Saturday, July 27, 2019

Exposing Bulgaria's Largest Data Leak - An OSINT Analysis

I've recently came across to a news article detailing the recently leaked Bulgaria NAP records database and I decided to take a closer look. What does this leak basically constitute? Basically the attacker managed to compromise the security of the Web Site basically leading to a successful extraction of a decent-portion of data which could basically constitute a leak.

NOTE: The data in this analysis has been obtained using public sources.

In this post I'll profile a novice Bulgaria-based cybercriminal that basically managed to obtain access to the database and shared it within several cybercrime-friendly forum communities making it publicly accessible including an in-depth overview of TAD Group which is basically a Bulgaria-based penetration testing company.

Real Name: Daniel Ganchev - Email:

Sample URL of the cybercriminal involved in the campaign:
hxxp:// - Email:;

Instagram Account: hxxp://

Bitcoin address used in the campaign: 3Ex6LeHorgRjkBmws4SsRZ3FXSJDXk5FhP

Sample additional domain known to have been used by the same individual: hxxp://

Related URLs known to have participated in the campaign:

Sample Screenshot of the Original Letter Send to Journalists:

Let's take a closer look at the Bulgaria-based TAD-Group is basically a well-known penetration testing company currently running Bulgaria's largest and most popular hacking forum community - hxxp:// which was recently blamed for Bulgaria's largest database leak in particular its founders and several employees in the context of performing an OSINT analysis basically highlighting some of the key functions of the company and its involvement in the incident.

Sample Company Logo:

Sample Hacking Forum Logo:

Sample Exploits Developed courtesy of the founder of the group:

Sample Photos of TAD Group Employees:

Sample TAD Group Photos:

Related personally identifiable information of TAD members:
Real Name: Ivan Todorov

Related social network accounts:

Sample Bulgaria Leaked Database URL:

Sample Email known to have been used in the campaign:

Sample MD5 known to have been used in the campaign:
MD5: 3125f2f04d3bac84c418ceb321959aba

It's also worth pointing out that I've managed to come across to a fraudulent proposition courtesy of the hxxp:// cybercrime-friendly forum community with the cybercriminal behind it currently soliciting managed hacker-for-hire type of services.

Sample screenshots courtesy of the service:

We'll be keeping an eye on the campaign and we'll post updates as soon as new developments take place.