From Yab Yum to Daulatdia: Tracing the Infrastructure of a Dark Web Prostitution Platform

The investigation began with the discovery of an onion service presenting itself as Daulatdia Brothel, encountered incidentally during analysis of unrelated dark web activity. The site claimed to offer on-demand sexual services and positioned itself as an established operation rather than a newly created platform. At the time of discovery, there was no clear indication of who operated the service, how long it had been active, or whether it existed beyond a single domain.

Initial investigation raised subtle but important questions. The platform appeared more structured than many transient dark web listings, yet its presentation and claims did not fully align with its visible footprint. Certain elements suggested the service might not be confined to a single domain, prompting a broader examination of its digital presence rather than its advertised offerings.

As the investigation expanded, attention shifted away from the content of the site itself and toward the traces surrounding it, where the service appeared, how it was referenced elsewhere, and what technical artifacts persisted beyond the main page. These early indicators suggested that the Daulatdia-branded site might represent only one stage in a longer operational history.

This report follows that trail. By examining the infrastructure, external references, and financial touchpoints associated with the platform, the investigation seeks to reconstruct how the service emerged, evolved, and maintained continuity within the dark web environment, based solely on verifiable evidence.

Incident Trigger and Initial Investigation

The investigation was triggered when an onion URL surfaced during a separate dark web inquiry. The link appeared under the label “SlaveBay,” a third-party reference rather than a name used by the service itself.

  • b33y***************************************************eid.onion

When analyzed using StealthMole’s dark web tracker, the onion service was found to identify itself directly as “Welcome to Daulatdia Brothel.” The site claimed association with Daulatdia, Bangladesh, and advertised sexual services through a structured interface rather than a single static page. At this stage, the platform’s legitimacy, scope, and longevity were unknown.

Further contextual checks revealed that the same onion URL was mentioned in a Telegram channel, where it was described as a probable scam. This conflicting external characterization introduced early ambiguity, reinforcing the need to rely on infrastructure-level evidence rather than surface claims.

Given the discrepancy between the site’s apparent structure and its disputed reputation, the investigation shifted toward determining whether the platform existed elsewhere, had historical continuity, or shared infrastructure with other services.

Platform Structure and Internal Functionality

With the initial Daulatdia-branded onion service identified, the next step was to understand whether the platform functioned as a simple advertisement or as an operational service. The first identified domain was run through StealthMole’s dark web tracker, which surfaced a second domain serving the same interface.

  • yabyum***********************************************gpqd.onion

Beyond the landing page, the platform also exposed a login interface, a publicly accessible forum, and individual user profile pages, including a visible account under the username Nameless1. These elements suggested that the service was designed to support user accounts and repeat engagement rather than one-off contact. An FAQ section and a page discussing short-term accommodation, including Airbnb rentals, further reinforced the impression of a platform attempting to present itself as organized and service-oriented.

The forum was explicitly described as unmoderated. Threads visible at the time of investigation showed users openly requesting sexual services by geography and preference. Whether these requests resulted in real-world interactions could not be verified, but the design choice itself was telling. By hosting requests internally rather than pushing users immediately to external messaging platforms, the service positioned itself as a central coordination point rather than a passive directory.

Marketplace Presentation and Media Artifacts

As the investigation moved deeper, StealthMole’s media indexing capabilities revealed additional details about how the platform presented its offerings. Multiple image assets were discovered under user-associated directories, consistent with listing or profile imagery rather than generic decoration.

Several of these images carried embedded labels such as MACDADDYPIMP, Lonely_cuties, Lupin, and SupplyForKids. The repetition and formatting of these labels suggested deliberate categorization, likely intended to segment listings or personas within the marketplace. While the indexed images themselves did not contain explicit sexual content, their structured presentation aligned with how illicit service marketplaces commonly organize offerings for browsing and selection.

At this stage, the focus remained on what could be observed directly: the platform behaved like a marketplace, with persistent listings, categorized personas, and infrastructure built to support discovery and comparison, regardless of how effective or legitimate those offerings ultimately were.

Historical Footprint and Rebranding Indicators

Questions about the platform’s longevity were addressed through historical indexing. This process revealed that the Daulatdia-branded service had not emerged in isolation. The same infrastructure had previously operated under the name Yab Yum, using identical layouts, content structure, and service descriptions.

Several onion domains were associated with this earlier phase, including:

  • b33yiqlhpysykamkyzeerxz4yishmelo5fruityj543jlnn6silna2ad.onion
  • 4ogv76w42wjhv5zloluegzcpte7trrzxkbugqy7vvtismws4zm5zzmid.onion
  • 4ogv76w4nm5egekasxxudinby3uhowv6mt2pjtp2zcbrdsrdb65fp4id.onion

All three were offline at the time of investigation, but historical snapshots showed them hosting the same platform that later appeared under the Daulatdia identity. Rather than indicating unrelated copycat sites, the consistency across these domains pointed to deliberate mirror deployment and domain rotation.

During its Yab Yum phase, the platform also promoted a USD 2,000 weekend trip to Daulatdia, Bangladesh. The offer was framed as a bundled experience rather than casual travel advice, implying a level of coordination beyond simple online introductions. While there was no evidence that such trips were ever executed, their promotion provided insight into how the platform sought to position itself: as an organized service with international reach.

Operator Signals and Infrastructure Continuity

As the investigation expanded beyond domains, attention turned to identifying stable operator-linked artifacts. Two email addresses were recovered from the platform’s content across different iterations:

  • h******@notmail.com
  • hp****@mail2tor.com

One of these, h*****@notmail.com, was associated with the PGP fingerprint:

  • 3DC*************************************FE

This cryptographic identifier became a key pivot point. Unlike onion domains, which are frequently discarded, PGP keys often persist across infrastructure changes. Pivoting on this fingerprint led to the identification of another related onion domain, which was also offline at the time of analysis.

  • b33******************************************rad.onion

The reuse of the same PGP key across multiple domains and branding phases provided a strong continuity signal. It suggested that the Daulatdia and Yab Yum platforms were not separate efforts but successive iterations managed under the same operational control.
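The pivot described above (a fingerprint that outlives the domains it was published on) is easy to script once page snapshots are in hand. The block below is an added example written for this page, not StealthMole’s tooling; the domains, page text and key in it are constructed, and it assumes v4 keys, for which the long key ID is the last 16 hex digits of the fingerprint.

```python
"""Pivot across archived page snapshots on a PGP key rather than on a domain.

Constructed example (invented domains, invented key): a full v4 fingerprint on
one mirror and a long key ID on another resolve to the same key. A v4 long key
ID is the low 64 bits of the fingerprint, i.e. its last 16 hex digits; that
relationship does not hold for v5/v6 keys, which use SHA-256 fingerprints.
"""
import re
from collections import defaultdict

# A 40-hex fingerprint (optionally in spaced or colon-separated groups of four;
# GnuPG prints a double space after the fifth group) or a 16-hex long key ID,
# optionally prefixed with 0x. The word-boundary anchors and the 4..10 group
# count stop a 64-hex SHA-256 or a 56-char onion label from matching.
_HEX_RUN = re.compile(r"(?i)\b(?:0x)?((?:[0-9a-f]{4}[ :]{0,2}){4,10})\b")


def extract_pgp_identifiers(text):
    """Return uppercase identifiers of length 40 (fingerprint) or 16 (long key ID).

    A bare 40-hex run is indistinguishable from a SHA-1 hash; keep the label
    context of the page in mind when the source is not obviously a key block.
    """
    found = []
    for m in _HEX_RUN.finditer(text):
        ident = re.sub(r"[^0-9A-Fa-f]", "", m.group(1)).upper()
        if len(ident) in (40, 16):
            found.append(ident)
    return found


def pivot_on_pgp(snapshots):
    """snapshots: {domain: page text}. Returns {key identifier: sorted domains}.

    Long key IDs are folded into the fingerprint they belong to when that
    fingerprint was seen anywhere; otherwise they form their own cluster.
    """
    by_fp, by_keyid = defaultdict(set), defaultdict(set)
    for domain, text in snapshots.items():
        for ident in extract_pgp_identifiers(text):
            (by_fp if len(ident) == 40 else by_keyid)[ident].add(domain)
    clusters = {}
    for fp, domains in by_fp.items():
        clusters[fp] = sorted(domains | by_keyid.pop(fp[-16:], set()))
    for keyid, domains in by_keyid.items():
        clusters[keyid] = sorted(domains)
    return clusters


# Constructed snapshots: the domains and the key do not exist.
SNAPSHOTS = {
    "mirror-a.onion": (
        "Contact: admin@example.invalid\n"
        "PGP fingerprint: A1B2 C3D4 E5F6 0718 293A  4B5C 6D7E 8F90 1234 5678\n"
        "Package hash: 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff\n"
    ),
    "mirror-b.onion": "Same key as the old mirror, key ID 0x6D7E8F9012345678 (sig below)\n",
    "mirror-c.onion": "No PGP key published. Wallet: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4\n",
}

if __name__ == "__main__":
    for key, domains in pivot_on_pgp(SNAPSHOTS).items():
        print(key, "->", ", ".join(domains))
```

The 64-hex hash and the bech32 address in the sample pages are deliberately there to show that they are not picked up; only the fingerprint and the key ID survive, and the key ID is joined onto the fingerprint by its last 16 digits, so mirror-a and mirror-b land in one cluster while mirror-c stays out.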

Financial Infrastructure and Payment Readiness

Financial artifacts added another layer to this continuity. Analysis of b33yiqlkdqa3scyxzvn6vbz5qsw7e7dzp3mizrknqeuv35bauuj6wrad.onion surfaced a large number of Bitcoin wallet addresses linked to the platform. Among these were addresses such as:

  • bc1q8x*******************************px43
  • bc1qax*******************************3lnl
  • bc1q2g*******************************qvfy
  • bc1qut******************************va5ju
  • bc1qry******************************s4py6
  • bc1qzk******************************pnhhs
  • bc1q4*********************************rnv7
  • bc1qm*********************************md7h
  • bc1qj*********************************rvrg
  • bc1qa*********************************tu78

Most of the identified wallets showed no observable transaction history, suggesting either low usage or preparatory provisioning rather than active throughput. One address, however, displayed confirmed activity, distinguishing it from the broader set.

  • bc1q4*******************************rnv7

A separate, Yab Yum–linked domain, 4ogv76wvasufotajocqxlobk3bwsqi2loqd7znu4bkxqovov6pgr6oyd.onion, exposed an additional wallet:

  • bc1q8****************************g8w

Taken together, the wallet infrastructure suggested deliberate readiness to accept cryptocurrency payments, even if actual usage appeared uneven.
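Both kinds of identifier recovered in this report carry a checksum: v3 onion addresses and bech32 Bitcoin addresses. A value copied from a screenshot or an archived page with a dropped character or a mis-cased letter (a capital B at the start of a bc1q address, for instance) fails the check, which is far cheaper than hours of pivoting on a wrong value. The following is an added example written for this page, not StealthMole’s tooling; it uses only the standard library, the 32-byte key it encodes is deterministic filler rather than a real service key, the bc1q and bc1p strings are the BIP173 and BIP350 specification examples, and the one onion address it checks is quoted from the Yab Yum list above.

```python
"""Check recovered onion and Bitcoin addresses for transcription damage.

Both identifier types carry a checksum, so a value copied from a screenshot
or an archived page can be tested before anyone pivots on it. Pure standard
library; the 32-byte key below is deterministic filler, not a real service key.
"""
import base64
import hashlib

# ---- v3 onion addresses (Tor rend-spec-v3) -------------------------------
# label = base32(pubkey || checksum || version), version = 0x03,
# checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]

def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """Encode a 32-byte ed25519 public key as a v3 address (used for test input)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]
    return base64.b32encode(pubkey + checksum + b"\x03").decode().lower() + ".onion"


def check_onion_v3(addr: str):
    """Return (ok, detail) for 'label.onion' or a bare 56-character label."""
    label = addr.strip().lower().removesuffix(".onion")
    if len(label) != 56:
        return False, "wrong length (v3 labels are 56 chars; 16 chars is a dead v2 address)"
    try:
        raw = base64.b32decode(label.upper())
    except Exception:
        return False, "not base32"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != 3:
        return False, f"unexpected version byte {version}"
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]
    if checksum != expected:
        return False, "checksum mismatch (likely a transcription error)"
    return True, "valid v3 address"


# ---- bech32 / bech32m Bitcoin addresses (BIP173 / BIP350) -----------------
_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
_GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)


def _polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= _GEN[i]
    return chk


def check_bech32(addr: str):
    """Return (ok, detail) for a segwit address such as bc1q... or bc1p...."""
    if addr != addr.lower() and addr != addr.upper():
        return False, "mixed case is invalid under BIP173"
    a = addr.lower()
    pos = a.rfind("1")
    if pos < 1 or pos + 7 > len(a) or len(a) > 90:
        return False, "bad length or separator position"
    hrp, data = a[:pos], a[pos + 1:]
    if any(c not in _CHARSET for c in data):
        return False, "character outside the bech32 alphabet"
    values = [_CHARSET.index(c) for c in data]
    hrp_exp = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    const = _polymod(hrp_exp + values)
    if const == 1:
        enc = "bech32"
    elif const == 0x2BC830A3:
        enc = "bech32m"
    else:
        return False, "checksum mismatch (likely a transcription error)"
    version, prog_bytes = values[0], (len(values) - 7) * 5 // 8
    if version > 16 or not 2 <= prog_bytes <= 40 or (version == 0 and prog_bytes not in (20, 32)):
        return False, f"witness v{version} with a {prog_bytes}-byte program is invalid"
    if (version == 0) != (enc == "bech32"):   # v0 must be bech32, v1+ must be bech32m
        return False, f"witness v{version} must not use {enc}"
    return True, f"{enc}, hrp={hrp}, witness v{version}, {prog_bytes}-byte program"


if __name__ == "__main__":
    demo = onion_v3_from_pubkey(bytes(range(32)))
    for a in (demo,
              demo[:-7] + "a" + demo[-6:],   # last label character altered
              "b33yiqlhpysykamkyzeerxz4yishmelo5fruityj543jlnn6silna2ad.onion"):  # quoted from the report
        print(a, *check_onion_v3(a))
    for a in ("bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",   # BIP173 test vector
              "Bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",   # one letter mis-cased
              "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5",   # last character altered
              "bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqzk5jj0"):  # BIP350 example
        print(a, *check_bech32(a))
```

A failed check on an address taken from a page snapshot does not mean the operator published a bad address; it usually means the OCR or the analyst’s transcription lost a character, and the snapshot should be re-read before the value goes into a report or a blockchain query.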

External References and Promotion

The platform’s presence was not limited to its own onion infrastructure. One of the Yab Yum–associated domains was identified in a Telegram channel named Silent Cyber Force. In that context, the link was promoted explicitly as an online prostitution platform.

  • 4ogv76w4nm5egekasxxudinby3uhowv6mt2pjtp2zcbrdsrdb65fp4id.onion

This reference was external and third-party in nature, but it demonstrated that the service circulated beyond passive dark web discovery. Whether promoted intentionally by the operator or shared organically, the appearance of the link in Telegram indicated that the platform was perceived as operational and worth advertising within adjacent communities.

Conclusion

Following the Daulatdia Brothel onion service back through its infrastructure revealed a platform that evolved rather than appeared suddenly. Through rebranding, mirror rotation, and reuse of core technical elements, the service transitioned from its earlier Yab Yum identity while maintaining operational continuity.

Stable artifacts, particularly a reused PGP fingerprint, recurring contact details, and shared backend structure, tied these iterations together more convincingly than any single domain could. Financial infrastructure and external promotion further suggested a platform built with persistence and scalability in mind, even if its real-world impact remains difficult to measure.

By focusing on infrastructure, identifiers, and contextual traces rather than the platform’s own claims, this investigation reconstructs how the service emerged, adapted, and sustained itself within the dark web environment.

Editorial Note

Dark web investigations rarely provide complete certainty. Services fragment their infrastructure, rotate identities, and allow components to lapse and resurface over time. This case demonstrates how methodical correlation of domains, cryptographic identifiers, financial artifacts, and external references can reveal continuity where none is immediately apparent, and how StealthMole enables such analysis without relying on speculation or assumption.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


Old Data, New Actor: Investigating Solonik’s Alleged Instagram 17M Leak

In early January 2026, a threat actor operating under the name Solonik began gaining attention across dark web forums and Telegram channels after advertising a large-scale Instagram data leak allegedly tied to a “2024 API breach.” The dataset was marketed as containing 17 million Instagram user records, including usernames, emails, phone numbers, and internal IDs. Given Instagram’s global footprint and the scale claimed, the leak quickly drew interest from buyers and researchers alike.

At first glance, Solonik appeared to be a rapidly emerging actor. StealthMole monitoring showed a sharp spike in activity associated with his handle, with dozens of leaks posted in a short time frame and multiple distribution channels emerging almost simultaneously. The pace, volume, and confidence of Solonik’s claims suggested either privileged access to new data sources or a coordinated effort to appear established.

However, as the investigation progressed, inconsistencies began to surface. While the dataset was promoted as new and tied to a 2024–2026 breach window, early indicators suggested that identical data samples had circulated years earlier. This raised the possibility that the “new” Instagram leak was not a fresh compromise but a recycled dataset being reintroduced under a different narrative.

This report documents how StealthMole was used to trace the origins, movement, and rebranding of this dataset across forums, Telegram channels, and domains, ultimately challenging Solonik’s claims and highlighting the growing trend of breach recirculation under false timelines.

Incident Trigger and Initial Investigation

The investigation began when Solonik published a thread titled “INSTAGRAM.COM 17M USERS — 2024 API LEAK (USERNAMES, EMAILS, PHONES, IDS)” on Dark Forums.

  • https://darkforums.****/Thread-INSTAGRAM-COM-17M****Solonik-****

To assess the actor’s credibility and scale, the identifier Solonik was queried through StealthMole’s Leaked Monitoring module. This revealed that between 7 January 2026 and 20 January 2026, Solonik had been associated with leaks affecting approximately 105 distinct victims, ranging from social media datasets to regional institutional records. This level of activity suggested either a highly active reseller or a coordinated operation.

One of the earliest corroborating signals came from Solonik’s Telegram presence. Using StealthMole’s Telegram Tracker, the channel https://t.me/solonik_*****s was identified as a public-facing vouch and transaction channel. From there, StealthMole uncovered an additional invite-only Telegram group at https://t.me/+iS5*******k, where screenshots showed buyers negotiating prices, confirming cryptocurrency transactions, and receiving CSV database files.

Notably, this Telegram infrastructure had already been indexed by StealthMole under CVE-2025-14847 and CVE-2026-21858, linking Solonik’s ecosystem to previously flagged malicious distribution activity. This connection established that the actor was not operating in isolation and had already intersected with known high-risk Telegram clusters.

Expansion of Infrastructure and the “BAPHOMET” Reference

Further investigation into Solonik’s online footprint revealed the domain solonik.***, which was queried through StealthMole’s Darkweb Tracker. The results were significant: StealthMole indexed 999+ leaked files associated with this domain, many labeled with Instagram-related filenames such as Instagram@Solonik_BF.json.

Among these results, a second Instagram-related leak surfaced on 14 January 2026, tied to a BreachForums thread advertising 45K Korean Hospital Patient & System Records. In Solonik’s forum bio on this thread, he included the phrase blessed by BAPHOMET.

This phrase prompted a deeper investigation. Through Telegram tracking, StealthMole identified a video circulating in one of Solonik’s channels in which he screen-recorded a BreachForums interaction. In the video, a user identified as BAPHOMET thanked Solonik for previously disclosing information about an SQL vulnerability in the forum’s structure, specifically referencing the my tabs column.

The video also displayed BAPHOMET’s BreachForums profile, showing the account as permanently banned, but historically influential. The message claimed that Solonik had “saved” the forum from a breach years earlier and framed their interaction as proof of legitimacy and insider status. While the claim itself could not be independently verified, its inclusion served as a credibility signal aimed at potential buyers.

This was a critical turning point. The narrative was no longer just about a dataset, but about lineage, reputation, and implied authority within the breach ecosystem.

Data Lineage Analysis: Tracing the Instagram Dataset Backward

To validate Solonik’s claim that the Instagram data originated from a 2024 API breach, the dataset itself was examined. Using StealthMole’s Telegram Tracker, the keyword “Instagram Leak 17M Lines ⭐ ️” was queried across historical Telegram messages. This surfaced a forwarded message dated 2023-11-28, originating from the channel The Jacuzzi.

That forwarded message led directly to a LeakBase thread posted in March 2023 by a user named Chucky. The LeakBase snapshot showed the thread title “Json No Pass Cloud Instagram Leak 17M Lines”, with sample JSON entries containing usernames, emails, phone numbers, and IDs, structurally identical to the samples advertised by Solonik in 2026.

  • https://leakbase.la/threads/instagram-leak-17*************/

Further comparison confirmed that the raw data fields, ordering, and sample values matched across the 2023 LeakBase post and Solonik’s 2026 offering. No new columns, timestamps, or indicators suggested that the dataset had been refreshed or expanded.

This same dataset appeared again in 2024 on Hydra Forums, posted by administrator Pavlov under the title “Instagram Leak 17M Lines ⭐️”:

  • https://hydraforums.io/Threads-*****************************8F

The Hydra Forums snapshot showed the same JSON samples, confirming that the data had circulated unchanged from March 2023 to January 2026, nearly three years.

These findings directly contradicted Solonik’s framing of the leak as a “2024 API breach” and strongly indicated dataset recycling rather than a new compromise.

Chucky, Chucky_lucky, and Identity Overlap

Solonik later claimed in Telegram messages that his previous BreachForums account, “Chucky_lucky,” had been taken down by a moderator named L****i. To assess this claim, Chucky_lucky was queried in StealthMole’s Leaked Monitoring module. The results showed five victims, including a global jewellery brand breach from 2023.

This activity aligned temporally with the original LeakBase Instagram post by Chucky, strengthening the hypothesis that Chucky, Chucky_lucky, and Solonik may be connected. Additional Telegram channels reinforced this pattern, including https://t.me/chucky***f and https://t.me/chucky_*******a, where screenshots showed Chucky listed among the “richest users” on a forum consistent with BreachForums.

These overlaps do not conclusively prove shared ownership, but they demonstrate continuity in datasets, platforms, and monetization strategies. The repeated appearance of the same Instagram data under different aliases across years suggests deliberate rebranding rather than independent rediscovery.

Telegram Attribution and Iranian Infrastructure

The investigation expanded further when the Telegram channel https://t.me/solonik***t was analyzed. StealthMole identified a user, Solonik BF, and from this channel a phone number was extracted: +98 9*********8. Telegram usernames are easily changed, but the numeric user ID behind an account is persistent, which makes that ID, returned to below, the more valuable identifier for further analysis.

The country code +98 indicates Iran. When this number was queried through StealthMole’s Darkweb Tracker, it appeared in a file labeled Iran_Telegram.json, part of previously leaked Iranian Telegram datasets. This does not confirm Solonik’s physical location, but it provides a rare infrastructural linkage between his Telegram presence and known leaked data repositories.

This file is part of a broader collection of leaked Iranian Telegram user data and contains structured records linking phone numbers to Telegram usernames and internal user IDs. Within this dataset, the number is associated with the username Sa*****n and with user ID 46******7, the same numeric ID behind the account now operating as @Solonik*****F. Because the user ID does not change when a username does, this ties the leaked record to that specific account rather than merely to a handle.

Historical analysis of this Telegram user ID provided additional context. When user ID 4********7 was pivoted through StealthMole’s Telegram Tracker, earlier activity associated with the same identifier was identified. Records dating back to October 2022 show the account operating under the username @Sa*****n, with display names recorded as S**** / T***t. This confirms that the identity linked to Solonik predates the 2026 Instagram leak claims by several years, suggesting a long-standing Telegram presence rather than a newly created persona.

Further examination of historical Telegram data showed that this account had been active as early as October 2020, based on StealthMole’s historical indexing. This timeline places the operator well before the emergence of the Instagram dataset later circulated in 2023, 2024, and 2026. The persistence of the same user ID across multiple usernames reinforces the continuity of control over the account, even as outward-facing identities evolved over time.

Additional contextual signals emerged when this Telegram identity was traced across group interactions. The same user ID was referenced within a Persian-speaking Telegram group titled Tavern Club, accessible at https://t.me/g*******b. While participation in such groups does not independently confirm attribution, it further situated the account within an Iranian-language Telegram ecosystem.

Taken together, these findings strengthen the infrastructural linkage between Solonik’s Telegram presence and Iranian-linked Telegram data exposure. The reuse of the same Telegram user ID across multiple usernames, its appearance in leaked Iranian Telegram datasets, and its interaction within regionally aligned Telegram groups suggest operational continuity rather than coincidence. This infrastructure-level overlap does not definitively attribute Solonik to a specific individual or location, but it provides a consistent and traceable framework that aligns with other elements observed throughout the investigation.
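The chain of pivots used in this section (a phone number from a leaked dump, the numeric user ID it resolves to, and the succession of usernames seen on that ID over time) can be scripted so that the join is always made on the ID and never on a handle. The block below is an added example written for this page, not StealthMole’s code; every record, name, number and ID in it is constructed, the record layout is an assumption, and it uses only the standard library.

```python
"""Pivot on the persistent Telegram user ID, not on the username.

Constructed records shaped like the two sources used above: rows from a
leaked Telegram dump (phone -> username -> numeric user ID) and tracker
sightings (user ID, username, display name, date). Every value is invented.
"""
import re

RECORDS = [
    # leak-style row: the phone number is the way into the dataset
    {"source": "leak_dump.json", "user_id": 123456789, "username": "alias_one",
     "phone": "+98 912 000 0000", "seen": "2022-10-05"},
    # tracker sightings of the same numeric ID under changing usernames
    {"source": "tracker", "user_id": 123456789, "username": "alias_one",
     "display": "A. One", "seen": "2020-10-12"},
    {"source": "tracker", "user_id": 123456789, "username": "alias_one",
     "display": "A. One", "seen": "2022-10-05"},
    {"source": "tracker", "user_id": 123456789, "username": "alias_two_bf",
     "display": "Two BF", "seen": "2026-01-09"},
    # decoy: a different account picked up the released username later
    {"source": "tracker", "user_id": 987654321, "username": "alias_one",
     "display": "Someone Else", "seen": "2024-03-01"},
]


def normalize_phone(phone: str) -> str:
    """'+98 912 000 0000', '0098-912-0000000' and '989120000000' all become '+989120000000'."""
    digits = re.sub(r"\D", "", phone)
    if digits.startswith("00"):          # international dialling prefix
        digits = digits[2:]
    return "+" + digits


def ids_for_phone(records, phone):
    """Phone -> numeric user IDs (the join from a leaked dump into Telegram)."""
    target = normalize_phone(phone)
    return sorted({r["user_id"] for r in records
                   if "phone" in r and normalize_phone(r["phone"]) == target})


def ids_for_username(records, username):
    """Username -> numeric user IDs. More than one ID means the handle changed
    hands, which is why a username on its own is not a stable identity."""
    wanted = username.lstrip("@").lower()
    return sorted({r["user_id"] for r in records if r["username"].lower() == wanted})


def alias_history(records, user_id):
    """Chronological username spans for one numeric ID, with the sources that
    saw each username; the ID is the thread that ties the spans together."""
    spans = {}
    for r in sorted((r for r in records if r["user_id"] == user_id), key=lambda r: r["seen"]):
        span = spans.setdefault(r["username"], {"username": r["username"], "first_seen": r["seen"],
                                                "last_seen": r["seen"], "sources": set()})
        span["last_seen"] = r["seen"]
        span["sources"].add(r["source"])
    return sorted(spans.values(), key=lambda s: s["first_seen"])


def first_seen(records, user_id):
    """Earliest sighting of the ID under any username, or None if never seen."""
    history = alias_history(records, user_id)
    return history[0]["first_seen"] if history else None


if __name__ == "__main__":
    for uid in ids_for_phone(RECORDS, "00989120000000"):
        print("user id", uid, "first seen", first_seen(RECORDS, uid))
        for span in alias_history(RECORDS, uid):
            print("  ", span["first_seen"], "..", span["last_seen"], span["username"], sorted(span["sources"]))
    print("accounts that have used alias_one:", ids_for_username(RECORDS, "@Alias_One"))
```

The decoy record is the point of the exercise: querying by username returns two accounts, because a released handle can be re-registered by anyone, while querying by the numeric ID returns one unbroken timeline that the leak row and the tracker rows both sit on.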

Conclusion

The investigation demonstrates that the Instagram “17M users” dataset advertised by Solonik in January 2026 is not new. Through StealthMole’s historical indexing and cross-platform tracking, the data can be traced back to at least March 2023, with confirmed appearances in 2023 (LeakBase) and 2024 (Hydra Forums) before resurfacing in 2026.

Instagram has publicly denied any 2026 breach, further undermining Solonik’s claims. While Solonik has successfully leveraged volume, presentation, and reputation signaling to attract buyers, the underlying data tells a different story, one of recirculation rather than compromise.

Whether Solonik is the same individual as Chucky or Chucky_lucky cannot be stated with certainty. However, the continuity of datasets, platforms, Telegram infrastructure, and monetization patterns strongly suggests either direct identity overlap or close operational alignment.

Editorial Note

Attribution in dark web investigations is rarely absolute. Actors reuse data, identities fragment, and narratives are intentionally blurred. This case underscores how easily old breaches can be reframed as new incidents and how critical longitudinal visibility is in cutting through those claims. By correlating historical leaks, Telegram activity, and infrastructure signals, StealthMole enabled a clearer understanding of what was genuinely new, what was recycled, and where uncertainty still remains.


8Base Revisited: Tracing a Dormant Ransomware Operation

8Base surfaced as a ransomware operation built around visibility. Victim disclosures were central to its strategy, with listings published across Tor-based leak sites and, at times, mirrored through surface-level infrastructure. From mid-2023 through 2024 and into early 2025, the group remained consistently present in ransomware reporting, maintaining a steady cadence of victim publications before abruptly going quiet.

That silence followed the seizure of its primary onion site by law enforcement. After the takedown, 8Base stopped appearing in new victim disclosures and gradually faded from public view, leading many to treat the operation as concluded. But ransomware groups rarely vanish cleanly, and disappearance alone is often a poor indicator of whether an operation has truly ended.

This investigation revisits 8Base with a different question in mind, not whether it was taken down, but what traces it left behind. By examining residual infrastructure, dormant communication channels, and technical artifacts preserved through StealthMole’s historical indexing, dark web tracking, and Telegram monitoring, the analysis reconstructs how the operation evolved over time. What emerges is not a clean shutdown, but a fragmented footprint that overlaps with other ransomware ecosystems, suggesting continuity beneath the surface even after the brand itself went quiet.

Incident Trigger and Initial Investigation

The decision to investigate 8Base came from its absence rather than its activity. By the time this case was initiated, the group had been offline for several months, and most public reporting treated it as a concluded ransomware operation. That assumption raised a simple question: was 8Base truly gone, or had it merely gone quiet?

Rather than looking for new victims or fresh extortion attempts, the investigation focused on what might still be accessible. Ransomware groups rarely disappear cleanly. Even after takedowns, traces often remain in the form of abandoned infrastructure, forgotten communication channels, or technical artifacts that outlive the brand itself. The goal was to map those remnants and assess whether anything of intelligence value still persisted.

The first step was to ground the investigation in confirmed activity. A review of 8Base within StealthMole’s ransomware monitoring tool showed that the group had recorded 459 victims between May 2023 and February 2025. This confirmed that 8Base was active far more recently than many assumed and provided a clear operational timeframe to work within.

The final recorded victim, dated 1 February 2025, was St. Nicholas School in Brazil, which became the starting point for tracing 8Base’s infrastructure backward, following the same path an analyst would have followed while the group was still active.

Tracing the Primary Leak Site

Following the final victim listing led directly to the ransomware leak site where the disclosure had been published. When accessed during the investigation, the site was still reachable over Tor but displayed a law enforcement seizure banner, confirming that authorities had taken control of the infrastructure rather than the site simply having gone offline.

  • http://xfycpauc22t5jsmfjcaz2oydrrrfy75zuk6chr32664bsscq4fgyaaqd.onion/

Using StealthMole’s historical indexing feature, it was possible to view how the site appeared prior to the seizure. Archived snapshots showed a fully functioning extortion portal, complete with victim pages, descriptive summaries, and publication timelines. This confirmed that the site was not a mirror or scraped archive, but a core component of 8Base’s operation.

When the site was analyzed further using StealthMole’s dark web tracker, a malware hash surfaced in connection with the infrastructure:

  • e31d56289c1957053630383ff71959cba08521874410bd78e46680788490e9cd

This discovery shifted the focus of the investigation. Domains can be seized and channels abandoned, but a sample’s hash remains a durable pivot across malware repositories, sandbox reports, and detection rules, offering a longer-lasting signal than any single piece of infrastructure.

Telegram as the Remaining Communication Layer

With the primary infrastructure identified, attention turned to whether 8Base had maintained any communication presence beyond its seized site. The onion domain was searched across StealthMole’s Telegram tracker, which surfaced an invite-only chat channel that had circulated the same onion address shortly before the takedown:

  • https://t.me/+GxHjaDP0bOphZjNh

Although the channel is no longer accessible, historical messages provide context into how 8Base-linked infrastructure was being discussed in the period surrounding the takedown. One message explicitly stated that 8Base had been compromised and referenced the seized onion site. While the identity of the poster cannot be verified, the message reflects how the takedown was perceived within adjacent communities.

Further analysis revealed a second Telegram channel with a different purpose and structure:

  • https://t.me/eightbase

This channel described itself as the official 8Base channel and functioned as a broadcast outlet rather than an open chat. Unlike the invite-only channel, it remains online, though its administrators have been inactive for months. The contrast between these two channels suggests a layered communication strategy rather than a single point of contact.

Official Messaging, Social Media, and Infrastructure Changes

The official Telegram channel provided a clearer timeline of 8Base’s public-facing activity. Created in May 2023, it was used to post announcements, infrastructure updates, and links to external platforms. While activity has ceased, the historical messages remain accessible and offer insight into how the group managed disruption.

Within the channel, 8Base linked to its X account:

  • https://x.com/8BASEHOME

Messages from 2023 explained that a previous Twitter account had been suspended, prompting the creation of this replacement. The X account itself remains online but has shown no activity since 2 February 2025, closely aligning with the group’s disappearance elsewhere.

One Telegram post from late 2023 announced a change to the group’s website and shared a new onion address:

  • xb6q2aggycmlcrjtbjendcnnwpmmwbosqaugxsqb4nx6cmod3emy7sad.onion

This was not the site later seized by law enforcement, indicating that 8Base had already begun rotating infrastructure well before any coordinated takedown.

Earlier Infrastructure and Surface-Level Presence

By the time the official Telegram channel was identified, it had already become clear that 8Base did not rely on a single piece of infrastructure throughout its lifetime. Further analysis of the channel revealed another onion domain linked to the group:

  • basemmnnqwxevlymli5bs36o5ynti55xojzvn246spahniugwkff2pad.onion

Unlike the site that was later seized by law enforcement, this domain was already offline when examined and survives only in StealthMole’s historical records. There was no seizure banner and no indication of intervention, suggesting it had been abandoned earlier as part of routine infrastructure churn rather than forced takedown. This places the domain as an earlier iteration rather than a successor.

This detail matters because it suggests that 8Base was already accustomed to rotating or discarding infrastructure well before external pressure became visible. Rather than reacting to disruption, the group appears to have operated with an expectation that sites would eventually fail, be blocked, or become liabilities. In that sense, the law enforcement seizure did not interrupt a stable system; it simply accelerated an already transient model.

The presence of a surface-level site reinforces this pattern. Telegram messages pointed to a publicly accessible IP address that hosted 8Base-branded content:

  • http://92.118.36.204

The decision to maintain a surface site alongside Tor infrastructure is notable. While riskier, it provides broader visibility, easier access for journalists or intermediaries, and redundancy if Tor services become unreliable. At the same time, it dramatically increases exposure to monitoring and attribution, which may explain why the site was eventually abandoned rather than defended.

Viewed together, these infrastructure layers suggest that 8Base treated domains as disposable assets rather than fixed anchors. Onion services came and went, surface infrastructure was briefly leveraged, and communication channels carried the continuity instead. This approach aligns more closely with ransomware-as-a-service ecosystems than with tightly controlled, single-group operations.

How 8Base Framed Its Own Operations

Insight into how 8Base claimed to operate came primarily from the FAQ page hosted on its surface-level site, accessible at:

  • http://92.118.36.204/faq/44

While the site is no longer online, historical snapshots preserved by StealthMole provide a detailed view of how the group structured its extortion workflow and victim interactions. Unlike brief ransom notes or generic leak pages, the FAQ laid out a multi-stage process that attempted to formalize how victims were handled from initial compromise to potential disclosure.

8Base divided victim cases into distinct stages. Newly compromised organizations were first placed in an “evidence” state, where limited proof of access or data theft was shown. This phase functioned as a pressure mechanism without immediate full disclosure. If negotiations failed or communication stopped, victims were moved to a “disclosed” state, where broader datasets were published publicly. This tiered approach mirrors common ransomware extortion models but shows deliberate staging rather than immediate escalation.

Negotiation was positioned as central to the operation. The FAQ emphasized Telegram as the primary channel for communication, directing victims to engage through designated Telegram accounts rather than email or web forms. It also described a “last chance” negotiation window, suggesting that victims retained the ability to engage even late in the process, though under increasing time pressure. This indicates that 8Base prioritized real-time, controllable communication channels that could be abandoned or replaced quickly if compromised.

The group also described internal rules around what data would be published and what could potentially be withheld. While these claims cannot be verified, they outline how 8Base attempted to standardize decision-making across cases, rather than treating each victim as an ad hoc negotiation. The FAQ mentioned limits on the volume of personal data released and conditions under which partial removal might occur, suggesting an effort to balance pressure with perceived credibility.

Beyond victim negotiations, the FAQ also outlined how 8Base managed external communication. Journalists were encouraged to make contact through dedicated Telegram channels and were offered early access to data prior to public release. This reflects an understanding of media amplification as an extension of the extortion process, using publicity to increase pressure on victims rather than relying solely on private negotiation.

Malware Hashes and a Broader Ransomware Ecosystem

The most analytically significant findings emerged when one of the rotated onion domains, xb6q2aggycmlcrjtbjendcnnwpmmwbosqaugxsqb4nx6cmod3emy7sad.onion, was examined through StealthMole’s dark web tracker. This analysis surfaced four malware hashes associated with the infrastructure:

  • 212f02ec96732a9b12e73633730cbf3286f12ffe2078091a331d818befbd68cf
  • 51a36760c4142f14db6add806d3920f1aa0662ea049ef4ea1dfce598ab675f91
  • 9f628cfed8996f974a6c6d39d41d82d8e29972117591605ccceff0bd5c6fd432
  • 5bc9478d90533ebccf09c7204999853bae36db997b230e2809090c7827c8ced0

At first glance, the presence of multiple hashes tied to a single onion site might suggest routine tooling updates or payload variations. However, the significance lies not in their quantity, but in their reuse beyond 8Base’s infrastructure.

Two of these hashes, 9f628cfed8996f974a6c6d39d41d82d8e29972117591605ccceff0bd5c6fd432 and 5bc9478d90533ebccf09c7204999853bae36db997b230e2809090c7827c8ced0, were also observed across onion sites associated with several other ransomware operations, including ALPHV, BianLian, Knight, and Play:

  • Alphvmmm27o3abo3r2mlmjrpdmzle3rykajqc5xsj7j7ejksbpsa36ad.onion
  • bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion
  • knight3xppu263m7g4ag3xlit2qxpryjwueobh7vjdc3zrscqlfu3pqd.onion
  • mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion

A deeper look at the malware itself helps clarify this overlap. Strings extracted from the binary show that it was written in Go and includes a fully developed extortion workflow, not just encryption logic. Embedded messages reference data exfiltration, staged disclosure timelines, proof-of-compromise materials, and media pressure, all elements that align closely with how large ransomware operations structure negotiations. This suggests the malware was designed to integrate directly with leak-site-driven extortion rather than function as a standalone locker.

More notably, the strings explicitly reference multiple ransomware leak sites and communication channels, including onion URLs associated with ALPHV, BianLian, Knight, Play, and 8Base itself. This indicates that the overlap was not accidental reuse or post-compromise contamination, but deliberate design. The malware appears to have been built with awareness of multiple branded operations, capable of operating within different extortion ecosystems depending on deployment. In other words, the same tooling could support multiple “groups” without requiring each to maintain its own bespoke malware.
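The string-level triage described above (Go toolchain markers plus embedded v3 onion addresses pointing at more than one brand) can be reproduced on any sample with a short script. The following is an added example, not StealthMole's tooling or the report's own analysis; the sample bytes are constructed inline and only reuse two onion addresses already cited in this report, with no real binary involved.

```python
import re
from typing import Dict, List

# Minimum printable run to report, matching the default of the `strings` tool
MIN_LEN = 4
# Tor v3 onion address: exactly 56 base32 characters followed by .onion
ONION_V3 = re.compile(rb"\b[a-z2-7]{56}\.onion\b")
# Markers that a Go toolchain leaves in a statically linked binary
GO_MARKERS = (b"Go build ID:", b"go1.", b"runtime.main", b"runtime.gopanic")


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII runs of at least min_len bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def triage(blob: bytes) -> Dict[str, object]:
    """Summarise Go evidence and leak-site references found in a binary."""
    strings = extract_strings(blob)
    onions = sorted({m.group().decode("ascii") for m in ONION_V3.finditer(blob)})
    go_hits = [m.decode("ascii") for m in GO_MARKERS if m in blob]
    return {
        "string_count": len(strings),
        "likely_go": len(go_hits) >= 2,          # two independent markers
        "go_markers": go_hits,
        "onion_addresses": onions,
        "multi_brand": len(onions) > 1,          # references to several leak sites
    }


# Constructed, inert sample: ELF-like header, Go markers, two onion URLs from
# the report (8Base and BianLian), one extortion-style message, and binary noise.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b'Go build ID: "constructed-example"\x00'
    + b"go1.21.5\x00runtime.main\x00"
    + b"http://xb6q2aggycmlcrjtbjendcnnwpmmwbosqaugxsqb4nx6cmod3emy7sad.onion/\x00"
    + b"http://bianlianlbc5an4kgnay3opdemgcryg2kpfcbgczopmm3dnbz3uaunad.onion/\x00"
    + b"Your data will be published in 72 hours\x00"
    + b"\x01\x02\x03"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```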

This reframes how 8Base should be understood. Rather than operating as a fully independent ransomware group with unique infrastructure and tooling, 8Base fits more naturally into a shared-backend model. Under this structure, branding, victim portals, and Telegram channels form the visible layer, while malware development and infrastructure provisioning sit beneath it. When a brand becomes exposed or compromised, as 8Base eventually was, it can be retired without disrupting the underlying technical framework.

From an intelligence perspective, this is precisely why the malware hashes matter more than the seized domains. Onion sites can be rebuilt, Telegram channels can be renamed, and brands can be abandoned. Malware artifacts, especially when reused across multiple ecosystems, offer a far more stable signal. If these hashes or closely related variants surface again, they provide a direct line back to this cluster of activity, regardless of what name is attached to it next.
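The pivot the report relies on, from hashes observed on several branded leak sites to a single cluster of shared tooling, is a graph problem: brands are linked whenever they share a hash, and a newly seen hash is attributed to whichever cluster it lands in. The script below is an added example, not the report's or StealthMole's code; its observation table is constructed from the four hashes and five brands named above, plus a hypothetical unrelated brand ("lockerx") with a placeholder hash.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Hashes as listed in the report
H_212 = "212f02ec96732a9b12e73633730cbf3286f12ffe2078091a331d818befbd68cf"
H_51A = "51a36760c4142f14db6add806d3920f1aa0662ea049ef4ea1dfce598ab675f91"
H_9F6 = "9f628cfed8996f974a6c6d39d41d82d8e29972117591605ccceff0bd5c6fd432"
H_5BC = "5bc9478d90533ebccf09c7204999853bae36db997b230e2809090c7827c8ced0"
H_X = "0" * 63 + "1"  # placeholder hash for the hypothetical brand

# Constructed (brand, sha256) observations reflecting the report's findings
OBSERVATIONS: List[Tuple[str, str]] = [
    ("8base", H_212), ("8base", H_51A), ("8base", H_9F6), ("8base", H_5BC),
    ("alphv", H_9F6), ("bianlian", H_9F6), ("knight", H_5BC), ("play", H_5BC),
    ("lockerx", H_X),
]


def brands_per_hash(obs: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    index: Dict[str, Set[str]] = defaultdict(set)
    for brand, h in obs:
        index[h].add(brand)
    return dict(index)


def shared_hashes(obs: List[Tuple[str, str]]) -> Set[str]:
    """Hashes seen under more than one brand: the reuse signal the report describes."""
    return {h for h, brands in brands_per_hash(obs).items() if len(brands) > 1}


def cluster_brands(obs: List[Tuple[str, str]]) -> List[FrozenSet[str]]:
    """Union-find over brands; two brands join a cluster when they share a hash."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for brands in brands_per_hash(obs).values():
        first = next(iter(brands))
        for b in brands:
            parent[find(first)] = find(b)
    clusters: Dict[str, Set[str]] = defaultdict(set)
    for brand in {b for b, _ in obs}:
        clusters[find(brand)].add(brand)
    return [frozenset(c) for c in clusters.values()]


def attribute(file_hash: str, obs: List[Tuple[str, str]]) -> Optional[FrozenSet[str]]:
    """Cluster a newly observed hash points back to, or None if it is unknown."""
    hit = brands_per_hash(obs).get(file_hash)
    if not hit:
        return None
    brand = next(iter(hit))
    return next(c for c in cluster_brands(obs) if brand in c)
```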

Conclusion

The takedown of 8Base’s primary leak site marked the end of its public operations, but it did not erase the group’s footprint. The investigation shows that infrastructure was already fluid before enforcement action, with multiple onion domains, a short-lived surface presence, and communication channels that gradually fell silent rather than being dismantled. What remains is a set of artifacts that reflect how the operation functioned, adapted, and ultimately fragmented.

The most significant insight comes from the malware artifacts linked to 8Base infrastructure. Hash overlap with several other ransomware operations suggests that 8Base was embedded within a shared ecosystem rather than operating in isolation. This points to common tooling or infrastructure dependencies that outlived the brand itself, offering a more durable signal than any single domain or channel.

Taken together, these findings position 8Base as a dormant operation rather than a resolved one. While the name may no longer appear in victim disclosures, the technical traces mapped in this investigation remain relevant. If related activity resurfaces under a different identity, those same remnants are likely to provide the first indication of continuity.

Editorial Note

Investigating ransomware groups after takedown often means working with fragments rather than conclusions. Infrastructure disappears unevenly, narratives fade, and attribution becomes less certain over time. This case illustrates how focusing on residual signals, rather than live activity, can still yield meaningful intelligence.

By using StealthMole to reconstruct infrastructure history, trace communication layers, and correlate technical artifacts, this investigation demonstrates how uncertainty can be navigated without overreach. In the case of 8Base, what remains offers more insight than what was taken down.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com
