Exposing the Darkode Forum Bust and the Associated Individuals Behind It - Or How I Almost Got Kidnapped? - An OSINT Analysis

I've decided to share with everyone an in-depth analysis and assessment using public sources that basically exposes key members of the Darkode forum community who actually ordered a hitman for me for the price of $10,000 back in 2010 prior to my illegal arrest and kidnapping attempt.

In this post I'll provide actionable intelligence on their online whereabouts with the idea to assist U.S Law Enforcement on its way to track down monitor and prosecute the cybercriminals behind these campaigns.

Sample Darkode forum domains active at the time:

hxxp://darkode.com - briankrebson@gmail.com

hxxp://darkode.pro

hxxp://darkode.com

hxxp://darkode.me

hxxp://darkode.cc

hxxp://darkode.su - Email: ctouma2@gmail.com

Sample names of key members of the Darkode forum community:

Johan Anders Gudmunds

Morgan C Culbertson

Eric L Crocker

Naveed Ahmed

Phillip R Fleitz

Dewayne Watts

Murtaza Saifuddin

Daniel Placek

Matjaz Skorjanc

Florencio Carro Ruiz

Mentor Leniqi

Rory Stephen Guidry - k@exploit.im

Sample personally identifiable information on key members of the Darkode forum community:

hotcoffeecup@jaim.at

s3x@neko.im

Arcore@jabber.org

sana@thesecure.biz

silic0n@jabber.org

split@thesecure.biz

ihack@thesecure.biz

systro@jabber.org

mafioso@xmpp.jp

zer0day@xmpp.jp

c4rl0s@jabber.ru

ipwn@cih.ms

h0tsh0t@jodo.im

jumbie@jabber.ru

off-sho.re@jabber.vc

x0x@jabba.biz

bestkrypt@rkquery.de bestkrypt - Email: annabellablibgs@hotmail.com - Email: apetrovskiy@evermail.org

elzig@exploit.im

na@exploit.im

m3gatr0n@jabber.ru

nassef@thesecure.biz

teardrop@swissjabber.ch

gamoonty@xmpp.jp

mojitka@jabber.org

the_bond@jabber.org

rzor@jabber.org

x47@xmpp.jp

mrborisb@xmpp.jp borisb

RG.JR9@thesecure.biz

zigma@jabber.org

propack@neko.im

dilibau@qip.ru

r3vproxy@jabber.org

synthetic@exploit.im

ling0@jabber.ru

Including the following C&C domains that were registered at the time:

upaskitv1.org - Email: jgou.veia@gmail.com

xylibox.biz

krebsonsecurity.biz

upaskitversion1.biz

stevenk.biz

briankrebs.biz

upaskit1.biz

researchsecurity.biz

securityresearch.biz

amatrosov.biz

Related C&C server domains that are known to have been registered at the time:

upasdomination.ru

exposedbotnets.ru

researchsecurity.biz

Related C&C server domains known to have been registered at the time:

hfgfr56745fg.com - 80.82.66.204

Sample personal photos of key members of the Darkode forum community that were basically responsible for ordering a hitman to look for me for the price of $10,000 and actively communicated between each other during my disappearance and kidnapping attempt: 

 

Stay tuned!

My Official Dark Web Onion Web Site - Now Publicly Accessible!

Dear blog readers,

I've decided to make my official Dark Web Onion - http://aklw6fojficmu3zqsdsffprbas3kqrheej4ntvynfl5xkrjpqhlq55yd.onion/ publicly accessible using a clearnet URL which means that now you can access my daily updated Dark Web Onion using a clearnet URL - https://ddanchev-darkweb-onion.eu.ngrok.io

Stay tuned! 

Deep from the Trenches in Bulgaria! - Part Five

define:moronic

Thanks, but, no thanks.

Sample document courtesy of my homeland Bulgaria courtesy of Bulgarian Law Enforcement who kidnapped and home molested me and basically robbed me of $85,000 five years later after my illegal arrest and kidnapping attempt circa 2010:

Stay tuned!

Profiling a Currently Active Brian Krebs Themed Online E-Shop for Stolen Credit Cards - An OSINT Analysis

I've recently came across to a pretty interesting Brian Krebs themed E-Shop for stolen credit cards information and I've decided to share with everyone actionable intelligence with the idea to assist everyone with their cyber attack attribution campaigns.

Sample related malicious domains known to have been involved in the campaign: 

hxxp://briankrebs.at

hxxp://briankrebs.cm

Stay tuned!

Profiling the Omerta Cybercrime-Friendly Forum Community - An OSINT Analysis

In this post I've decided to share with everyone actionable intelligence regarding the infamous cybercrime-friendly forum community known as Omerta with the idea to assist everyone with their cyber attack attribution campaigns. 

Related personal emails known to have been involved in the campaign:

omerta.sup@gmail.com

suppa.sale@gmail.com

Sample related Omerta cybercrime-friendly forum domains known to have participated in the campaign:

hxxp://omerta.cc

hxxp://omerta.wf

hxxp://omerta.ws

hxxp://omerta.mn

hxxp://omerta.cx

hxxp://omerta.ms

hxxp://omerta.vc

hxxp://omertadns.biz

hxxp://cc101.biz

hxxp://omerta.vc

hxxp://omerta.mn

hxxp://monodsp.xyz

hxxp://gipertorrent.com

hxxp://securetheborder.us

hxxp://autorsite.com

hxxp://rtk.expert

hxxp://seoptex.com

hxxp://buybestdumps.biz

hxxp://buy-dumps-online.com

hxxp://7ap.biz

hxxp://buy-dumps-online.com

hxxp://mediation-plus-coaching.com

hxxp://2tracks.biz

hxxp://bestdumps.biz

Stay tuned!

Exposing "Moses Staff" Data Leaks Gang - An OSINT Analysis

I've recently came across to a currently active data leaks campaign launched by a newly formed hacking and data leaks group and I've decided to share with everyone an in-depth technical and relevant OSINT analysis with the idea to assist everyone with their cyber attack attribution campaigns.

Sample related domains known to have been involved in the campaign:

https://moses-staff.se

http://mosesstaffm7hptp.onion

https://t.me/Moses_staff_se

https://twitter.com/moses_staff_se

Sample related IPs known to have been involved in the campaign:

185.206.180.138

95.169.196.52

Stay tuned!

Massive "Facebook Appeal" Themed Phishing Campaign Uses Google's Firebase Spotted in the Wild - An OSINT Analysis

I just came across to a currently active phishing campaign that's using Google's Firebase as a hosting infrastructure for the purpose of enticing users into falling victim into a rogue and fake "Facebook Appeal" themed phishing campaign.

You can check out my initial analysis at my official Dark Web Onion here as my initial post got censored by Google as it violates its Terms of Service.

Sample malicious and rogue phishing domains known to have been involved in the campaign:

hxxp://publicaccount-facebook-46956.web.app

hxxp://publicappeal-348239237392.web.app

hxxp://publicappeal-9344858302239.web.app

hxxp://publicappeal-facebook.web.app

hxxp://publicappeal-form-fb-copyright102872.web.app

hxxp://publicappeal-form-fb-copyright104352.web.app

hxxp://publicappeal-form-fb-copyright119275.web.app

hxxp://publicappeal-form-fb-copyright126776.web.app

hxxp://publicappeal-form-fb-copyright171651.web.app

hxxp://publicappeal-form-fb-copyright18251.web.app

hxxp://publicappeal-form-fb-copyright18258.web.app

hxxp://publicappeal-form-fb-copyright18274.web.app

hxxp://publicappeal-form-fb-copyright18275.web.app

hxxp://publicappeal-form-fb-copyright182755.web.app

hxxp://publicappeal-form-fb-copyright18721.web.app

hxxp://publicappeal-form-fb-copyright187265.web.app

hxxp://publicappeal-form-fb-copyright187285.web.app

hxxp://publicappeal-form-fb-copyright18762.web.app

hxxp://publicappeal-form-fb-copyright19285.web.app

hxxp://publicappeal-form-fb-copyright19827.web.app

hxxp://publicappeal-form-fb-copyright981725.web.app

hxxp://publicappeal-form-page-unpublish1897.web.app

hxxp://publicappeal-from-fb-copyright12352.web.app

hxxp://publicappeal-from-fb-copyright12857.web.app

hxxp://publicappeal-page-unpublish-1827589.web.app

hxxp://publicappeal-page-unpublish1107276.web.app

hxxp://publicappeal-page-unpublish118172861.web.app

hxxp://publicappeal-page-unpublish18275.web.app

hxxp://publicappeal-page-unpublish182758.web.app

hxxp://publicappeal-page-unpublish1827586.web.app

hxxp://publicappeal-page-unpublish1827588.web.app

hxxp://publicappeal-page-unpublish182759.web.app

hxxp://publicappeal-page-unpublish18278652.web.app

hxxp://publicappeal-page-unpublish1827890.web.app

hxxp://publicappeal-page-unpublish187-36ac4.web.app

hxxp://publicappeal-page-unpublish187265.web.app

hxxp://publicappeal-page-unpublish18769.web.app

hxxp://publicappeal-page-unpublish1906392.web.app

hxxp://publicbusiness-appeal-form-129862.web.app

hxxp://publicbusiness-appeal-form125921.web.app

hxxp://publicfacebookappeal110631.web.app

hxxp://publicfb-appeal-form-29997.web.app

hxxp://publicfb-appeal-form-70f46.web.app

hxxp://publicfb-appeal-form-791bd.web.app

hxxp://publicfb-appeal-form-8276f.web.app

hxxp://publichouse-h3.web.app

hxxp://publicpage-appeal-unpublish1253631.web.app

hxxp://publicproject-8595314475285305009.web.app

hxxp://publicrestriction-appeal-business128.web.app

hxxp://publicreview2024545897534.web.app

Stay tuned!

From China With "Love" - Exposing the HKLeaks Propaganda Campaign - An OSINT Analysis

I've recently came across to a currently active information warfare operation propaganda campaign courtesy of China that somehow aims to successfully identify protesters using a variety of "leak" based Web sites.

In this analysis I'll provide actionable intelligence on the whereabouts of the individuals behind these campaigns and offer an in-depth technical discussion on their online whereabouts.

Based on a variety of publicly accessible sources including the use of  WhoisXML API's WHOIS database I've managed to find the following domains which are known to have been involved in the campaign including one personally identifiable email address which could lead to possible cyber campaign attribution campaigns.

Sample domains known to have been involved in the HKLeaks information warfare propaganda campaign:

hxxp://hkleaks.pk

hxxp://hkleaks.ru

hxxp://hkleaks.pk

hxxp://hkleaks.tj

hxxp://hkleaks.ml - Email: spiker@elude.in

hxxp://hkleaks.af

hxxp://hkleaks.cc

hxxp://hkleaks.pw

hxxp://hkleaks.kz

hxxp://hkleaks.kg

Sample email address accounts known to have been involved in the campaign:

hkleaks@yandex.com

hongkongmob@163.com

Hongkongmob@protonmail.com

hongkongmob@yandex.com

Sample responding IPs known to have been involved in the campaign:

185.178.208.132

185.178.208.152

96.126.123.244

194.58.112.174

45.33.18.44

45.33.23.183

72.14.178.174

186.2.163.203

45.33.20.235

72.14.185.43

173.255.194.134

45.79.19.196

186.2.163.140

45.56.79.23

186.2.163.60

186.2.163.7

45.33.2.79

186.2.163.210

198.58.118.167

185.53.177.31

45.33.30.197

186.2.163.216

Sample related photos from the HKLeaks information warfare online propaganda campaign:

Stay tuned!

Introducing Dancho Danchev's "Intelligence Community" 2.0 Dark Web Onion - Exclusive Content Available!

 

Dear blog readers,

It's been approximately 12 years since I've originally launched my Dancho Danchev's Blog - Mind Streams of Information Security Knowledge blog which quickly became one of the security industry's leading publications and since I've recently received quite a few censorship attempts that basically say that some of my research violates Google's Terms of Service I've decided to migrate my personal blog including to resume my research at the official Dark Web Onion for this blog which is:

• http://aklw6fojficmu3zqsdsffprbas3kqrheej4ntvynfl5xkrjpqhlq55yd.onion

and therefore I've decided that this is my last post on my personal Dancho Danchev's Blog.

Users and readers interested in continuing to follow my research can grab the Tor browser and visit - http://aklw6fojficmu3zqsdsffprbas3kqrheej4ntvynfl5xkrjpqhlq55yd.onion where I'll ensure that I'll be posting high-quality and never-published and discussed before research and OSINT type of analysis.

Sample screenshots from my "Intelligence Community" 2.0 Dark Web Onion blog:

Sample content which you can find at the Dark Web Onion:

• A Compilation of Currently Active and Related Scams Scammer Email Addresses – An OSINT Analysis
• A Compilation of Currently Active Cyber Jihad Themed Personal Email Addresses – An OSINT Analysis
• A Compilation of Currently Active Full Offline Copies of Cybercrime-Friendly Forum Communities – Direct Technical Collection Download -[RAR]
• A Compilation of Personally Identifiable Information on Various Iran-based Hacker Groups and Lone Hacker Teams – Direct Technical Collection Download – [RAR]
• A Koobface Botnet Themed Infographic Courtesy of my Keynote at CyberCamp – A Photo
• Advanced Bulletproof Malicious Infrastructure Investigation – WhoisXML API Analysis
• Advanced Mapping and Reconnaissance of Botnet Command and Control Infrastructure using Hostinger’s Legitimate Infrastructure – WhoisXML API Analysis
• Advanced Mapping and Reconnaissance of the Emotet Botnet – WhoisXML API Analysis
• Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran – Free Research Report
• Astalavista Security Newsletter - 2003-2006 - Full Offline Reading Copy
• Compilations of Personally Identifiable Information Including XMPP/Jabber and Personal Emails Belonging to Cybercriminals and Malicious Threat Actors Internationally – An OSINT Analysis
• Cyber Intelligence – Personal Memoir – Dancho Danchev – – Download Free Copy Today!
• Cybercriminals Impersonate Legitimate Security Researcher Launch a Typosquatting C&C Server Campaign – WhoisXML API Analysis
• Dancho Danchev – Cyber Intelligence – Personal Memoir – Direct Download Copy Available
• Dancho Danchev’s “A Qualitative and Technical Collection OSINT-Enriched Analysis of the Iranian Hacking Scene Through the Prism of the Infamous Ashiyane Digital Security Team” Report – [PDF]
• Dancho Danchev’s “Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran” Report – [PDF]
• Dancho Danchev’s “Astalavista Security Group – Investment Proposal” Presentation – A Photos Compilation
• Dancho Danchev’s “Building and Implementing a Successful Information Security Policy” White Paper – [PDF]
• Dancho Danchev’s “Cyber Jihad vs Cyberterrorim – Separating Hype from Reality” Presentation – [PDF]
• Dancho Danchev’s “Cyber Jihad vs Cyberterrorism – Separating Hype from Reality – A Photos Compilation
• Dancho Danchev’s “Exposing Koobface – The World’s Largest Botnet” Presentation – A Photos Compilation
• Dancho Danchev’s “Exposing Koobface – The World’s Largest Botnet” Presentation – [PDF]
• Dancho Danchev’s “Exposing the Dynamic Money Mule Recruitment Ecosystem” Presentation – A Photos Compilation
• Dancho Danchev’s “Exposing the Dynamic Money Mule Recruitment Ecosystem” Presentation – [PDF]
• Dancho Danchev’s “Intell on the Criminal Underground – Who’s Who in Cybercrime for ” Presentation – [PDF]
• Dancho Danchev’s “Intell on the Criminal Underground – Who’s Who in Cybercrime for ?” – A Photos Compilation
• Dancho Danchev’s – Cybercrime Forum Data Set – Free Direct Technical Collection Download Available – GB – [RAR]
• Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
• Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
• Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
• Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
• Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
• Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
• Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
• Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
• Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
• Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
• Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
• Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
• Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
• Dancho Danchev’s Blog – Full Offline Copy Available – Volume – [PDF]
• Dancho Danchev’s Comeback Livestream Today – Join me on Facebook Live!
• Dancho Danchev’s CV – Direct Download Copy Available
• Dancho Danchev’s Cybercrime Forum Data Set for – Upcoming Direct Technical Collection Download Available
• Dancho Danchev’s Primary Contact Points for this Project – Email/XMPP/Jabber/OMEMO and PGP Key Accounts
• Dancho Danchev’s Privacy and Security Research Compilation – Medium Account Research Compilation – [PDF]
• Dancho Danchev’s Private Party Videos – Direct Video Download Available
• Dancho Danchev’s Private Party Videos – Part Three – Direct Video Download Available
• Dancho Danchev’s Private Party Videos – Part Two – Direct Video Download Available
• Dancho Danchev’s Random Conference and Event Photos – A Compilation
• Dancho Danchev’s Random Personal Photos and Research Photos Compilation – A Compilation
• Dancho Danchev’s Research for Unit-.org – Direct Download Copy Available
• Dancho Danchev’s Research for Webroot – Direct Download Copy Available
• Dancho Danchev’s RSA Europe Conference Event Photos – A Photos Compilation
• Dancho Danchev’s Security Articles and Research for ZDNet’s Zero Day Blog – Full Offline Copy Available – [PDF]
• Dancho Danchev’s Security/OSINT/Cybercrime Research and Threat Intelligence Gathering Research Compilations – [PDF]
• Dancho Danchev’s Twitter Archive – Direct Download – [ZIP]
• Dancho Danchev’s Upcoming Cybercrime Research OSINT and Threat Intelligence Gathering E-Book Titles – Sample E-Book Covers
• Dancho Danchev’s Video Keynote Presentation – “Exposing Koobface – The World’s Largest Botnet” – Video Download Available
• Dancho Danchev’s Random Personal Photos and Research Photos Compilation – Part Three – A Compilation
• Dancho Danchev’s Random Personal Photos and Research Photos Compilation – Part Two – A Compilation
• Exposing A Virus Coding Group – An OSINT Analysis
• Exposing a Boutique Fraudulent and Rogue Cybercrime-Friendly Forum Community – WhoisXML API Analysis
• Exposing a Currently Active “Jabber ZeuS” also known as “Aqua ZeuS” Gang Personal Email Portfolio – An OSINT Analysis
• Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains Portfolio – An OSINT Analysis
• Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains Portfolio – Part Two – An OSINT Analysis
• Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains Portfolio – Part Four – An OSINT Analysis
• Exposing a Currently Active CoolWebSearch Rogue and Malicious Domains Portfolio – Part Three – An OSINT Analysis
• Exposing a Currently Active CoolWebSearch Rogue and Malicious IPs Portfolio – An OSINT Analysis
• Exposing a Currently Active CoolWebSearch Rogue and Malicious IPs Portfolio – Part Two – An OSINT Analysis
• Exposing a Currently Active Cyber Jihad Domain Portfolio – An OSINT Analysis
• Exposing a Currently Active Cyber Jihad Domains Portfolio – WhoisXML API Analysis
• Exposing a Currently Active Cyber Jihad Social Media Twitter Accounts – An OSINT Analysis
• Exposing a Currently Active Domain Portfolio Belonging to Iran’s Mabna Hackers – An OSINT Analysis
• Exposing a Currently Active Domain Portfolio Managed and Operated by Members of the Ashiyane Digital Security Team – WhoisXML API Analysis
• Exposing a Currently Active Domain Portfolio of Currently Active High-Profile Cybercriminals Internationally – WhoisXML API Analysis
• Exposing A Currently Active Domain Portfolio of Cybercrime Friendly Forum Communities – An OSINT Analysis
• Exposing A Currently Active Domain Portfolio of Cybercrime Friendly Forum Communities – Part Two – An 
• OSINT Analysis
• Exposing A Currently Active Domain Portfolio of Cybercrime Friendly Forum Communities – Part Three – An 
• OSINT Analysis
• Exposing a Currently Active Domain Portfolio of Tech Support Scam Domains – An OSINT Analysis
• Exposing a Currently Active Free Rogue VPN Domains Portfolio Courtesy of the NSA – WhoisXML API Analysis
• Exposing a Currently Active Iran-Based Lone Hacker and Hacker Group’s Personal Web Sites Full Offline Copies – Direct Technical Collection Download – [RAR]
• Exposing a Currently Active Kaseya Ransomware Domains Portfolio – WhoisXML API Analysis
• Exposing a Currently Active Koobface Botnet C&C Server Domains Portfolio – Historical OSINT
• Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s Handles – An OSINT Analysis
• Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s Handles – Part Two – An OSINT Analysis
• Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s Handles – Part Three – An OSINT Analysis
• Exposing a Currently Active List of Iran-Based Hacker and Hacker Team’s Handles – Part Two – An OSINT Analysis
• Exposing a Currently Active Money Mule Recruitment Domain Registrant Portfolio – Historical OSINT
• Exposing a Currently Active NSO Spyware Group’s Domain Portfolio – WhoisXML API Analysis
• Exposing a Currently Active Portfolio of Personal Web Sites Belonging to Iran-Based Hackers and Hacking Teams and Groups – An OSINT Analysis
• Exposing a Currently Active Portfolio of Personal Web Sites Belonging to Iran-Based Hackers and Hacking Teams and Groups – Part Two – An OSINT Analysis
• Exposing a Currently Active Portfolio of Ransomware-Themed Protonmail Personal Email Address Accounts – An OSINT Analysis
• Exposing a Currently Active Portfolio of RAT (Remote Access Tool) C&C Server IPs and Domains – An OSINT Analysis
• Exposing a Currently Active Rock Phish Domain Portfolio – Historical OSINT
• Exposing a Currently Active SolarWinds Rogue and Malicious C&C Domains Portfolio – An OSINT Analysis
• Exposing a Currently Active WannaCry Ransomware Domains Portfolio – WhoisXML API Analysis
• Exposing a Personal Photo Portfolio of Iran Hack Security Team – An OSINT Analysis
• Exposing A Personal Photos Portfolio of Ashiyane Digital Security Group Team Members – An OSINT Analysis
• Exposing a Personal Ransomware-Themed Email Address Portfolio – An OSINT Analysis
• Exposing a Personal Ransomware-Themed Email Address Portfolio – Part Two – An OSINT Analysis
• Exposing a Portfolio of Ashiyane Digital Security Team Hacking Tools – Direct Technical Collection Download – [RAR]
• Exposing a Portfolio of Personal Photos of Iran-Based Hacker and Hacker Teams and Groups – An OSINT Analysis
• Exposing a Rogue Domain Portfolio of Fake News Sites – WhoisXML API Analysis
• Exposing Bulgarian Cyber Army Hacking Group – An OSINT Analysis
• Exposing HackPhreak Hacking Group – An OSINT Analysis
• Exposing Personally Identifiable Information on Ashiyane Digital Security Group Team Members – An OSINT Analysis
• Exposing Random Koobface Botnet Related Screenshots – An OSINT Analysis
• Exposing Team Code Zero Hacking Group – An OSINT Analysis
• From the “Definitely Busted” Department – A Compilation of Personally Identifiable Information on Various Cyber Threat Actors Internationally – An OSINT Analysis – [PDF]
• Introducing Astalavista.box.sk’s “Threat Crawler” Project – Earn Cryptocurrency for Catching the Bad Guys – Hardware Version Available
• Introducing Dancho Danchevs’s “Blog” Android Mobile Application – Google Play Version Available
• Malware – Future Trends – Research Paper – Copy
• Person on the U.S Secret Service Most Wanted Cybercriminals Identified Runs a Black Energy DDoS Botnet – 
• WhoisXML API
• Profiling a Currently Active CoolWebSearch Domains Portfolio – WhoisXML API Analysis
• Profiling a Currently Active Domain Portfolio of Fake Job Proposition and Pharmaceutical Scam Domains – An OSINT Analysis
• Profiling a Currently Active Domain Portfolio of Pay-Per-Install Rogue and Fraudulent Affiliate Network Domains – An OSINT Analysis
• Profiling a Currently Active Personal Email Address Portfolio of Members of Iran’s Ashiyane Digital Security Team – An OSINT Analysis
• Profiling a Currently Active Personal Email Addresses Portfolio Operated by Cybercriminals Internationally – An OSINT Analysis
• Profiling a Currently Active Portfolio of Rogue and Malicious Domains – An OSINT Analysis
• Profiling a Currently Active Portfolio of Scareware and Malicious Domain Registrants – Historical OSINT
• Profiling a Currently Active Portfolio of Scareware Domains – Historical OSINT
• Profiling a Currently Active Portfolio of Spam Domains that Hit ZDNet.com Circa – An OSINT Analysis
• Profiling a Currently Active Scareware Domains Portfolio – An OSINT Analysis
• Profiling a Money Mule Recruitment Registrant Emails Portfolio – WhoisXML API Analysis
• Profiling a Portfolio of Cybercriminal Email Addresses – WhoisXML API Analysis
• Profiling a Portfolio of Personal Photos Courtesy of Koobface Botnet Master Anton Korotchenko – An OSINT Analysis
• Profiling a Portfolio of Personal Photos of Behrooz Kamalian Team Member of Ashiyane Digital Security Team – An OSINT Analysis
• Profiling a Portfolio of Personally Identifiable OSINT Artifacts from Law Enforcement and OSINT Operation “Uncle George” – An OSINT Analysis
• Profiling a Rogue Fast-Flux Botnet Infrastructure Currently Hosting Multiple Online Cybercrime Enterprises – WhoisXML API Analysis
• Profiling Iran’s Hacking Scene Using Maltego – A Practical Case Study and a Qualitative Approach – An Analysis
• Profiling Russia’s U.S Election Interference – WhoisXML API Analysis
• Profiling the “Jabber ZeuS” Rogue Botnet Enterprise – WhoisXML API Analysis
• Profiling the Emotet Botnet C&C Infrastructure – An OSINT Analysis
• Profiling the Internet Connected Infrastructure of the Individuals on the U.S Sanctions List –WhoisXML API Analysis
• Profiling the Liberty Front Press Network Online – WhoisXML API Analysis
• Profiling the U.S Election Interference – An OSINT Analysis
• Random Photos from the “Lab” Circa up to Present Day – A Compilation
• Sample Random Cybercrime Ecosystem Screenshots – A Compilation of Images – Direct Technical Collection Download – An Analysis
• Sample Random Cybercrime Ecosystem Screenshots – A Compilation of , Images – An Analysis
• Sample Random Cybercrime Ecosystem Screenshots – A Compilation of , Images – An Analysis
• Sample Random Cybercrime Ecosystem Screenshots – A Compilation of Images – An Analysis
• Security Researchers Targeted in Spear Phishing Campaign – WhoisXML API Analysis
• Shots from the Wild West – Random Cybercrime Ecosystem Screenshots – An OSINT Analysis – Part Three
• The Pareto Botnet – Advanced Cross-Platform Android Malware Using Amazon AWS Spotted in the Wild – WhoisXML API Analysis
• Who’s Behind the Conficker Botnet? – WhoisXML API Analysis
• Who’s on Twitter?

Stay tuned!

Massive Phishing Campaign Domain Farm Spotted in the Wild Uses Google's Firebase Thousands of Users Affected - An OSINT Analysis

I've just stumbled across a pretty decent and massive phishing domains farm that using Google's for the purpose of hosting and distributing the rogue and malicious content.

In this post I'll provide actionable intelligence on the infrastructure behind it including to discuss in-depth the TTPs (Tactics Techniques and Procedures) of the cybercriminals behind it.

Sample rogue and malicious URL known to have participated in the campaign:

hxxp://js-82wha8sw738.web.app/sc/css.css

Sample malicious and rogue responding IPs known to have participated in the campaign:

199.36.158.100

151.101.1.195

151.101.65.195

Sample screenshots of the rogue and malicious phishing domains known to have been involved in the campaign:

Sample rogue and malicious phishing domain portfolio known to have participated in the campaign:

0000.firebaseapp.com

02a8.web.app

11spielmacherbeta.firebaseapp.com

131023.firebaseapp.com

144110.firebaseapp.com

1493735036650.firebaseapp.com

164200.firebaseapp.com

177010.firebaseapp.com

177610.firebaseapp.com

17cc7.firebaseapp.com

212820.firebaseapp.com

abmay-d9b3b.web.app

abmay2-4abdf.web.app

adamlouie-c87d1.firebaseapp.com

adda-fenase.web.app

admininstatiles-5e702.firebaseapp.com

ads-restricted-id.web.app

aglae-f0665.firebaseapp.com

ahwma-de0bf.web.app

airbnb-70aba.firebaseapp.com

ajarwebsite-7d033.firebaseapp.com

all-scanner-cdf80.web.app

amao-dc021.web.app

ambitowebapp-2e394.firebaseapp.com

analytics-6a184.firebaseapp.com

angular2-hn.firebaseapp.com

angular7firestore-155e4.firebaseapp.com

aniapp-7ddc2.firebaseapp.com

anna-prone.web.app

api-project-723816548444.firebaseapp.com

appeal-form-fb-copyright102872.web.app

appeal-form-fb-copyright18258.web.app

appeal-form-fb-copyright187265.web.app

appeal-page-unpublish-1827589.web.app

appeal-page-unpublish1107276.web.app

appeal-page-unpublish118172861.web.app

appeal-page-unpublish18275.web.app

appeal-page-unpublish182758.web.app

appeal-page-unpublish1827586.web.app

appeal-page-unpublish182759.web.app

appeal-page-unpublish18278652.web.app

appeal-page-unpublish1827890.web.app

appeal-page-unpublish187-36ac4.web.app

appeal-page-unpublish18769.web.app

appemailhostingcha2.web.app

appy-760b5.firebaseapp.com

ararestaurant1.firebaseapp.com

arco-website-f9750.firebaseapp.com

aruba-postmaster-info.web.app

asmorx-1f6a2.web.app

asna-mod.web.app

ass-mote.web.app

asse-mofe.web.app

assets-0l61.firebaseapp.com

atarashii-atsui.web.app

au-ma-di.web.app

aude-mofe.web.app

audiscover-owawebapplications.web.app

auri-mo-da.web.app

auth-task1-m.web.app

auth20-outlook.web.app

authdemo-177a0.firebaseapp.com

authenticationuchu23.web.app

baffe-level.web.app

bandspace-console.web.app

baren-od.web.app

battle-22f22.firebaseapp.com

benali-acbe6.web.app

bestofjs-api-v1.firebaseapp.com

bi-1020101000x0.web.app

bigbt-aten.web.app

bingbrossvocalintel.web.app

bitbaink.web.app

bithunnb.web.app

bjqrasuoup.web.app

blockchain-assets-protection.web.app

blockchain-recovery-dda4d.web.app

bmazy2-0.web.app

bnp-verifi.web.app

boma-ren.firebaseapp.com

booking-hotesses-d7920.firebaseapp.com

bred-authentification-97-7.web.app

buten-dare.web.app

bzbikeruko.web.app

ca-regionale-department-a.web.app

cabs-ole.web.app

cadeau-par-plaisir.web.app

cale-mothe.web.app

camoam-d97a4.web.app

case-ofa.web.app

case100091254778.web.app

caseforpage100089481844.web.app

caseforpages100049151.web.app

caseforpages108412.web.app

caseforpages1885777.web.app

caseforpages1888888.web.app

caseforpages55222.web.app

caseforpages777422.web.app

caseforpages88174714.web.app

caten-opa.web.app

cau-quate.web.app

cen-kenase.web.app

cenle-one.web.app

centre-telephoneproinfo.web.app

chargement-service.web.app

chat-b2982.firebaseapp.com

chat-finpolo.firebaseapp.com

checkmailsawo5.web.app

checkmessagerievocalewebtel.web.app

checksweetmail6.web.app

cinhatena.web.app

cloud-space-auth-service.web.app

clouddoc-authorize.firebaseapp.com

club-note-vocale.web.app

code-mesme.web.app

cogne-menta.web.app

cojet-mole.web.app

cokade-made.firebaseapp.com

colimat-done.web.app

colo-mate.web.app

comasse-unade.web.app

come-measa.web.app

companyemailresync1.web.app

con-firma.firebaseapp.com

cones-dore.web.app

conh-ma.web.app

cop-ado.web.app

cope-ilna.web.app

cora-gas-me.web.app

cphost-7edd4.web.app

crawer-sur.web.app

credit-et-assurance07.web.app

cres-mate.web.app

crime-aune.web.app

crive-cible.web.app

csen-ted.web.app

d-validate.web.app

d3iioor0753gvdbfewypqb64.web.app

daisma-e7e6c.web.app

darrin-pendleton-j5286.web.app

dc4u-6e803.firebaseapp.com

decdo-chat2.firebaseapp.com

demachatendi36.web.app

demoitau-d3428.web.app

denabere-2c382.web.app

digital-book-9f870.firebaseapp.com

dmacenda.web.app

docsharex-authorize.firebaseapp.com

docuproject39-277-383-files.firebaseapp.com

dope-ufen.web.app

downloadfreeebookspdf-6e806.firebaseapp.com

downloadpdfreader-d7702.firebaseapp.com

drafty-43c88.firebaseapp.com

driveintuksouteast-falcaopla.web.app

dropdocument-c3829.web.app

dskdirect-5ba26.web.app

dw-website-fbc19.firebaseapp.com

eagle10.firebaseapp.com

ebookwngfgewarwle.web.app

edret-tropm.web.app

efetgreds.web.app

eins-done.web.app

eleven-bot-399b7.web.app

elimu-c1a38.firebaseapp.com

email-mweb-co-za-zimbra-1.firebaseapp.com

email-update-verify.web.app

email-verificationservices365.web.app

empacte-do.web.app

ems-obe.web.app

emsi-lobo.firebaseapp.com

end-losup.web.app

erfders-f6013.web.app

esote-mode.web.app

exness-mobile.web.app

explore-wetriansfering-web.web.app

exposedacne.web.app

f0ldgonn.firebaseapp.com

facebook-appeal1749902610052.web.app

facebook-appelcase32q1.web.app

facebookappeal-case10351001.web.app

facebookappealcase1884888444.web.app

facebookappealcase7174747444.web.app

facebookcase187444441.web.app

facebookcase188444.web.app

fares-one.web.app

fb-appeal-form-70f46.web.app

fb-appeal-form-791bd.web.app

fb-restricted-d12c2.web.app

fbappealform13111.web.app

fbforpages1848151.web.app

fbmail-case199418414.web.app

fbmail-pages100049194.web.app

fbpages-case10004915.web.app

fema-tode.web.app

fetfetaa-81119.web.app

fines-gining.web.app

firtserverunithpp.web.app

flape-man.web.app

flape-odade.web.app

fmvfhagpab.web.app

focus-online-news.web.app

fodes-mota.web.app

font-makeupe.web.app

foresta-mod.firebaseapp.com

foten-moda.web.app

francesbbv.web.app

freeebookspdf-9ab41.firebaseapp.com

freejobsnews-f8cb8.firebaseapp.com

freis-mode.web.app

gadjabadjala1.web.app

gare-train3.web.app

gene-marso.web.app

genie-alba.firebaseapp.com

girly-wallpaper-5b75f.web.app

godadyxs.web.app

gomas-12c01.web.app

gospel-living.web.app

goswapp-bsc.web.app

gotan-one.web.app

gotcha-67060.firebaseapp.com

grace-bijoux-14910.firebaseapp.com

green656dfbb5f31b1fe48c2391a6.web.app

gridsend-98f14.web.app

groupe-ca-authenticati-caisse.web.app

groupe-sa-accueil-autnenti.web.app

gweb-gc-gather-production.firebaseapp.com

gweb-miyagi.firebaseapp.com

hagenpau.web.app

histoire-clik.web.app

hiworksservicecenter.web.app

hon-macona.web.app

hounbvc-c7661.web.app

hsfkrkqogo.web.app

httpsaudiscover-owawebapplications.web.app

httpsdocument-download-902123.web.app

httpsfyregym-wetransfer.web.app

httpsjojo-wiza124.web.app

httpsjoovkuebea.web.app

httpsminxtex.firebaseapp.com

httpsprice-per-unit.firebaseapp.com

httpsprotectmimemimefrem.web.app

httpsworldvision-419f2.firebaseapp.com

hunin-one.web.app

hyle-fb82f.web.app

info-telephone-vocale.web.app

international-web-fb75a.web.app

isfane-osade.web.app

iydd-1b2d8.web.app

jams-jamz1234.web.app

jecta-f45df.firebaseapp.com

jentame-add.web.app

jes-mo-sad.web.app

jex-ulto.web.app

kaunte-mone.web.app

kebote-moda.web.app

kes-mole.web.app

kodrefse-nsf.web.app

l09162020-fixmailhelpdesk.web.app

laefhfdhkdsdv.web.app

lamaf-50e45.web.app

les-more.web.app

lg-roudcubeblack-access.web.app

lgeyfuusmg.web.app

licloud.web.app

licos-date.web.app

line-9ca1c.web.app

link-bb76d.web.app

lisen-ocun.web.app

live-support-82d11.firebaseapp.com

login-442v3f.web.app

loginfo-tkconf.web.app

lohsam-86765.web.app

lommsrecu3.firebaseapp.com

lono-jena.web.app

lote-masme.web.app

louams-62870.web.app

lthouse.web.app

m-cabanqueenligne-particuliers.web.app

m-orangebankenligne-id.web.app

m1technology.firebaseapp.com

maedz-5fdff.web.app

mail-8583e.web.app

mail-account-verify-f4723.web.app

mail-lcloud-com-account.web.app

mail-ovhcloud.web.app

mansan-4ca1c.web.app

may1110genstanbk.web.app

mbqbfhfmgr.web.app

memo-vocale-52636.web.app

mentipdf.web.app

mercadolibre-research.web.app

mms-sms-alert.firebaseapp.com

mo-aska-da.web.app

mobialmysyf.web.app

mobizzmperb.web.app

moce-add.web.app

moce-aude.web.app

molases-b652e.web.app

mon-tome.web.app

msgmessage-7f854.firebaseapp.com

mswordg.web.app

mta-round-cube.web.app

mxflexsub.web.app

my-bithumb.web.app

my-winbamk.web.app

mylogin-config.web.app

nale-ping.web.app

name-ocina.web.app

ne01u59l.firebaseapp.com

nera-mode.web.app

netw0rksolutions.web.app

newlink-c8a8f.web.app

njnapcdvzc.web.app

nopin-dod.web.app

nozed-uname.firebaseapp.com

ntzmttpmnttoepnlant.web.app

o-orangebank18-id.web.app

oaism-72827.web.app

ocaque-domen.firebaseapp.com

ocuso-aken.web.app

office-webmail-login-f0e3c.web.app

officeindex-file.web.app

officemailsharing-20cd3.web.app

offices-voicemail.web.app

oftenas-oweb.web.app

ojin-madij.web.app

olet-mado.web.app

omawo-14b8c.web.app

on-me-ro.firebaseapp.com

onee-a0488.web.app

oneone-19cd8.web.app

onga-moce.web.app

onlinepdfkwpmmkl.web.app

onsa-mode.web.app

orange-my-app.web.app

orangesmsprovocale.web.app

oras-moria.web.app

oroma-42f59.web.app

osale-mape.web.app

osaute-moca.web.app

others1-f7ce9.web.app

outline-auth-d7f99.web.app

outlookloffice365user09ngxsmd.web.app

outlookloffice365userp86aese6.web.app

outlooks-userserver.web.app

owa-signon-officeaccount.web.app

owablu84349439434.web.app

owserv220020.web.app

padma-3fbb8.web.app

page-appeal-unpublish1253631.web.app

pagebusiness-copyrightcase1256.web.app

pay-sera.web.app

phuongpndev.web.app

pokajca.web.app

poltunefrdonecodesms.web.app

popuyecash7.web.app

portail-messagerieorangesms.web.app

postmailservr-panel-centr.web.app

project2021c-42b13.firebaseapp.com

pry-ecommerce.web.app

put-media-lan.web.app

r-web-2a3a9.web.app

rbc-mainline.web.app

rbc-verifylogin5.web.app

rbclogin-line.web.app

readingwtagzdm.web.app

recording-c12f5.web.app

renard-trouillard.web.app

restore70174-coinbase-us.web.app

rjabldfrbg.web.app

romas-512bf.web.app

rooted-4da8a.web.app

rouncubemail.web.app

royalbill-a3y4.web.app

rufe-sun.web.app

saal-kejriwal.web.app

samda-3c88f.web.app

sarba-one.web.app

scorchvc.web.app

scorchvc.web.app0

serve-8e8dc.web.app

server-authentication-332e1.web.app

servercpanel-afa12.web.app

service-vocalesmsprotelfixe.web.app

sharebox-onedrive-file-f692f.web.app

side-esone.web.app

sim-ote.web.app

skype-online04171.web.app

slackchatv1.firebaseapp.com

snaptik.web.app

soci-molen.web.app

sode-mape.web.app

soden-olma.web.app

sofe-inchena.web.app

sofe-tane.web.app

solen-conda.web.app

somas-b88a0.web.app

sone-masa.web.app

sonta-maline.web.app

sore-modabe.web.app

soure-made.web.app

sparkassbank-de.web.app

srey-deocs.web.app

sroxma-ab2cc.web.app

sudo-mone.web.app

sugen-oda.web.app

sun-maupe.web.app

sunge-ode.firebaseapp.com

suone-bena.web.app

swiftshare-content-auth.web.app

tittot-a8505.web.app

tm-etiquetado.web.app

tome-done.web.app

totem1.web.app

totem2.web.app

tousou-posoto3.web.app

trdsmccdb7386cbf3ba0b0b8d.web.app

truein-264db.web.app

ugen-orabe.web.app

uiinlcuo37oed.web.app

un-foreste.web.app

unt-morelle.web.app

update-45190ca.web.app

user-45190ca21.web.app

userca-58ce4.web.app

usmin-moda.web.app

validate-clientrbc.web.app

vandameman4.web.app

verberuyer7.web.app

verif-loginrbc.web.app

verify-48181.web.app

verify-user-rbc.web.app

verifywell-85477.web.app

vkmqnvyfwd1111.web.app

vmta-mod.web.app

vocaleproidorange.web.app

votre-boitevocale-fixe.firebaseapp.com

wdfyxklmba.web.app

web-bf4.web.app

web-e1f6d.web.app

web874830-98375-90232.web.app

webmail-a2846.web.app

webmail-control-9efc7.web.app

wecluihfrf-76tygh.web.app

wedpfoaliculate-resmazm.web.app

westernfoodmaincourse.web.app

wetranslatetransfers-coxsola.firebaseapp.com

wetrnafers.web.app

whatsapp-clone-teamwork.firebaseapp.com

win-more-0x.web.app

winx-fbac0.web.app

wix-engage-visitors-prod-0.firebaseapp.com

wix-engage-visitors-prod-10.firebaseapp.com

wix-engage-visitors-prod-20.firebaseapp.com

wo0923536-902453-908563.web.app

wraxdne.web.app

www.firebaseapp.com

www.web.app

x0x0x10010-0100.web.app

x48652.web.app

xamua-7cb66.web.app

xcio-00000auth.web.app

xm01-18c1f.web.app

xn--87487387348739-16aa.web.app

xtpma4ep.firebaseapp.com

zoho-active.web.app

zoho-adminserv.web.app

zoho-mailservices.web.app

zoho-online.web.app

zoho-validationserv.web.app

zxtst-44902.firebaseapp.com

Stay tuned!

The Dark Web Market Segment - FUD or Hype? - An Analysis

In recent years it became clearly evident that the over-population of the Dark Web with hundreds of thousands of active low profile and high-profile Dark Web Onion web sites

Dancho Danchev's "Cybercrime Research and Cybercrime Fighting" USB Stick - Grab the Torrent!

This summary is not available. Please click here to view the post.

Dancho Danchev's Ultimate "Cybercrime Research and Fighting Toolkit" - Order a USB Stick Today!

 

Dear blog readers,

Order today!

Stay tuned!

 

Dancho Danchev's Keynote on "Exposing Koobface - The World's Largest Botnet" at CyberCamp 2016 - Watch Online!

Dear blog readers,

I've decided to share with everyone my Keynote from CyberCamp 2016 - "Exposing Koobface - The World's Largest Botnet" with the idea to help everyone improve their situational awareness on current and emerging cyber threats. 

Here's the actual PPT.

Stay tuned!

Deep from the Trenches in Bulgaria! - Part Four

define:moron

Big thanks to all the dipshits based in Bulgaria who basically broke my life for the sake of their own well being. Mad props kudos all god bless and don't forget to bow down and behold to the almighty -- the dollar is not for you -- savior and basically everything that you don't understand and don't forget we're always there "looking for you".

Stay tuned!

Looking for a Cyber Security Project Investor?

Dear blog readers,

I've just received a direct acquisition proposal for a high-profile cyber security project and I need an investment partner who can work with me and make it happen.

Are you interested in working with me for this project? Drop me a line at dancho.danchev@hush.com

 Sample project screenshots:

Stay tuned!

New Dark Web Onion Address!

Dear blog readers,

Check out my new Dark Web Onion address which is - http://aklw6fojficmu3zqsdsffprbas3kqrheej4ntvynfl5xkrjpqhlq55yd.onion/wordpress where I intend to continue publishing high-quality and never-released before cybercrime research and threat intelligence including OSINT analysis type of research on a daily basis.

Big thanks to everyone visiting my Dark Web Onion on the Dark Web and keep it coming.

Stay tuned!