From BlackVortex1 to ShadowByt3$: Tracing a Multi-Platform RaaS Infrastructure and Leak Operations

Ransomware-as-a-Service (RaaS) operations have increasingly shifted from tightly controlled groups to more accessible, affiliate-driven ecosystems. What once required technical expertise and closed networks is now being repackaged into models that lower the barrier to entry, allowing individuals with varying levels of capability to participate in data extortion activities.

Amid this broader shift, a relatively new name, ShadowByt3$, began surfacing across multiple platforms. The activity did not originate from a single identifiable breach or announcement, but rather through scattered indicators: forum posts, leak promotions, and fragments of infrastructure appearing across both clear web and dark web environments.

At first glance, these elements appeared disconnected. However, as the investigation progressed through StealthMole, a pattern began to emerge: one that suggested coordination rather than coincidence. What initially looked like isolated activity gradually revealed the outline of an operation attempting to position itself within the RaaS landscape.

This report traces how those fragments connect, following the path from a low-profile forum identity to a broader ecosystem built around data leaks, recruitment, and multi-platform visibility.

Incident Trigger and Initial Investigation

The investigation was initiated through StealthMole’s ransomware monitoring, which flagged a data leak associated with the University of Georgia in early April 2026. The listing was attributed to a group named ShadowByt3$, with the data published on a dedicated onion-based leak page:

  • mfbbt****************************************2qad.onion

Accessing the page provided the first clear indication that this was not an isolated incident. The site displayed multiple organizations, each accompanied by timestamps and downloadable data samples, suggesting an ongoing operation rather than a single breach disclosure.

Before expanding the investigation further, the focus remained on understanding the nature of this onion site. Using StealthMole’s historical indexing, earlier versions of the same onion page were reviewed. This revealed a noticeable shift in presentation within a short period:

  • On 8 April 2026, the interface appeared in a purple theme, accompanied by a more aggressive, campaign-style message.
  • By 9 April 2026, the same site had shifted to a blue-themed interface, presenting itself as a private platform for vetted users, with emphasis on controlled access and onboarding.

This rapid change suggested active maintenance rather than a static deployment, indicating that the operator was actively refining how the platform was presented, balancing visibility with restricted access.

Leak Site Analysis and Infrastructure Discovery

With the leak page established as the central point of activity, the next step was to examine what sat behind it. Rather than treating it as a simple listing page, the investigation focused on the embedded elements that enable interaction: communication, payments, and access.

Running the onion domain through StealthMole’s Darkweb Tracker surfaced a consistent set of identifiers tied directly to the platform. These were not hidden or obfuscated; instead, they were deliberately exposed, indicating that the site was designed not just to display leaks, but to facilitate engagement.

The page provided multiple contact channels:

  • ProtonMail: Sha*****S@proton.me
  • TOX ID: A96D*******************************43F
  • Telegram:
    • https://t.me/Shad******2
    • https://t.me/Shad******S

Alongside communication methods, the site listed cryptocurrency payment options:

  • Bitcoin: bc1qh********************************rgl
  • Ethereum: 0xd9*******************************f61
  • Monero: 47NH****************************************A9a

The combination of multiple communication channels and payment methods reflects an infrastructure built for accessibility rather than exclusivity. Instead of forcing interaction through a single controlled channel, the operator offers several entry points, allowing victims or potential affiliates to engage using whichever method is most convenient.

A further pivot revealed the presence of an additional onion domain:

  • sdwb******************************************cad.onion

The structure and content of this secondary domain closely mirrored the primary leak site, suggesting it functions as a parallel or fallback instance. This kind of duplication is typically used to maintain continuity in case of disruption, indicating that the operator has considered basic resilience, even if the overall setup remains relatively lightweight.

The infrastructure presents a clear pattern: a central leak site supported by multiple communication channels and mirrored access points. The focus is not on concealment, but on ensuring that the operation remains reachable, adaptable, and easy to engage with, characteristics that become more significant as the investigation moves beyond infrastructure into how the operation is promoted and sustained.

Leak Distribution and Operational Use of Telegram

While the onion site provided the structural backbone of the operation, it did not fully capture how ShadowByt3$ interacted with its audience. That layer became visible through Telegram, where activity was more dynamic and operational in nature.

Pivoting the previously identified links within StealthMole led to the channel:

  • https://t.me/ShadowByt3S

Unlike the static presentation of the leak site, this channel reflected ongoing activity. Posts were used to announce leaks, share partial datasets, and direct users toward external download links. The content was not uniform: some entries focused on specific organizations, while others emphasized dataset size or type, suggesting an attempt to appeal to both victims and potential buyers.

A consistent pattern emerged in how leaks were presented. Instead of immediately releasing full datasets, the actor shared limited samples alongside brief descriptions of the compromised data. These previews often highlighted sensitive elements: operational logs, internal documentation, or identifiable information, enough to demonstrate access without fully exposing the dataset.

This approach serves two purposes. First, it reinforces credibility by providing tangible proof of compromise. Second, it creates controlled exposure, allowing the actor to retain leverage while increasing pressure on the affected organization.

Another recurring element in the channel was the use of time-bound messaging. Certain posts referenced deadlines or implied consequences if no response was received, aligning with extortion-driven workflows rather than simple data dumping. In some cases, the messaging extended beyond disclosure, indicating that data could be sold or redistributed if demands were not met.

In addition to leak announcements, the channel also contained messages aimed at recruitment. Rather than positioning itself solely as a distribution platform, it was used to attract individuals with potential access to corporate environments, offering a share of proceeds in exchange for collaboration. This shifts the role of Telegram from a passive broadcast channel to an active operational tool: one that supports both monetization and expansion.

A secondary channel was also identified:

  • https://t.me/ShadowBytsleaks

Its presence suggests an effort to maintain continuity, either as a backup or as an additional outlet for distributing content. This redundancy aligns with the broader pattern observed in the infrastructure: prioritizing availability and reach across multiple platforms.

Attribution Pivot: Linking ShadowByt3$ to BlackVortex1

Up to this point, the investigation had established how the operation functioned: its infrastructure, communication channels, and leak distribution methods. The next step was to understand who was behind it, or at least how the activity could be tied to a consistent identity.

This pivot emerged through a DarkForums thread:

  • https://darkforums.***/Thread-ShadowB********************School

The post, published by a user operating under the name BlackVortex1, directly referenced ShadowByt3$ and pointed toward the same ecosystem already observed. The connection was stated outright rather than implied, providing the first explicit bridge between a forum identity and the broader operation.

Rather than treating this as a standalone claim, the investigation expanded by running the username through StealthMole’s Darkweb Tracker. This revealed that BlackVortex1 was not limited to a single platform. The same handle appeared across multiple forums, including:

  • https://darkforums.***/User-BlackVortex1
  • https://breachsta*****/profile/BlackVortex1
  • https://cracked***/BlackVortex1
  • https://breachsta****/profile/BlackVortex1

At a surface level, these profiles offered limited activity. Reputation scores were low, and engagement was minimal. However, the consistency of the username across platforms, combined with the timing of account creation (concentrated between late 2025 and early 2026), suggested something more deliberate than casual reuse.

This pattern points toward a coordinated effort to establish a presence across multiple forums within a short timeframe. Rather than building reputation gradually, the actor appears to prioritize visibility and reach, ensuring that the same identity can be discovered in different environments.

The significance of this becomes clearer when viewed alongside the earlier findings. The infrastructure, Telegram activity, and forum presence are not operating independently; they are interconnected through a consistent set of identifiers. The BlackVortex1 profile acts as an entry point into that network, linking promotional activity on forums to the operational ecosystem observed elsewhere.

RaaS Model and Operational Structure

The investigation reached a turning point when activity linked to the BlackVortex1 profile led to a thread on Cracked.sh:

  • https://cracked.sh/Thread-HADOWBYT3-RAAS

Unlike earlier touchpoints, which focused on leaks and promotion, this thread provided a more direct look into how the operation is structured. Rather than presenting isolated incidents, it outlined a model, one that aligns with ransomware-as-a-service frameworks but reflects characteristics of an operation still in its early stages.

One of the most immediate observations is the emphasis on participation rather than exclusivity. The model does not restrict access to a closed group of trusted affiliates. Instead, it introduces a dual-entry system:

  • Individuals with existing corporate access are encouraged to join without upfront cost
  • Others can gain entry by paying a relatively low fee (USD 250 in cryptocurrency)

This approach lowers the barrier to entry significantly. Instead of relying solely on skilled operators, the model appears designed to attract a broader range of participants, including those who may not have technical capabilities but possess access or the potential to obtain it.

The revenue structure further reinforces this design. A 70/30 split is offered in favor of affiliates, allowing participants to retain the majority of any ransom payments. From an operational perspective, this suggests that the core actor is prioritizing scale over control, incentivizing others to bring in targets while maintaining a smaller share of the proceeds.

Another notable element is the way responsibilities are distributed. The thread indicates that affiliates can rely on the operator for certain functions, including aspects of negotiation. This reduces the operational burden on participants and makes the model more accessible to less experienced actors. At the same time, it allows the operator to maintain a degree of involvement in the extortion process without directly carrying out every stage.

The technical details presented, including references to custom builds and encryption methods, are framed more as features than as deeply explained capabilities. This distinction is important. The thread reads less like a technical disclosure and more like a service offering, where functionality is highlighted to attract interest rather than to demonstrate depth.

Together, the structure reflects an operation focused on expansion. Instead of tightly controlling access or emphasizing advanced tooling, the model is built around accessibility, recruitment, and distribution of effort. This aligns with earlier observations from Telegram, where insider access and collaboration were actively encouraged.

Conclusion

The investigation into ShadowByt3$ reveals an operation that is still in the process of defining itself, but already exhibits the core components of a functioning ransomware ecosystem. Rather than emerging from a position of technical maturity or established reputation, the actor appears to be building outward: assembling infrastructure, expanding visibility, and attracting participation across multiple platforms simultaneously.

What stands out is not the sophistication of any single component, but the way these components are combined. Forum presence, Telegram activity, onion-based infrastructure, and a structured RaaS offering are all aligned toward a common objective: growth. The operation prioritizes accessibility, both in how it communicates and how it recruits, lowering barriers for participation while maintaining enough structure to appear credible.

The linkage to the BlackVortex1 identity reinforces this positioning. Instead of operating through long-established personas, the actor relies on a recently created but consistently reused identity, suggesting a deliberate attempt to seed presence across different ecosystems rather than build depth within a single one.

At its current stage, ShadowByt3$ reflects an operation in transition: moving from initial setup toward broader adoption. While its long-term trajectory remains uncertain, the foundation it has established demonstrates how quickly a coordinated presence can be built using readily available platforms and tools. The risk, therefore, lies not only in what the operation is today, but in how easily this model can scale if it succeeds in attracting sustained participation.

Editorial Note

Investigations into ransomware and dark web activity rarely offer complete visibility, and this case is no exception. Much of what is observed is derived from actor-controlled spaces, where claims, capabilities, and intent cannot always be independently verified. This inherent uncertainty makes careful correlation essential.

In this case, StealthMole enabled the investigation to move beyond isolated findings, connecting identities, infrastructure, and activity across multiple platforms to form a coherent narrative, not of certainty, but of informed understanding.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


Breaking Bad to Bazaar: Tracing a Dark Web Ecosystem of Trade and Distribution

The investigation began with Breaking Bad, a cybercriminal forum that presents itself as a structured and resource-rich environment rather than a typical underground message board. Its interface reveals a mix of services, ranging from marketplaces and vendor sections to technical resources and curated links, suggesting a platform designed to support more than just conversation.

While exploring its structure, one particular element stood out: a reference to a marketplace labeled “Bazaar Drug Market.” At first glance, it appeared to be just another listing among many. However, this seemingly minor detail raised a larger question: how are these marketplaces connected to the forum, and what role do they play within this environment?

This question became the starting point for a deeper investigation. What followed was not just a look into a single marketplace, but a gradual uncovering of how different components, platforms, users, and infrastructure, may be linked in ways that are not immediately visible.

Breaking Bad Forum: Structure and Service Ecosystem

A closer look at the Breaking Bad platform reveals that it functions as more than just a discussion forum. The investigation initially led to the following onion link:

  • 6tn2ejdphoveywwt6pc2sbaez62bytq4vr4xd2f2b6mrffhzakrcvbid.onion

Accessing this link revealed a structured platform where users are presented with a range of organized services rather than unstructured discussions. The interface is divided into clearly defined categories, indicating a system designed to support ongoing activity rather than casual interaction.

The platform features multiple sections that cater to different aspects of underground trade. These include areas dedicated to drug markets, chemical suppliers, and reagent sourcing, alongside sections focused on drug combinations and chemical knowledge. This combination of marketplace access and informational resources suggests that the platform supports both the distribution and understanding of substances, allowing users to move from learning to execution within the same environment.

In addition to trade-related sections, Breaking Bad also includes a link directory, which appears to guide users toward external platforms and services. Within this structure, references such as the Bazaar Drug Market are presented as part of the platform’s broader ecosystem rather than isolated listings. This indicates a level of curation, where certain services are made more visible to users navigating the forum.

The platform further incorporates elements like video content and wiki-style resources, expanding its role beyond communication. These features contribute to a more comprehensive environment where users can access shared knowledge, tutorials, and external tools alongside marketplace links.

Overall, the structure of Breaking Bad suggests a platform that acts as a central hub, connecting users to multiple components of the underground ecosystem. Rather than operating in isolation, it appears to facilitate movement between services, creating a pathway that eventually leads to platforms like Bazaar.

Bazaar Marketplace: Entry Point and Initial Observations

The transition from the Breaking Bad forum to Bazaar occurred through a direct reference within the platform, where “Bazaar Drug Market” was listed among other services. Following this lead, the investigation identified the primary marketplace entry point:

  • bazaar********************************************zid.onion

Accessing this onion link revealed a fully developed marketplace interface, distinct from the forum environment. Unlike the structured discussion layout of Breaking Bad, Bazaar presented itself as a transaction-focused platform, featuring product listings, vendor profiles, pricing details, and filtering options based on location and delivery preferences.

The marketplace displayed a wide range of drug-related listings offered by different vendors, each accompanied by product images, descriptions, and pricing. Several listings included handwritten identifiers referencing “Bazaar” and, in some cases, “Breaking Bad,” suggesting that vendors were not only active on the platform but also consciously associating their products with its branding. This behavior indicates a level of familiarity and alignment between vendors and the ecosystem in which the marketplace operates.

Additional elements on the homepage further reinforced the platform’s structure. Sections such as customer support, cryptocurrency purchase guidance, and references back to the Breaking Bad forum were visibly integrated into the interface. These features suggest that Bazaar is designed to be accessible even to less experienced users, guiding them through both platform usage and transaction processes.

Another notable observation was the presence of captcha-based protection mechanisms, likely implemented to prevent automated access and mitigate potential disruptions such as scraping or denial-of-service attempts. This indicates that the platform is actively maintained and incorporates basic defensive measures to preserve availability.

At this stage, Bazaar appeared as a standalone marketplace with clear operational intent, while still maintaining visible links to the Breaking Bad environment. These initial observations set the foundation for a deeper investigation into its infrastructure, access points, and operational design.

Bazaar Infrastructure and Mirror Network

After establishing the primary marketplace, the investigation focused on identifying additional access points linked to Bazaar. This was done using StealthMole’s Dark Web Tracker, which revealed multiple domains associated with the platform across both clearnet and onion environments.

One of the first findings was a catalog page:

  • https://deepweb.n***/catalog/bazaar.**

This page provided an external reference to Bazaar and helped surface additional domains connected to the platform. From there, two clearnet domains were identified:

  • https://bazaar.**/
  • https://bazaar.*****/

Further investigation of https://bazaar.*****/ revealed a structured mirror directory. This page listed multiple Bazaar-related domains, including:

  • https://b**.**/
  • https://bazaar.**/
  • http://bazaar**********************************zid.onion/

These links were accompanied by a PGP-signed message, indicating that they are officially associated with the platform. The use of PGP in this context suggests an attempt to help users verify legitimate access points and avoid phishing or clone sites.

In addition to these, several onion-based infrastructure components were identified:

  • storage************************************************ezid.onion
  • yccz****************************************************7id.onion
  • http://torrun**********************z5ad.onion/verify/bazaarmarket

The storage subdomain appeared to host product images used in marketplace listings, indicating a separation between the main interface and media hosting. The additional onion links functioned as mirrors or verification pages, replicating core information and ensuring continued accessibility.

Another variation of the platform was also identified:

  • bazaarplnt7rsrc3o65qfvez2oqis4wnupmxezijsu22pmzcljonpmqd.onion

This version appeared to be a localized (Polish) instance of the marketplace, although it was inactive at the time of investigation.

Overall, the presence of multiple clearnet domains, onion mirrors, and verification pages suggests that Bazaar relies on a distributed infrastructure model, allowing it to remain accessible even if individual domains are disrupted.

Operational Model: DeadDrop Distribution System

Further insight into Bazaar’s operations was obtained through the catalog page referenced earlier. One of the key features described was the platform’s use of a DeadDrop delivery model.

Instead of relying solely on traditional shipping methods, sellers on Bazaar can hide products in physical locations and upload the coordinates to the platform. Buyers who purchase these listings receive the location details and retrieve the items themselves.

This approach changes how transactions are carried out:

  • It removes the need for direct interaction between buyer and seller
  • It reduces reliance on postal systems
  • It allows for localized distribution within specific regions

The platform also supports structured uploads for these listings, including bulk data formats, which suggests that sellers can manage multiple drop locations efficiently.

In addition to this, Bazaar supports cryptocurrency-based transactions (including Bitcoin and Monero), along with features such as wallet management and basic account security options. These elements indicate that the platform is designed to handle repeated transactions and ongoing activity.

The combination of digital marketplace features with physical distribution methods highlights a hybrid operational model that extends beyond typical darknet trade mechanisms.

User Activity and Exposure Through StealthMole

To understand how users interact with Bazaar-related infrastructure, the investigation shifted toward StealthMole’s Compromised Data Set and ULP Binder tools.

The first pivot was conducted using the domain:

  • https://bz*.**t/

This search revealed multiple compromised records linked to a user:

  • Username: garciagarcia19
  • IP Address: 1**.**.**.**0 (Chile)

The same user appeared across multiple datasets, indicating repeated exposure of credentials. A further pivot on the IP address returned approximately 570 compromised records, suggesting that the system associated with this IP had been widely exposed.

Some of these records were linked to platforms such as:

  • https://bbgate.com/
  • https://dash.sellhub.cx/auth/register/

While these platforms are separate from Bazaar, their presence indicates that the user has activity across multiple online environments, including those associated with underground marketplaces.

A similar pattern was observed when investigating another Bazaar-related domain:

  • https://bazaar.***/login/register

This revealed two additional users:

  • Username: chumbawamba
  • IP Address: 1**.**1.**.*2 (Poland)
  • Username: kdv98sf
  • IP Address: 2**.**.**8.*4 (Bulgaria)

Further analysis showed:

  • ~700 compromised records linked to the Polish IP
  • ~1000+ compromised records linked to the Bulgarian IP
  • Associated email identified: ka****n.vak******v@gmail.com

These findings suggest that users interacting with Bazaar-related infrastructure often exhibit credential reuse and exposure across multiple platforms. While this does not confirm their specific roles within Bazaar, it highlights potential weaknesses in user operational security.
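The pivot chain used in this section (seed domain, then the logins exposed against it, then each login's source IP, then the record volume and other platforms tied to that IP), as an added Python example that is not StealthMole's code. The records, domains, logins and IPs are constructed for illustration, and the field names are assumptions about how a ULP-style (URL, login, password) dataset is laid out.

```python
"""Credential-exposure pivot chain over constructed ULP-style records.

Mirrors the investigative sequence in the text: seed domain -> exposed
logins -> source IP -> record volume and other platforms seen for that IP.
All records below are constructed (RFC 5737 documentation IPs, .example
domains); nothing here is real leak data.
"""
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Record:
    url: str      # URL the credential was captured for (the "U" in ULP)
    login: str    # username or e-mail (the "L"); the password is not needed to pivot
    ip: str       # source IP recorded alongside the credential
    country: str  # geolocation of that IP as the dataset reports it
    dataset: str  # leak / stealer-log batch the record came from (hypothetical names)


# Constructed sample dataset: three logins exposed against the seed domain,
# plus unrelated records that share an IP or not at all.
RECORDS = [
    Record("https://market-a.example/login", "user_one", "192.0.2.10", "CL", "log-2026-01"),
    Record("https://market-a.example/login", "user_one", "192.0.2.10", "CL", "log-2026-02"),
    Record("https://forum-x.example/", "user_one", "192.0.2.10", "CL", "log-2026-02"),
    Record("https://shop-y.example/auth/register", "someone_else", "192.0.2.10", "CL", "log-2026-03"),
    Record("https://market-a.example/login/register", "user_two", "198.51.100.7", "PL", "log-2025-12"),
    Record("https://mail.example/", "user_two", "198.51.100.7", "PL", "log-2026-01"),
    Record("https://market-a.example/login/register", "user_three", "203.0.113.44", "BG", "log-2026-02"),
    Record("https://bank.example/", "user_three", "203.0.113.44", "BG", "log-2026-02"),
    Record("https://game.example/", "unrelated", "203.0.113.44", "BG", "log-2026-03"),
    Record("https://other.example/", "unrelated", "198.51.100.99", "DE", "log-2026-03"),
]


def host_of(url: str) -> str:
    return urlparse(url).hostname or ""


def in_domain(host: str, domain: str) -> bool:
    """Exact host match or any subdomain of the seed domain."""
    return host == domain or host.endswith("." + domain)


def pivot_domain(records, domain):
    """Step 1: logins observed against the seed domain."""
    return sorted({r.login for r in records if in_domain(host_of(r.url), domain)})


def pivot_login(records, login):
    """Step 2: every record for one login; several datasets = repeated exposure."""
    return [r for r in records if r.login == login]


def pivot_ip(records, ip):
    """Step 3: record volume, distinct platforms and logins tied to one source IP."""
    hits = [r for r in records if r.ip == ip]
    return {
        "count": len(hits),
        "domains": sorted({host_of(r.url) for r in hits}),
        "logins": sorted({r.login for r in hits}),
    }


def exposure_report(records, seed_domain):
    """Run the full chain and return one summary per login exposed on the seed domain."""
    report = {}
    for login in pivot_domain(records, seed_domain):
        own = pivot_login(records, login)
        # Attribute the login to its most frequently seen source IP.
        ip, _ = Counter(r.ip for r in own).most_common(1)[0]
        by_ip = pivot_ip(records, ip)
        report[login] = {
            "ip": ip,
            "country": next(r.country for r in own if r.ip == ip),
            "own_records": len(own),
            "datasets": len({r.dataset for r in own}),
            "ip_records": by_ip["count"],
            "other_logins_on_ip": [l for l in by_ip["logins"] if l != login],
            "other_platforms": [d for d in by_ip["domains"] if not in_domain(d, seed_domain)],
        }
    return report


if __name__ == "__main__":
    for login, summary in exposure_report(RECORDS, "market-a.example").items():
        print(login, summary)
```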

Conclusion

The investigation began with a single reference on the Breaking Bad forum but gradually expanded into a broader analysis of the Bazaar marketplace and its surrounding infrastructure.

Bazaar presents itself as a standalone marketplace, but its connection to Breaking Bad, combined with its distributed infrastructure, mirror network, and operational design, suggests that it functions within a larger ecosystem rather than in isolation. The use of PGP-signed mirrors, multiple access points, and dedicated storage nodes indicates a platform built with continuity and resilience in mind.

At the same time, the DeadDrop delivery model introduces a layer of physical-world interaction that distinguishes Bazaar from many traditional darknet marketplaces. This approach reflects an attempt to adapt operations in a way that reduces reliance on conventional distribution channels.

User-level findings further add context to this ecosystem, showing that individuals interacting with Bazaar-linked infrastructure often have a broader digital footprint, with signs of repeated credential exposure across different platforms.

Overall, Bazaar can be understood not just as a marketplace, but as part of a connected and evolving environment where infrastructure, operations, and user behavior intersect.

Editorial Note

Investigations involving darknet platforms and underground ecosystems rarely provide complete visibility into ownership or control. While connections between platforms, infrastructure, and users can be identified, attribution remains inherently uncertain and subject to change over time.

This case highlights how StealthMole enables structured exploration of such environments, allowing investigators to move from a single entry point to a broader understanding of the ecosystem, while maintaining analytical discipline and avoiding unsupported conclusions.


From XpertTechy to BlackHat Tools: Uncovering a Multi-Layered Malware Distribution Network

The underground market for hacking tools has grown into a structured ecosystem, where ready-made malware, remote access tools (RATs), and obfuscation techniques are openly advertised and distributed across forums and messaging platforms. What once required technical expertise is now increasingly packaged into accessible, “plug-and-play” offerings, lowering the barrier for entry into cybercrime. These tools are often promoted with claims of being fully undetectable, easy to deploy, and capable of bypassing modern security protections.

In this environment, actors rarely rely on a single platform. Instead, they operate across a mix of Telegram channels, cybercrime forums, and surface web websites, creating interconnected networks that serve different purposes, from promotion and trust-building to delivery and monetization. This layered approach not only expands their reach but also helps them maintain persistence even if one part of their infrastructure is disrupted.

This investigation began with the identification of one such distribution point and gradually uncovered a broader network of activity spanning multiple platforms. What initially appeared as isolated tool advertisements revealed deeper connections between forum identities, communication channels, and supporting web infrastructure, pointing toward a more organized operation than it first seemed.

Incident Trigger and Initial Investigation

With this broader landscape in mind, the investigation began during routine monitoring of Android RAT activity. While reviewing discussions on DarkForums, a thread was identified:

  • https://darkforums.me/Thread-EagleSpy-v5-LifeTime-Activated-Latest-Android-RAT

The post promoted “EagleSpy v5” as a lifetime-activated Android RAT, presented as a ready-to-use tool. Its structure and messaging were consistent with many similar listings seen across underground forums: emphasizing ease of use and accessibility rather than technical complexity.

At this stage, the thread itself did not appear unusual in isolation. However, a closer look at the content revealed a direct contact point provided by the user “xerttechy,” including a Telegram link:

  • http://t.me/blackhattoolss

This detail became the first pivot in the investigation. Rather than focusing solely on the tool being advertised, attention shifted toward the identity of the user and the communication channel being promoted.

To build initial context, the username “xerttechy” was queried using StealthMole’s Dark Web Tracker. This revealed multiple additional threads associated with the same user across DarkForums, including posts promoting other tools such as Craxs RAT, XWorm HVNC RAT, crypto-related stealers, and mining utilities. Despite variations in the tools being advertised, the structure of these posts remained consistent, suggesting a pattern rather than isolated activity.

The repeated promotion of different tools under the same identity, along with the presence of a shared contact channel, indicated that the initial finding was likely part of a wider distribution effort rather than a standalone post.

Expansion of Actor Activity Across Forums

Following the initial pivot on the username “xerttechy,” the investigation focused on understanding how widely this activity extended beyond DarkForums. Using StealthMole’s Dark Web Tracker, additional posts linked to this identity began to surface across multiple threads and platforms.

On DarkForums itself, the same user was found promoting a range of tools, including:

  • Craxs RAT
  • XWorm HVNC RAT
  • Crypto-related stealers
  • Monero (XMR) mining builders
  • APK encryption and bypass methods

While the tools varied, the overall pattern remained consistent: short promotional posts, emphasis on functionality, and a clear intent to attract users looking for ready-made solutions.

One thread in particular stood out:

  • https://darkforums.me/Thread-Craxs-RAT-Best-Android-RAT-Fully-Activated

Unlike the earlier EagleSpy post, this thread referenced a different Telegram contact:

  • t.me/tools4alll

This introduced a second communication channel into the investigation, suggesting that the actor was not relying on a single point of contact. Whether this reflected multiple channels under the same control or a broader distribution setup was not immediately clear, but the overlap in behavior and posting style indicated a connection worth tracking.

The Craxs RAT thread also led to an external website:

  • https://www.xperttechy.**/craxs-rat-cracked/

This was the first instance where the activity extended beyond forums and messaging links into a standalone web domain, adding another layer to the investigation.

Linking External Infrastructure and Additional Identities

The discovery of the Craxs RAT page marked a shift in the investigation, as activity was no longer confined to forum posts. The website appeared to host similar content, promoting cracked versions of tools that had already been observed on DarkForums.

Using this page as a pivot, further searches revealed the same Craxs RAT promotion appearing on other platforms:

  • https://nulledbb.com/thread-Craxs-RAT-Best-Android-RAT-Full-Activated
  • https://craxpro.to/threads/craxs-rat-best-android-rat-lifetime-activated.1757907/

On Nulled, the thread was posted by a different user:

  • https://nulledbb.com/profile/726093/ (“markoliver”)

This introduced a new identity into the investigation. To understand whether this was a separate actor or connected activity, the username markoliver was queried in StealthMole’s Dark Web Tracker.

The results showed that this user was active across multiple forums, including:

  • https://demonf*******s.net/Thread-FUD-K-G-B-RAT-Crypter-HVNC-Fully-Undetectable
  • https://darkne*****y.com/threads/bitrat-advanced-windows-rat-fully-activated.37563/
  • https://sini*****r.***/Thread-FUD-Windows-Crypter-Bypass-All-Antiviruses-Avanced
  • https://h***.org.**/index.php?threads/venom***t-pro-hvnc****r-rat-latest-version.1***9/post-1***1

Across these threads, the same pattern continued: promotion of RATs, crypters, and related tooling. More importantly, the Telegram contact t.me/tools4alll appeared repeatedly across these posts, matching the contact seen earlier in the Craxs RAT thread linked to “xerttechy.”

Alongside this, another domain surfaced:

  • https://www.xperttechy.***/

The naming similarity with the previously identified xperttechy.*** domain suggested a possible connection between the two, indicating that the activity might be supported by more than one web asset.

At this point, the investigation had established a consistent overlap between forum identities, external websites, and a shared Telegram contact, tying together activity that initially appeared to come from different users.

Telegram Infrastructure and Distribution Layer

With multiple forum posts pointing toward Telegram, the investigation shifted to examining how these channels were being used in practice. Two links had already surfaced during earlier steps:

  • http://t.me/blackhattoolss
  • http://t.me/tools4alll

Opening t.me/blackhattoolss provided a clearer view of how the operation was structured. The channel was actively used to promote hacking tools, with posts advertising Android RATs, APK-based payloads, and related utilities. Instead of detailed explanations, most posts followed a simple pattern: brief descriptions, screenshots or claims of functionality, and links for download or contact.

The channel bio included a direct point of contact:

  • @real*******ls

Alongside this, it referenced external pages:

  • https://sites.google.com/view/black-hat**********p
  • https://shop.blackhat***********p.cc/p****s/

These appeared to support the channel’s activity by acting as landing pages and “proof” repositories, reinforcing trust for potential buyers.

Looking at the content more closely, some posts included direct download links, such as APK files hosted on third-party platforms (e.g., MediaFire). This indicated that Telegram was not just being used for communication, but also as a distribution point where users could access tools with minimal friction.

The second channel, t.me/tools4alll, was repeatedly referenced across multiple forum threads tied to both “xerttechy” and “markoliver.” Its presence across different platforms suggested that it served a similar role, acting as a consistent contact layer that connected otherwise separate posts.

What stood out here was not just the existence of these channels, but how frequently they appeared across unrelated threads and identities. Whether a tool was being promoted on DarkForums, Nulled, or other platforms, the path often led back to Telegram. This made it a central point in the overall setup, linking together forum activity, tool promotion, and user interaction in one place.

Web Infrastructure and Identity Signals

Beyond forums and Telegram, the investigation also uncovered supporting web infrastructure that appeared to be tied to the same activity. One of the key domains identified earlier, https://www.xperttechy.***, provided additional context when explored beyond the initial Craxs RAT page.

The site was not limited to tool-related content. Some sections presented it as a general-purpose technology platform, offering blog content, guest posting opportunities, and services typically associated with legitimate web development or tech publishing.

  • https://www.xperttechy.***/about-us/
  • https://www.xperttechy.****/write-for-us-tech-blog-2024/

Within the “About” section, a contact email was listed:

  • xpertt*******6@gmail.com

This was the first instance where a direct email address could be associated with the broader activity observed across forums and Telegram. Unlike earlier findings that turned out to be placeholder data, this email appeared consistently within the site’s content, suggesting it was actively maintained by whoever controlled the domain.

At the same time, the positioning of the website stood in contrast to the earlier findings. While forum threads and Telegram channels focused on promoting RATs, crypters, and other tools, the website presented a more neutral and, in parts, legitimate-looking image. Pages encouraging guest contributions and tech blogging did not reference any of the tools seen elsewhere.

A second domain, https://www.xperttechy.***, also appeared during the investigation. While its exact role was less clear, the similarity in naming suggested a possible connection to the same operator or setup.

These elements point to a layered approach. On one side, there is visible activity across forums and Telegram focused on tool promotion. On the other, there is a surface web presence that presents itself as a standard tech platform, with identifiable contact details. The overlap between these layers provides additional signals that help connect what might otherwise appear as separate pieces of activity.

Cross-Platform Presence and Onion Activity

As the investigation progressed, the same patterns began appearing across a wider range of platforms, extending beyond the initial forums already identified. Using StealthMole’s Dark Web Tracker, additional threads were found on sites such as:

  • http://www.n***t-o***x.**/threads/1***0/
  • https://nif****m.w****/threads/silent-crypto-miner-builder-monero-xmr.124186/
  • https://crd****w.**c/threads/port-forwarding-rdp-server-for-using-rats.33***4/
  • https://www.turk****am.org/ko****r/silent-crypto-miner-builder-monero-xmr.20***5/
  • http://www.cracki****.com/threads/50691/latest
  • https://alphv.****/threads/96**7/

Across these platforms, the usernames varied slightly, including “xpert techy,” “xperttechy,” and “mark oliver.” Despite these differences, the structure of the posts remained familiar: tool promotion, brief descriptions, and redirection toward Telegram for further interaction.

A notable addition during this phase was the identification of an onion-based forum thread:

  • http://bdfclub********************qudjwad.onion/threads/fud**************advanced-edition.159833/post-363030

This thread, posted by “markoliver,” promoted an APK encryption method and included the same Telegram contact seen earlier. The presence of this activity on a Tor-based platform added another layer to the investigation, indicating that the same promotional approach was being used across both clearnet and dark web environments.

What stands out across all these findings is the consistency rather than the scale. The same types of tools, similar posting formats, and recurring contact points appeared regardless of the platform. Whether on regional forums, larger cracking communities, or onion services, the approach remained largely unchanged.

This consistency made it possible to connect activity across different usernames and platforms without relying on a single identifier. Instead, it was the repetition of patterns: how the tools were presented, where users were directed, and how contact was established, that tied these pieces together.
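The linking logic described above (aliases that differ cosmetically across platforms, tied together by a shared Telegram contact rather than by any single username) can be expressed as a small union-find over normalized indicators. The script below is an added example, not part of this report or of StealthMole’s tooling. All post records in it are constructed for illustration: only the unmasked identifiers from the report (“xerttechy,” “markoliver,” t.me/blackhattoolss, t.me/tools4alll) are reused, and masked platforms and domains are replaced with placeholder names.

```python
"""Identity pivoting over constructed forum-post records (added example)."""
import re
from collections import defaultdict

# Constructed sample posts: (platform, alias as posted, raw contact strings in the post).
# Platform names ending in "-placeholder" and the ".example" domain are stand-ins
# for values the report masks; they are not real indicators.
POSTS = [
    ("darkforums", "xerttechy", ["http://t.me/blackhattoolss"]),
    ("darkforums", "xerttechy", ["t.me/tools4alll",
                                 "https://www.xperttechy.example/craxs-rat-cracked/"]),
    ("nulledbb", "markoliver", ["t.me/tools4alll"]),
    ("forum-a-placeholder", "markoliver", ["@tools4alll"]),
    ("forum-b-placeholder", "xpert techy", ["https://t.me/tools4alll"]),
    ("forum-b-placeholder", "mark oliver", ["t.me/tools4alll"]),
    ("onion-forum-placeholder", "markoliver", ["t.me/tools4alll"]),
    ("unrelated-forum", "someoneelse", ["t.me/otherchannel"]),
]

TG_RE = re.compile(r"^(?:https?://)?(?:www\.)?t\.me/([A-Za-z0-9_]+)/?$", re.I)
URL_RE = re.compile(r"^(?:https?://)?(?:www\.)?([A-Za-z0-9.-]+)(?:/.*)?$", re.I)


def normalize_contact(raw):
    """Map t.me links, @handles and URLs to one canonical indicator key (or None)."""
    s = raw.strip()
    if s.startswith("@"):
        return "tg:" + s[1:].lower()
    m = TG_RE.match(s)
    if m:
        return "tg:" + m.group(1).lower()
    m = URL_RE.match(s)
    if m and "." in m.group(1):
        return "domain:" + m.group(1).lower()
    return None


def normalize_alias(alias):
    """Collapse cosmetic variants ("xpert techy", "XpertTechy") into one alias key.
    Note: "xerttechy" and "xperttechy" remain distinct; only a shared contact links them."""
    return "alias:" + re.sub(r"[\s._-]+", "", alias).lower()


class DisjointSet:
    """Minimal union-find with path halving."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def build_clusters(posts):
    """Group alias keys that share at least one normalized contact indicator.
    Returns (clusters, evidence): clusters is a list of alias-key sets;
    evidence maps each indicator to the "alias@platform" sightings behind it."""
    ds = DisjointSet()
    evidence = defaultdict(set)
    for platform, alias, contacts in posts:
        a = normalize_alias(alias)
        ds.find(a)  # register aliases that carry no usable contact at all
        for raw in contacts:
            ind = normalize_contact(raw)
            if ind is None:
                continue
            evidence[ind].add(f"{alias}@{platform}")
            ds.union(a, ind)
    clusters = defaultdict(set)
    for _, alias, _ in posts:
        a = normalize_alias(alias)
        clusters[ds.find(a)].add(a)
    return sorted(clusters.values(), key=lambda c: sorted(c)), evidence


def shared_pivots(evidence, min_aliases=2):
    """Indicators seen under at least `min_aliases` distinct alias keys: the pivots
    an analyst should review, since a shared contact may also be a reseller."""
    out = {}
    for ind, sightings in evidence.items():
        aliases = {normalize_alias(s.split("@")[0]) for s in sightings}
        if len(aliases) >= min_aliases:
            out[ind] = sorted(aliases)
    return out


if __name__ == "__main__":
    clusters, evidence = build_clusters(POSTS)
    for c in clusters:
        print("cluster:", sorted(c))
    for ind, aliases in shared_pivots(evidence).items():
        print("pivot:", ind, "->", aliases, f"({len(evidence[ind])} sightings)")
```

On the constructed input, “xerttechy,” “xpert techy,” “markoliver,” and “mark oliver” collapse into one cluster through tg:tools4alll, while the unrelated alias stays separate; tg:blackhattoolss and the website domain are recorded as evidence but are not pivots, because each was seen under a single alias. The pivot list is the part worth reviewing by hand: as the report itself notes, a contact reused across identities may indicate shared control or a broader distribution setup, and the script only surfaces the overlap.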

Operational Pattern and Tool Distribution Strategy

Looking across all the identified threads, channels, and websites, a consistent pattern begins to take shape in how the operation is structured. The activity does not rely on a single platform or identity. Instead, it follows a layered approach where each component plays a specific role.

Forum posts appear to serve as the entry points. Across platforms, the content is kept simple: short descriptions, feature highlights, and claims around functionality. These posts are not overly detailed, but they are frequent and spread across multiple communities, increasing visibility without drawing too much attention to any single account.

From there, users are directed toward Telegram. This is where interaction likely moves from public to private. The repeated appearance of channels such as t.me/blackhattoolss and t.me/tools4alll, along with the admin handle @real*********s, suggests that Telegram acts as the primary coordination layer: handling communication, follow-ups, and possibly transactions.

The inclusion of external websites adds another layer. Pages like the Google Sites storefront and the proofs page provide a sense of structure, giving the operation a more organized appearance. At the same time, domains such as xperttechy.*** introduce a different kind of presence, one that blends in with regular web content while still linking back to the broader activity.

Another noticeable aspect is the range of tools being promoted. Instead of focusing on a single product, the activity spans Android RATs, Windows RATs, crypto-related tools, crypters, and mining utilities. This suggests a distribution model rather than development, where the goal is to offer a variety of tools to attract a wider audience.

Overall, these elements point to a setup that is designed for reach and continuity. If one platform or account becomes inactive, others can continue operating without disruption. The repetition of the same structure across different environments makes the activity easier to trace, but also highlights a deliberate and reusable approach rather than isolated or one-off posts.

Conclusion

What started as a single forum thread gradually unfolded into a broader network of activity spread across multiple platforms. By following small but consistent details: usernames, contact links, and repeated posting patterns, it became possible to connect what initially appeared to be unrelated pieces.

The investigation shows that this activity is not limited to one identity or one platform. Instead, it relies on a combination of forum presence, Telegram-based communication, and supporting web infrastructure. Each layer plays a role, whether it is attracting users, maintaining contact, or reinforcing credibility.

A key takeaway is the reuse of the same elements across different environments. Variations in usernames or platforms did not change the underlying structure. The same types of tools were promoted in similar ways, and users were consistently directed toward shared communication channels. This consistency made it possible to map connections without relying on a single definitive identifier.

The presence of both overt tool promotion and a more neutral-looking web platform adds another layer to the activity. Rather than operating entirely in one space, the setup blends into different environments, making it less obvious when viewed in isolation.

Overall, the findings point toward a coordinated distribution effort rather than scattered activity. The strength of this operation lies not in any single component, but in how these components work together to create a connected and persistent presence across platforms.

Editorial Note

Investigations involving underground forums and fragmented online identities rarely provide absolute certainty, especially when actors deliberately reuse aliases and operate across multiple platforms. What can be established, however, are patterns: consistent behaviors, repeated contact points, and overlapping infrastructure that, when viewed together, form a reliable picture of activity.

This case highlights how small, seemingly disconnected traces can be pieced together through StealthMole, allowing analysts to navigate uncertainty and build a structured understanding of complex, multi-layered operations.

To access the unmasked report or full details, please reach out to us separately.
