Exposing Bulgaria's "Kyulev" Compromised Database Leaker and Hacker - An OSINT Analysis

 An image is worth a thousand words.

https://t.me/retired111

e.kyulev@protonmail.com

dadsagency@tutanota.com

https://prnt.sc/u57c62

https://dadsagency.com - 104.27.150.28

- +359 888758498

- 16ASoz7GTbfYoexS4DM2LpuNohcM6uPEPd

hxxp://dadsagency.org - 181.214.86.11

hxxp://dadsagency.ws

hxxp://dadsagency.to

hxxp://reket2021.to

hxxp://dadsagency.cc

hxxp://dadsagency.pw

hxxp://dadsagency.xyz

https://ghostbin.com/paste/FztLI/dads2021

https://ghostbin.com/paste/fahTb/Kibernetik69

https://shoppy.gg/@Kyulev

https://www.strawpoll.me/20709599

Stay tuned!

Continue reading →

Who's Behind the Syrian Electronic Army? - An OSINT Analysis

Continuing the "FBI Most Wanted Cybercriminals" series I've decided to continue providing actionable threat intelligence on some of the most prolific and wanted cybercriminals in the World through the distribution and dissemination of actionable intelligence regarding some of the most prolific and wanted cybercriminals.

Following a series of high-profile Web site defacement and social media attack campaigns largely relying on the utilization of good-old-fashioned social engineering attack campaigns - it appears that the individuals behind the Syrian Electronic Army are now part of FBI's Most Wanted Cyber Watch List which means that I've decided to conduct an OSINT analysis further sharing actionable intelligence behind the group operators with the idea to assist law enforcement and the U.S Intelligence Community with the necessary data which could lead to a successful tracking down and prosecution of the team behind these campaigns.

In this post I'll provide actionable intelligence on the group behind the Syrian Electronic Army including actionable intelligence on the infrastructure on some of their most prolific social engineering driven campaigns.

Sample Personal Photo of Ahmad Al Agha:

Sample Personal Photo of Firas Nur Al Din Dardar:

Sample Web Site Defacement Screenshot courtesy of "The Shadow":

Sample Screenshots of the Syrian Electronic Army Web Site Defacement Activity:

Related domains known to have participated in the campaign:
hxxp://quatar-leaks.com
hxxp://net23.net
hxxp://secureids.washpost.net23.net
hxxp://mail.hrw.net84.net
hxxp://soul.websitewelcome.com
hxxp://blog.conservatives.com/wp=content/uploads/cnn.php
hxxp://ikhwansuez.net/cnn.php
hxxp://klchr-pshr.com/bo.php
hxxp://gloryshipsghana.com/wh.php
hxxp://centriplant-dev.coreware.co.uk/wp-content/blogs.dir/ob.php
hxxp://deliveryroutes.co.uk/ch.php
hxxp://sws-schulen.de/gn.php
hxxp://sws-schulen.de/ut.php
hxxp://kulalars.com/jwt.php
hxxp://karisdiscounts.com/nasa.php

Related IPs known to have participated in the campaign:
hxxp://91.144.20.76
hxxp://194.58.88.156
hxxp://88.212.209.102
hxxp://141.105.64.37
hxxp://213.178.227.152
hxxp://82.137.248.2
hxxp://82.137.200.5
hxxp://94.252.249.94
hxxp://5.149.101.187
hxxp://82.137.248.3
hxxp://76.73.101.180
hxxp://82.137.248.3
hxxp://81.137.248.4
hxxp://82.137.248.5
hxxp://82.137.248.6
hxxp://91.144.18.219
hxxp://178.52.134.163
hxxp://78.46.142.27/~WH
hxxp://78.46.142.27/~syrian
hxxp://46.17.103.125
hxxp://46.57.135.14
hxxp://188.139.245.9
hxxp://82.137.250.235

Social Media Accounts:
hxxp://twitter.com/Official_SEA
hxxp://twitter.com/ThePro_Sy
hxxp://instagram.com/official_sea3/
hxxp://pinterest.com/officialsea/
hxxp://www.facebook.com/sea.theshadow.716
hxxp://linkedin.com/pub/th3pr0-sea
hxxp://plus.google.com/116471187595315237633
hxxp://flickr.com/photos/th3pr0
hxxp://foursquare.com/user/29524714

Skype account IDs known to have participated in the campaign: 
syria.sec
koteba63
koteba
sea.shadow3
the.shadow21
tiger.white20
nana.saifo10
nana.saifo

Related emails known to have participated in the campaign:
th3pr0123-ap2@gmail.com
th3pr0123@gmail.com
whitehouse-online@hotmail.com
whitehouse_online@hotmail.com
sea.the.shadow@gmail.com
leakssyrianesorg@gmail.com
leaks.syrianes.org@gmail.com
syrian.es.sy@gmail.com
syrianessy@gmail.com
sea.wr4th@gmail.com
pr0@hotmail.nl
sy@hotmail.com
sy34@msn.com
killboy-1994@hotmail.com
jl0@hotmail.com
cf3@hotmail.com
zq9@msn.com
doom.ceasar@gmail.com
y8p@hotmail.com
rq1@hotmail.com
cf3@hotmail.com
wassemkortab@yahoo.com
sf0725zq0330@dressmall.com
adam.magdissi@hotmail.com
bf6@hotmail.es
b-6f@hotmail.com
bg_@hotmail.com
asdelylord@hotmail.com
i-8u@hotmail.com
b-8q@hotmail.com
tiger.tiger248@gmail.com
nagham_saifo@hotmail.com
edwinjouhansyah@gmail.com
sea.coders@hotmail.com

We'll continue monitoring the campaign and post updates as soon as new developments take place. Continue reading →

Exposing Bulgaria's Largest Data Leak - An OSINT Analysis

I've recently came across to a news article detailing the recently leaked Bulgaria NAP records database and I decided to take a closer look. What does this leak basically constitute? Basically the attacker managed to compromise the security of the Web Site basically leading to a successful extraction of a decent-portion of data which could basically constitute a leak.

NOTE: The data in this analysis has been obtained using public sources.



In this post I'll profile a novice Bulgaria-based cybercriminal that basically managed to obtain access to the database and shared it within several cybercrime-friendly forum communities making it publicly accessible including an in-depth overview of TAD Group which is basically a Bulgaria-based penetration testing company.




Real Name: Daniel Ganchev - Email: daniel.ganchev@abv.bg

Sample URL of the cybercriminal involved in the campaign:
hxxp://instakilla.com/ - Email: wp@instakilla.com; info@instakilla.com

Instagram Account: hxxp://www.instagram.com/instakilla_/

Bitcoin address used in the campaign: 3Ex6LeHorgRjkBmws4SsRZ3FXSJDXk5FhP

Sample additional domain known to have been used by the same individual: hxxp://209.250.232.143

Related URLs known to have participated in the campaign:
https://instakilla.com/5k.txt
https://instakilla.com/teaser.txt

Sample Screenshot of the Original Letter Send to Journalists:

Let's take a closer look at the Bulgaria-based TAD-Group is basically a well-known penetration testing company currently running Bulgaria's largest and most popular hacking forum community - hxxp://www.xakep.bg which was recently blamed for Bulgaria's largest database leak in particular its founders and several employees in the context of performing an OSINT analysis basically highlighting some of the key functions of the company and its involvement in the incident.

Sample Company Logo:

Sample Hacking Forum Logo:

Sample Exploits Developed courtesy of the founder of the group:

Sample Photos of TAD Group Employees:

Sample TAD Group Photos:

Related personally identifiable information of TAD members:

Real Name: Ivan Todorov

Email: todorov_i@tadgroup.com; todorov_i@subway.bg

Related social network accounts:

hxxp://github.com/chapoblan

hxxp://www.facebook.com/chapoblan/

Sample Bulgaria Leaked Database URL:

hxxp://uploadfiles.io/s1p3gzh8

Sample Email known to have been used in the campaign:

Email: minfin_leak@yandex.ru

Sample MD5 known to have been used in the campaign:

MD5: 3125f2f04d3bac84c418ceb321959aba

It's also worth pointing out that I've managed to come across to a fraudulent proposition courtesy of the hxxp://www.xakep.bg cybercrime-friendly forum community with the cybercriminal behind it currently soliciting managed hacker-for-hire type of services.

Sample screenshots courtesy of the service:

We'll be keeping an eye on the campaign and we'll post updates as soon as new developments take place.

Continue reading →