NOTE: The data in this analysis has been obtained using public sources.
In this post I'll profile a novice Bulgaria-based cybercriminal who managed to obtain access to the database and shared it within several cybercrime-friendly forum communities, making it publicly accessible, and I'll also give an in-depth overview of TAD Group, a Bulgaria-based penetration testing company.
Real Name: Daniel Ganchev - Email: daniel.ganchev@abv.bg
Sample URL of the cybercriminal involved in the campaign:
hxxp://instakilla.com/ - Email: wp@instakilla.com; info@instakilla.com
Instagram Account: hxxp://www.instagram.com/instakilla_/
Bitcoin address used in the campaign: 3Ex6LeHorgRjkBmws4SsRZ3FXSJDXk5FhP
Sample additional domain known to have been used by the same individual: hxxp://209.250.232.143
Related URLs known to have participated in the campaign:
https://instakilla.com/5k.txt
https://instakilla.com/teaser.txt
Sample Screenshot of the Original Letter Sent to Journalists:
Let's take a closer look at the Bulgaria-based TAD Group, a well-known penetration testing company that currently runs Bulgaria's largest and most popular hacking forum community, hxxp://www.xakep.bg, and which was recently blamed, in particular its founders and several employees, for Bulgaria's largest database leak. The OSINT analysis below highlights some of the key functions of the company and its involvement in the incident.
Sample Company Logo:
Sample Exploits Developed courtesy of the founder of the group:
Sample Photos of TAD Group Employees:
Sample TAD Group Photos:
Related personally identifiable information of TAD members:
Real Name: Ivan Todorov
Email: todorov_i@tadgroup.com; todorov_i@subway.bg
Related social network accounts:
hxxp://github.com/chapoblan
hxxp://www.facebook.com/chapoblan/
Sample Bulgaria Leaked Database URL:
hxxp://uploadfiles.io/s1p3gzh8
Sample Email known to have been used in the campaign:
Email: minfin_leak@yandex.ru
Sample MD5 known to have been used in the campaign:
MD5: 3125f2f04d3bac84c418ceb321959aba
It's also worth pointing out that I've come across a fraudulent proposition on the hxxp://www.xakep.bg cybercrime-friendly forum community, where the cybercriminal behind it is currently soliciting managed hacker-for-hire type services.
Sample screenshots courtesy of the service:
We'll be keeping an eye on the campaign and we'll post updates as soon as new developments take place.