established me as a leading expert in the field of cybercrime intelligence gathering and it has been instrumental in raising awareness about the commoditization of cybercrime. 

My contributions have also extended to more formal settings and collaborations. I have had the privilege of presenting my research at various international forums, including at Interpol, where I shared my insights on cyber threats and investigative methodologies with law enforcement officials from around the world. These interactions are vital for bridging the gap between the private research community and public sector agencies, fostering a more collaborative approach to tackling cybercrime. I was also a finalist in the SCMagazine Social Media Awards, which recognized the impact of my online presence and my efforts to disseminate security information through platforms like my blog and Twitter. Such recognitions, while not the primary driver of my work, help to validate the importance of independent research and to amplify its reach. A more unusual, yet significant, aspect of my background is my participation in a Top Secret GCHQ program aimed at monitoring hackers and security experts online. This experience, which I learned about through declassified documents, provided me with a unique perspective on state-level cyber operations and surveillance techniques. It underscored the complex interplay between different actors in cyberspace – from individual hackers to organized crime groups to nation-state intelligence agencies. This understanding has been invaluable in my subsequent research, allowing me to better contextualize the activities I observe and to appreciate the broader geopolitical dimensions of cyber conflict. My early "lawful surveillance" and "lawful interception" experience as a teenage hacker, though informal at the time, laid a foundational understanding of these concepts that would later prove relevant in these more formal contexts. These diverse experiences, from hands-on malware analysis to high-level briefings, have shaped my holistic view of cybersecurity and have enabled me to contribute meaningfully to the field. 
The decision to release the "DDanchev Leaks" is, in many ways, an attempt to ensure that the collective knowledge and insights gained from these achievements are preserved and made accessible for future generations of researchers and defenders. It is about building upon these milestones to create a more resilient and informed global community.

The decision to compile and release my personal research archives as the "DDanchev Leaks" is not an end in itself, but rather a significant inflection point in a journey that has been defined by a relentless pursuit of clarity in an often-obscure digital realm. It is the culmination of years spent wrestling with the inherent tensions of security research: the need for discretion to protect sources and methods, versus the imperative for transparency to foster trust, enable collaboration, and hold malicious actors to account. My experiences, from the early days of exploring the nascent internet's vulnerabilities to the deeply challenging period of my disappearance and the persistent frustration of seeing critical research overlooked by those it most benefits, have all contributed to this profound act of self-disclosure. The "DDanchev Leaks," hosted on a platform like Distributed Denial of Secrets that is explicitly designed to preserve and make available data of public interest, represent a strategic deployment of radical transparency. This is not merely about exposing external threats; it is about turning the researcher's lens inward, offering a comprehensive, unvarnished look at the processes, data, and reasoning that underpin my work. It is an acknowledgment that in an age of information warfare and rampant disinformation, the most potent defense against obfuscation and character assassination is the unflinching presentation of fact, context, and primary source material. 

The motivations driving this release are deeply intertwined with the core tenets that have guided my career. Firstly, there is the imperative of preservation. The knowledge contained within these files represents a significant investment of time, effort, and, at times, personal risk. To allow this corpus of intelligence to be potentially lost, seized, or selectively suppressed would be a disservice not only to my own efforts but to the broader community of researchers, journalists, and defenders who rely on such information to understand and combat cyber threats. By entrusting this archive to a resilient public repository, I am ensuring its longevity and accessibility, creating a resource that can continue to yield insights long after my direct involvement ceases. Secondly, there is the pursuit of narrative integrity. As a researcher who frequently operates at the fringes, exposing powerful and often unscrupulous actors, I have been acutely aware of the potential for my work and my person to be misrepresented or targeted. The "DDanchev Leaks" serve as a pre-emptive corrective, a comprehensive body of evidence that allows others to form their own judgments based on the full record, rather than on selective leaks or malicious rumor. This act of self-vetting, of making my own "mind streams" public, is an attempt to reclaim agency over my narrative and to demonstrate an unwavering commitment to the principles of evidence-based analysis that I demand in my own work. Finally, there is the enduring belief in the power of shared knowledge. My career has been a testament to the value of open-source intelligence and collaborative research. From the detailed dissections of botnets like Koobface to the profiling of cybercrime-as-a-service offerings, my goal has always been to contribute to a collective understanding of the threatscape. 
The "DDanchev Leaks" are the ultimate expression of this philosophy, offering a raw, unfiltered dataset that others can analyze, learn from, and build upon. It is my hope that this release will spur new investigations, validate existing theories, and ultimately contribute to a more secure and transparent digital environment. 

The challenges that have led to this decision – the personal risks, the institutional indifference, the constant battle against disinformation – are not unique to me. They are faced by many independent researchers and whistleblowers who dare to challenge powerful interests. The "DDanchev Leaks" should therefore be seen not just as a personal archive, but as a statement about the importance of protecting and empowering those who work to expose wrongdoing in all its forms. It is an acknowledgment that the current systems for safeguarding such information and its sources are often inadequate, and that new, more resilient models are needed. The use of platforms like Distributed Denial of Secrets represents one such model, leveraging distributed architectures and journalistic principles to ensure that information of public interest remains accessible. This is not without its own complexities and controversies, but in an increasingly hostile information environment, it is a necessary evolution. The future of cybersecurity research will depend on our ability to foster greater transparency, to build more robust mechanisms for sharing intelligence, and to create stronger protections for those who undertake this vital work. The "DDanchev Leaks" are my contribution to this future, a testament to the belief that even in the face of adversity, the pursuit of truth must prevail. The digital ether is vast and often chaotic, but within its depths lie the patterns, the connections, and the evidence that can illuminate even the darkest corners. It is my sincere hope that by making my own "streams of information" a permanent part of this public record, I can help others navigate its complexities and contribute to a safer, more informed world for all. The quest for digital veracity is an ongoing one, and the "DDanchev Leaks" are but one chapter in its unfolding codex.

Biographical links:

https://www.google.com/search?q="dancho+danchev"+"cyber"
https://ddanchev.blogspot.com/
https://twitter.com/dancho_danchev
https://linkedin.com/in/ddanchev
https://www.facebook.com/dancho.danchev.1426/ 
https://en.wikipedia.org/wiki/Draft:Dancho_Danchev
https://archive.org/details/@ddanchev 

Sincerely,

Dancho Danchev

Independent Cybercrime Researcher

Troyan,

Bulgaria

20.09.2025