Tuesday, September 07, 2021

Exposing Bulgarian Cyber Army Hacking Group - An OSINT Analysis

In this OSINT analysis I'll offer in-depth information on the Bulgarian Cyber Army, including personally identifiable information on some of the key members behind the group, for the purpose of assisting U.S. Law Enforcement and the U.S. Intelligence Community in tracking down and prosecuting the cybercriminals behind these campaigns.

EvilHack -> http://www.youtube.com/user/AnonymousEvilHack/about -> http://cyber-code.tk/ -> BG Cyber Army -> http://www.zone-h.org/archive/notifier=Bulgarian%20Cyber%20Army -> https://www.facebook.com/bgcyberarmy
Bca-group.org - Email: bca-group@mail.ru
BG Cyber Army - Cyber Root, Cyber King, iNCUBUS, JoKeR, MoonSpire - [Pa3pyxA, FuckOFF, CyberKing, CyberLord]
CyberLord: cyberlordbg@mail.ru [OK]
CyberKing: z3roc00l@mail.ru [OK]
Pa3pyxA: ra3pyxa@mail.ru
Anonymous BG's main forum URL: http://anonbg.info
Group member handles: rootheR_, Hades, NoTolerance, EvilHack, PsychoPatternz.
Forum postings for ID-ed member PsychoPatternz: http://anonbg.info/member.php?34-PsychoPatternz
Forum postings for ID-ed member EvilHack: http://anonbg.info/member.php?13-EvilHack
EvilHack's real name: Genadi
Skype: genadi_97
Skype: anonymous_evilhack
City: Veliko Turnovo or Tutrakan
Associated emails:
clangrf@abv.bg
genadi_100@abv.bg
anonyops@abv.bg
EvilHack@hmamail.com
evilhack000@gmail.com
evilhack@bk.ru
evil_hack@abv.bg
URLs he maintains:
https://www.facebook.com/pages/EvilHack-Programs
http://anonymous-world.free.bg/page-8.html
http://web-dangerous.free.bg/page-9.html
http://evilhack-official.blogspot.com/
http://www.podariavam.com/user/GenadiD
PsychoPatternz's name: Asparuh Naydenov
City: Plovdiv
Skype: asparuh1231
URLs he maintains:
http://psychopatternz.blogspot.com/
https://www.facebook.com/hakhz/timeline
Facebook profile:
https://www.facebook.com/Psychopatternz
EvilHack also appears to be a member of a newly emerged group, the Bulgarian Cyber Army.
Connection: EvilHack -> http://www.youtube.com/user/AnonymousEvilHack/about -> http://cyber-code.tk/ -> BG Cyber Army -> http://www.zone-h.org/archive/notifier=Bulgarian%20Cyber%20Army -> https://www.facebook.com/bgcyberarmy
Official Web site: bca-group.org - Email: bca-group@mail.ru
Related group emails: bca-group@bk.ru; adrenalinovocs@abv.bg
Current members: Cyber Root, Cyber King, iNCUBUS, JoKeR, MoonSpire
Ex-members: Pa3pyxA, FuckOFF, CyberKing, CyberLord
Group members' associated emails:
CyberLord - cyberlordbg@mail.ru
CyberKing - z3roc00l@mail.ru
Pa3pyxA - ra3pyxa@mail.ru
Group's name: "Hack3D TeaM" or "MTH Soft"
Facebook: https://www.facebook.com/hack3dteam
https://www.facebook.com/bgworm.info
Vimeo account: http://vimeo.com/user16145338/videos
Forum: http://hakerstvo.informe.com/
Zone-H Archive: http://zone-h.org/archive/notifier=MaStErChO/page=1
Hackdb Archive: http://www.hack-db.com/hacker/r00tkit/all.html
Google Plus Profile: https://plus.google.com/104878573752624522053/photos
Group members: r00tkit, MaStErChO, AloneWolf, Sspdf11, razora911, Metalqear
Shout-outs most commonly given (on the basis of multiple defaced-page assessments) to: MaStErHaCk, RTFM, -The Godfather-(tm)(R), PanteliX (R)(tm), (tm)W!PS(tm), Tiger(tm), Slackera, TraferA, 3ikmy, N3x0R.
Known group domains' reconnaissance:
hxxp://bgworm.com - Email: gudolik@gmail.com - Name: "Mastercho Hoomie" (same as the Google Plus account)
hxxp://bgworm.info - Historical WHOIS emails: nikolas47@abv.bg; mahon-74@hotmail.com
Group member profile: Anton Nikolaev (MaStErChO)
Email: ludoto_93@abv.bg - email used from the forum's registration confirmation
Secondary email: ludoto_93@hotmail.com - Reference: https://www.facebook.com/photo.php?fbid=327560933969442&set=a.325721410820061.74800.125466524178885&type=1
Skype: ko.ti.puka
Mobile: 0895373102
Second Mobile: 0887565357
Birth date: March 25, 1992 or July 17, 1990

Sample Personal Photos of Bulgarian Cyber Army Team Members:

Stay tuned!

Exposing Team Code Zero Hacking Group - An OSINT Analysis

In this post I'll provide personally identifiable information on some of the key members of the Team Code Zero hacking group, with the aim of assisting U.S. Law Enforcement and the U.S. Intelligence Community in tracking down and prosecuting the cybercriminals behind these campaigns.

Related Zero for Owned Personal Domains and Web Sites:
http://sh0dan.org 
http://antilimit.net 
https://sinnerz.com 
https://codez.com 

Related Team Code Zero/Confidence Remains High Team Members:
- so1o
- helix
- xFli
- modeX
- Shok
- zer0x
- Spheroid

Related personal Web sites belonging to Team Code Zero members:
http://www.aom.co.uk/total/
http://www.r0ot.org/crh/
http://www.r0ot.org
http://www.rootshell.com
http://insecurity.insecurity.org/codez/
http://el8.netgates.co.uk
http://www.mastaz.org/codezero/
http://ulticonn.dyndns.com/codezero/
http://www.exceed.net
http://www.7thsphere.com/hpvac/hacking.html
ftp://ftp.sekurity.org/users/so1o/
http://www.d-lab.com.ar/crh/
http://www.d-lab.com.ar/sekret/warez/
http://www.d-lab.com.ar/mad/
www.technotronic.com/ezines/crh/
http://cybrids.simplenet.com/Toast/files/CRH/
ftp.linuxwarez.com/pub/crh/

Related personal emails belonging to Team Code Zero members:
- dk@crackhouse.com
- dz@acheron.net
- domains4sale@usa.net
- zen@sekurity.org
- Darkfool: darkfool@pancreas.com

Sample personal photos of Team Code Zero Members:

Stay tuned!

Exposing 29A Virus Coding Group - An OSINT Analysis

In this analysis I'll provide personally identifiable information on some of the key members of the infamous 29A Virus Coding Group for the purpose of assisting U.S. Law Enforcement and the U.S. Intelligence Community in tracking down and prosecuting the cybercriminals behind these campaigns.

Personal email belonging to the group: 29A@sourceofkaos.com

Group's personal Web site: http://sourceofkaos.com/homes/29a/ 

Second group's Web Site: http://www.29a.net/ - Email: m0n305@terra.es

Personally identifiable information for GriYo:
- Country: Spain
- Emails: griyo@akrata.org; Dreamcatcher5072@aol.com; griyo@hellsparty.com; griyo29A@hotmail.com; griyo@bi0.net
- Web sites: http://www.geocities.com/Area51/Corridor/2618; http://griyo.hellsparty.com; http://vxug.fakedoma.in
- Twitter: https://twitter.com/griyo666
- Facebook: https://www.facebook.com/pg/djgriyo

Personal emails belonging to 29A team members:

- Jacky Qwerty - Peru - jqwerty@cryogen.com

- Mental Driller - Spain - mental_driller@hotmail.com

- Reptile - Canada - bwaha@hotmail.com

- SoPinky - Argentina - msopinky@hotmail.com

- Super - Spain - super_29a@mixmail.com

- Tcp - Spain - tcp@cryogen.com

- Vecna - Brazil - vecna@antisocial.com

- VirusBuster - Spain - darknode@oninet.es; virusbuster@terra.es

- Z0mbie - Russia - zloebuchij_zasrakomondohooy@usa.net

- Darkman - Denmark - darkman@sourceofkaos.com

- roy g biv - iam_rgb@hotmail.com

Personally Identifiable Information for Benny:

Personal Web Site: http://benny29a.cjb.net; http://benny29a.kgb.cz; http://www.benny29a.com

Sample Personal Email: benny_29a@hushmail.com; benny@post.cz; benny_29a@privacyx.com

Related personal Web sites: http://benny.bloguje.cz; http://benny.hysteria.cz

ICQ: 123122556; 156892790. IRC: UnderNet.Org server, #vir, #virus, #vxers channels

Related personal Web sites and emails for 29A group members:

- Alcopaul/[rRlf] - http://alcopaul.cjb.net; alcopaul@cannabismail.com

- Benny/29A - http://www.coderz.net/benny; benny@post.cz

- Mental Driller/29A - mental_driller@notrix.net; mental_driller@psynet.net; mental_driller@hotmail.com

- philet0ast3r/[rRlf] - http://www.rRlf.de; philet0ast3r@rRlf.de; PhileT0ast3r@gmx.de

- ZeMacroKiller98 - http://zemckiller98.multimania.com; http://membres.lycos.fr/zemckiller98; zebulon@softel.fr

- Vecna - http://coderz.net/vecna

- VirusBuster - http://virustradingcenter.cjb.net

- Z0MBiE - http://z0mbie.host.sk; http://forumer.com/bsodomon

- GriYo - Spain - griyo@hellsparty.com

- Ratter - Czech Republic - ratter@atlas.cz

- roy g biv - iam_rgb@hotmail.com

- VirusBuster - Spain - virusbuster@terra.es

- Super - super_29a@mixmail.com

Sample SNA (Social Network Analysis) Graph of 29A Virus Coding Group:

Stay tuned!

Exposing HackPhreak Hacking Group - An OSINT Analysis

HackPhreak is a well-known U.S.-based hacking group from the 1990s that actively used IRC to communicate and to recruit new members. It also ran its own Anti-Pedophile organization, one of the Internet's first community-driven efforts to fight online child pornography to be launched by a popular, well-known hacking group. The group's high-profile members include the following:

HackPhreak Group Members Include:

Bronc Buster, Lothos, Overdose, Truedog, x-empt, phriction, ntwakO, Gridmark, Phemetrix, Mnemonic, t0ucht0ne, muted, espionage, mercs, kanuchsa, Morbid Angel, Lucii, optiklenz, cap n crunch, tip, icer, sreality, Zyklon, havoc, HyperLogik, Defiant, Duncan Silver, Slfdstrct, lothos

Group's founder: Charlie Wellborne - rloxley@hackphreak.org

Personally identifiable information for Digital Ebola:

Digital Ebola - Email: digi@legions.org

AIM: digitalebola1

ICQ: 70001776

IRC: Undernet #legions, Efnet #ampedout

MUD: sensenet.legions.org port 5555

Email: digi@wintermute.linux.tc

Email: digi@wintermute.unixgeeks.com

Sample HackPhreak network infrastructure reconnaissance:

http://wintermute.legions.org - 66.12.11.162

http://neuromancer.legions.org - 66.12.11.171

http://cyberspace7.legions.org 

http://sensenet.legions.org

http://straylight.legions.org

http://monkeyboxing.legions.org - 66.12.11.170

http://boomzilla.legions.org

http://luckydragon.legions.org - 66.12.11.172

http://walledcity.legions.org

http://aleph.legions.org

Sample Personal Emails belonging to HackPhreak members:

digi@wintermute.linux.tc, digi@wintermute.unixgeeks.com, digi@legions.org, ks@rmci.net, digi@linuxpron.com, fejed@legions.org, proto@legions.org, shekk@smurfs.com, wak0@legions.org, super@ce.net, threx@attrition.org, phric@legions.org, sodium@omega2.net, godess@securityflaw.com, ntwako@legions.org, anonymous@legions.org, CogitoESum@yahoo.com, cogitoesum@yahoo.com, ddfelts@ultravision.net, gimps@legions.org, gridmark@legions.org, davidj@wiretapped.net, dayzee@madsekci.net, dayzee@madseckzi.net, clocker@adelphia.net, flutterby_2001@hotmail.com, syntech@intraworldcom.net, j.p@b3ss13.ant10nl1ne.com, morbie@legions.org, pr00f@pr00f.org, cippa@hobbiton.org, beowulf3@telocity.com, adonis1@videotron.ca, alkinoos@project802.net, vecna@s0ftpj.org, ntwak0@safehack.com, archimedes@security-foundation.net, gridmark@planetmotherfucker.net, ruben@generation.nl, vecna@insertcoint.net, kiddish@hehe.com, blooddjinn@hotmail.com

Sample Personal Photos belonging to HackPhreak hacking group members: