RansomedVC and Stormous: Partnership, Rebranding, and Ecosystem Convergence

In late 2023, a Telegram channel operating under the name Ransomed News began appearing across multiple cybercrime touchpoints. At first, it looked like many others: sharing updates, promoting activity, and attempting to attract attention within an already crowded ransomware space.

But as its activity unfolded, the channel did not remain static. Its name changed repeatedly, its messaging shifted, and its scope expanded beyond simple announcements. What initially seemed like a standalone presence began to show signs of deeper connections, both in the way it operated and in the platforms it relied on.

These changes raised a key question: was this just another short-lived rebrand, or part of something more structured?

By following its digital footprint across Telegram, dark web infrastructure, and forum activity using StealthMole, this investigation traces how a single channel evolved into something far more interconnected, revealing patterns that point toward a broader and more coordinated ecosystem.

Incident Trigger and Initial Investigation

The investigation began during a separate analysis when a Tor-based URL was identified

• pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd.onion

Accessing this address revealed a site titled “Stormous.V4 BLOG”, which appeared to function as a public-facing platform listing multiple organizations alongside descriptions of compromised data. Although the site was no longer consistently accessible at the time of analysis, the available listings indicated a high level of activity, with victims spanning different industries and regions.

This discovery prompted further validation through StealthMole’s Dark Web Tracker. Running the same onion URL surfaced additional linked infrastructure, including:

• ransekgbpijp56bflufgxptwn5hej2rztx423v6sim2zrzz7xetnr2qd.onion
• ransubr7flrzz4did5ness4aufumhroymiuiahnruwh5dfbskoxyx2ad.onion
• kxlpsf4uua2k36quvcob3mjlguurbc3rhjkwt7thoyi52o7y6tf2wrad.onion

Two of these domains, labeled “RanStreet,” contained structured listings with file sizes and references to downloadable data, suggesting a dedicated distribution layer. Another domain appeared to function as a login panel, indicating the possible presence of a restricted backend or affiliate interface.

Further interaction with the primary onion address revealed an updated version of the site, identified as “Stormous V5”, along with a separate page referencing “Stormous Ransomware.”

A contact section was also identified at:

• http://pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd.onion/contact.html

This page provided a TOX-based communication method:

• C2867*******************************************CBC6

At this stage, the findings indicated that the platform was not limited to publishing breach claims, but likely formed part of a broader operational structure involving data distribution and direct negotiation channels. This initial discovery established the foundation for deeper analysis into the infrastructure and actors connected to the Stormous ecosystem.

Infrastructure and Operational Expansion

Building on the initial discovery of the Stormous V4 blog, further analysis through StealthMole revealed that the identified onion infrastructure was not isolated, but part of a broader and layered operational setup.

In addition to the primary blog, another domain was identified, which appeared to serve as an earlier version of the same platform. Although inactive at the time of investigation, it contained multiple structured endpoints, including pages dedicated to affiliate onboarding, service access, and operational rules.

• stmxylixiz4atpmkspvhkym4xccjvpcv3v67uh3dze7xwwhtnz4faxid.onion

These included:

• Paid access portal
• Free access entry point
• PYV (Post Your Victim) service page
• Affiliate rules and participation guidelines
• Additional portal interfaces for platform interaction

The presence of these structured pages indicates that the operation was not limited to publishing data leaks, but was designed as a service-based platform with defined user roles and onboarding flows.

Further examination of the earlier infrastructure also revealed a separate onion-based environment:

• http://secretsmt222qvdg6rcmgvx4dqqc2673yzyxjrrnabwklnn6qddyv5ad.onion/members/s*****2/

This “SECRET” panel appeared to operate as a closed communication or coordination space, distinct from the public-facing blog and distribution layers.

Overall, the infrastructure reflects a segmented architecture composed of:

• A public leak blog for visibility
• Distribution nodes for hosting and sharing data
• Access-controlled panels for platform interaction
• A restricted environment for internal coordination

This separation of functions suggests a deliberate design, enabling the operation to manage visibility, access, and interaction across different layers without relying on a single point of exposure.

Telegram Activity and Operational Insights

To further understand how the identified infrastructure was being used operationally, associated Telegram channels were analyzed through StealthMole’s Telegram Tracker. This revealed that Telegram played a central role in communication, recruitment, and coordination across the ecosystem.

One of the key channels identified was:

• https://t.me/StmXRansomware

StealthMole indexing showed that this channel dates back to March 2022, when it originally operated under a different handle:

• https://t.me/STORMOUSS

This historical continuity indicates that the channel has been active for an extended period, undergoing changes in branding and structure over time while maintaining its core function.

Messages within the channel provided detailed insight into how the operation functioned. These included structured announcements outlining participation models, access tiers, and operational workflows. The platform offered two primary modes of access:

• A paid version, which provided direct access to a control panel, enabling affiliates to manage victims and conduct negotiations
• A free version, where participants operated through existing affiliates, without direct access to the platform interface

In addition to these, a separate PYV (Post Your Victim) service was promoted, allowing external actors to submit compromised targets for publication or sale. This model required users to provide details such as the target organization, data size, and proof samples, indicating a controlled intake process rather than unrestricted submissions.

The channel also shared structured resource lists, including:

• Blog links (multiple versions of the platform)
• Access pages for paid and free participation
• Affiliate rules and operational guidelines
• Portal interfaces for interacting with the system

Communication methods were consistently reinforced, with the reuse of a primary TOX ID, as well as references to an internal communication environment hosted on the SECRET onion panel.

• C286720F7592E5668A932F1D06EDEECBAFACB3BE369632C908F9511D072C142575BA8109CBC6

Further messages revealed operational policies governing how affiliates interacted with victims. These included:

• Requirements for verifying attacks before publication
• Conditions under which victims would be listed or removed
• Negotiation guidelines, including potential ransom adjustments based on financial assessment
• Rules preventing interference from multiple parties during negotiations

The channel also outlined broader operational practices, including:

• Affiliate recruitment and onboarding
• Updates on program versions and structural changes
• Coordination with external partners and associated channels
• Guidance on using the platform and resolving operational issues

Overall, the Telegram activity provides a direct view into how the operation functioned in practice. Rather than serving as a simple announcement channel, it acted as a central hub where infrastructure, access, and operational rules were communicated, linking together the different components of the ecosystem into a coordinated workflow.

Channel Evolution and Ecosystem Convergence

To understand how the Stormous-linked ecosystem expanded beyond a single channel, further analysis was conducted on:

• https://t.me/StmXGhostLocker

Unlike the previously identified channels, this one provided a longer historical view, revealing a pattern of repeated rebranding and operational shifts over time.

StealthMole tracking showed that the channel had undergone multiple name changes, including:

• Ransomed News
• Ransomed_vc / Ransomed vc
• Ransomed.vc Channel
• Ransomed News
• Ražnatović Channel
• Stormous.X Store (V3.0)
• Stm.X | GhostLocker 1.0 Service
• Stm.X | GhostLocker V2.0 Service

These changes were not random. Early activity under the RansomedVC identity focused on recruitment, announcements, and initial breach claims. Over time, the channel expanded its scope, promoting services such as marketplaces, DDoS offerings, and partnerships with other actors.

A notable shift occurred in late 2023, when the channel began advertising a marketplace (ran*********t.com) and actively seeking partnerships with other cybercrime services, including RaaS operators and account sellers. This phase marked a transition from a single-group presence toward a broader service-oriented model.

During the same period, the channel referenced operational challenges, including the arrest of individuals linked to its administration and the removal of multiple affiliates. These messages highlighted internal strain and concerns around operational security, suggesting that the group was adapting in response to external pressure.

Following this phase, the channel underwent another identity shift, rebranding as Ražnatović Channel before eventually transitioning into the Stm.X | GhostLocker identity. Alongside this transition, the messaging became more structured, focusing on defined participation models, service tiers, and platform-based operations.

Under the Stm.X | GhostLocker branding, the channel presented a more organized framework, including:

• Tiered access models (paid and free participation)
• Defined onboarding processes
• A structured affiliate system
• Integration with existing infrastructure and communication methods

The same communication identifier, specifically the previously observed TOX ID, continued to appear across these phases, providing continuity despite the repeated rebranding.

Rather than indicating a clean break between entities, this progression suggests a gradual alignment. The channel’s transition from RansomedVC to Stm.X | GhostLocker, combined with references to Stormous infrastructure and services, points toward a convergence of operations within a shared ecosystem.

This evolution reflects a shift from a loosely organized channel into a more structured environment, where branding, services, and infrastructure became increasingly interconnected.

Affiliate Activity and Actor Linkages

Beyond infrastructure and channel activity, further analysis identified the presence of external actors interacting with and leveraging the Stormous-linked ecosystem. These actors were primarily observed on underground forums, where they promoted access, advertised data, or facilitated sales using shared infrastructure and communication methods.

One such instance was identified on DarkForums:

• Thread: https://darkforums.me/Thread-Document-Hy-Vee-Internal-Breach-2025-StormouS-X
• Username: SuperNova

In this post, the actor explicitly described themselves as an affiliate of the Stormous group. The listing included references to previously identified onion infrastructure, directing users to access data through Tor-based links. The actor also provided a dedicated TOX ID for communication:

• 0E67D9*********************************************716

The structure of the post followed a consistent pattern: offering a sample of compromised data, describing the nature of the breach, and indicating that the full dataset would be available for purchase or negotiation. This aligns with the broader monetization approach observed across the ecosystem.

A second instance was identified on BreachForums:

• Thread: https://breachforums.is/Thread-SELLING-We-offer-an-exclusive-access-service-to-a-one-Brazilian-university-network
• Username: crowSTM

This actor advertised exclusive access to a university network, offering time-limited access to a single buyer. The contact details provided in the thread included:

• Email: st**************p@onionmail.org
• A TOX ID consistent with Stormous-linked communication methods

The reuse of these identifiers across different platforms suggests that the actor was operating within, or in coordination with, the same ecosystem.

In addition to forum activity, multiple email addresses were identified through StealthMole indexing and Telegram analysis:

• s******s@onionmail.org
• s******p@onionmail.org
• s*****s@protonmail.com

These addresses appeared across different contexts, including Telegram channels, forum posts, and contact listings, indicating a consistent set of communication points used within the operation.

A separate Telegram channel was also identified, containing similar contact details and breach-related messaging. However, this channel was flagged by users as potentially unreliable or impersonating, introducing ambiguity regarding its authenticity. Despite this, the reuse of known identifiers suggests some level of connection or at minimum an attempt to leverage the Stormous brand.

• https://t.me/STORMOUS_HACKER

These findings indicate that the ecosystem is not limited to a single controlled group of operators. Instead, it includes affiliates and external actors who utilize shared infrastructure, communication channels, and branding to conduct operations and monetize access or data.

This distributed activity model reinforces the presence of a broader network, where multiple participants operate semi-independently while remaining connected through common systems and identifiers.

Conclusion

The investigation into Stormous and its associated ecosystem reveals a coordinated yet flexible operational model built on shared infrastructure, consistent communication channels, and a distributed network of participants. Rather than functioning as a single, tightly controlled group, the ecosystem operates through a combination of core infrastructure and external actors who engage at different levels, ranging from affiliates to independent contributors.

At the center of this model is a structured platform that enables onboarding, data publication, and negotiation through clearly defined processes. The presence of tiered participation, controlled submission requirements, and dedicated communication methods indicates a system designed to manage scale while maintaining a degree of oversight.

The historical activity observed across Telegram further highlights how this ecosystem has adapted over time. Rebranding efforts, platform migrations, and shifts in messaging suggest a continuous process of adjustment, likely influenced by both operational needs and external pressures. Despite these changes, key elements, such as communication identifiers and infrastructure patterns, remain consistent, providing continuity across different phases.

Importantly, the relationship between RansomedVC and Stormous is best understood not as a direct transformation, but as a gradual alignment. The progression of the channel, combined with shared infrastructure and operational similarities, points toward a convergence within a broader ecosystem rather than a single unified entity.

Overall, these findings illustrate an operation that balances structure with adaptability, capable of maintaining coordinated activity while integrating external actors and evolving its presence across platforms.

Editorial Note

Investigations into dark web and cybercriminal ecosystems rarely present a complete or definitive picture. Identities shift, infrastructure is frequently replaced or repurposed, and relationships between actors are often fluid rather than fixed. As seen in this case, distinguishing between partnership, alignment, and direct control requires careful interpretation of available evidence rather than assumption.

This analysis, built on data surfaced through StealthMole, highlights how patterns across platforms, rather than isolated findings, can be used to trace continuity and uncover structure within an otherwise fragmented environment.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com

Inside the HellCat Access Ecosystem: Mapping Miyako’s Multi-Identity Operations

HellCat ecosystem has emerged as a structured ransomware operation where different roles appear to be distributed across multiple actors rather than concentrated within a single identity. Public leaks, underground discussions, and platform activity suggest a model that depends not only on encryption and extortion, but also on a steady supply of compromised network access. This reliance introduces a supporting layer of actors whose role is to source, advertise, and transfer access into target environments.

During the course of investigating HellCat-linked activity, one name began to surface repeatedly in connection with this access layer: Miyako.

The actor was first observed within Telegram channels associated with access sales, where listings referenced high-value targets and sector-specific environments. What initially appeared to be a single account gradually expanded into a set of overlapping identities, each operating within the same channels or their successive versions. Across these instances, the messaging style, offerings, and timing remained consistent, suggesting continuity behind the changing profiles.

What makes Miyako particularly relevant is the apparent positioning within this broader structure. Rather than engaging in ransomware deployment or public leak announcements, the activity observed centers around the earlier stage of the intrusion chain, where access is introduced into the ecosystem. At the same time, the persistence of the identity across channel migrations, bans, and rebranding efforts indicates a deeper level of involvement than a one-off seller.

This report focuses on mapping Miyako as an operational persona within the HellCat landscape, tracing how the identity shifts, where it appears, and how its activity aligns with the ecosystem’s dependency on initial access.

Incident Trigger and Initial Investigation

This investigation began as a continuation of the broader HellCat ecosystem analysis.

While mapping infrastructure, actors, and supporting activity around HellCat, one name appeared repeatedly in the background: Miyako. Unlike more visible personas associated with leaks or coordination, this name surfaced in a different context, often tied to access-related discussions and listings. That recurring presence made it difficult to ignore.

Rather than treating it as another peripheral alias, the decision was made to follow the lead independently.

The first step was straightforward. The keyword “Miyako” was queried in StealthMole’s Leaked Monitoring tool to establish whether the actor had a measurable footprint across indexed breach activity. The results immediately stood out. A total of 71 victim entries were identified between January 2023 and September 2025, indicating sustained activity over an extended period rather than isolated posts.

More importantly, these entries were not confined to a single platform. Two primary sources appeared consistently:

• https://breachforums.st
• https://breachsta.rs

This distribution suggested that Miyako was operating across multiple forums rather than relying on a single identity or marketplace.

To move beyond aggregated listings, individual threads were examined. One of the earliest meaningful pivots came from the following post:

• https://breachsta.rs/topic/access-online-casino-database-15000-users-q767ka1xzssz

The thread itself advertised access to a database containing approximately 15,000 users, aligning with the type of activity already observed in the monitoring results. However, the focus quickly shifted away from the dataset and toward the actor behind it.

Running the thread through StealthMole’s Dark Web Tracker revealed additional artifacts, including:

• BreachStars profile: https://breachsta.rs/profile/miyako
• Session ID: 058************************************e918

The session identifier was particularly important. This same ID had already surfaced during the earlier HellCat ecosystem investigation, linking Miyako to previously observed activity. Unlike usernames, which can be changed or abandoned, session identifiers tend to persist, making them a more reliable tracking point.

Thread-Level Analysis: Access Listings and Service Positioning

With the initial foothold established through BreachStars, the investigation moved toward examining Miyako’s activity across BreachForums to better understand how the actor operated beyond isolated listings.

One of the most relevant threads identified was:

• https://breachforums.st/Thread-The-only-real-hacker-for-hire-service-on-breachforums

Unlike the earlier BreachStars post, which focused on a specific dataset, this thread presented a different model. Instead of advertising a single access point, Miyako positioned the offering as an ongoing service. The post invited users to submit target domains, with the promise of delivering access on request and payment expected after successful compromise.

This distinction was important.

Rather than acting purely as a reseller of already obtained data, the actor appeared to be offering on-demand access acquisition, indicating a more active role within the intrusion process.

Further examination of the thread revealed the same session identifier:

• 0583*******************************************e918

The recurrence of this identifier across both BreachStars and BreachForums confirmed that the activity was tied to the same underlying operator, despite differences in platform and post format.

In addition to the session ID, the thread also introduced an external communication channel:

• https://t.me/FreshAccess

This Telegram link marked a transition point. While the forum posts served as entry points for visibility, the inclusion of a direct channel suggested that further interaction, negotiation, delivery, and coordination, was likely taking place off-platform.

The associated BreachForums profile provided additional context:

• https://breachforums.st/User-miyako

The profile explicitly identified the role as Initial Access Broker, aligning with the behavior observed across both threads. The bio also referenced a HellCat-linked onion domain, reinforcing the connection to the broader ecosystem already established in earlier analysis.

Taken together, these elements begin to define Miyako’s operational position more clearly. The activity is not limited to isolated leaks or one-time sales. Instead, it reflects a structured approach centered around:

• acquiring or sourcing access
• advertising capability through forums
• moving engagement to Telegram
• fulfilling requests based on demand

At this point in the investigation, Miyako is no longer just a recurring name in monitoring results, but an actor operating with a defined role within the access layer that supports the wider HellCat ecosystem.

Session-Based Expansion: Multi-Platform Presence and Alias Evolution

With the session ID established as a reliable anchor, the next step was to expand the investigation beyond individual threads and map where else this identifier appeared.

The same session ID was queried across StealthMole’s Dark Web Tracker, which revealed a much broader footprint than initially expected.

Rather than being limited to a single forum or account, the identifier was associated with multiple profiles across different BreachForums domains, including:

• https://breachforums.bf/User-miyako
• https://breachforums.jp/User-miyako
• https://breachforums.as/User-miyako
• https://breachforums.st/User-miyako

At first glance, this could appear as separate instances of the same username across different platforms. However, these domains represent mirrored or parallel instances of the same forum ecosystem. The consistency of the session ID across these environments indicates persistence of the same actor rather than duplication by unrelated users.

Beyond exact username matches, variations of the identity also began to surface. These included:

• https://breachforums.st/User-miyak0
• https://breachforums.st/User-MIYAK000
• https://breachforums.st/User-nastya-miyako

Despite differences in naming, these profiles shared common characteristics, including similar bio structure, role designation, and references to external communication channels. The variations suggest controlled modification of the alias rather than random impersonation.

A particularly important pivot emerged from the following thread:

• https://breachforums.bf/Thread-miyako-s-Staff-Application

This thread introduced another related profile:

• https://breachforums.bf/User-miya

Unlike the more visible “miyako” accounts, this identity appeared to represent an earlier stage in the actor’s presence. The profile retained the same underlying identifiers and role classification, but also included additional context through the staff application itself.

Within this post, the actor explicitly described their role as an Initial Access Broker, along with references to prior experience and intent to operate within the forum. This is significant because it moves beyond inferred behavior, here, the role is directly stated by the actor.

At the same time, the account was marked as banned on the platform, with the reason listed as suspected scamming. While this label originates from forum moderation rather than independent verification, it provides insight into how the actor’s activity was perceived within the community.

The same session ID also led to activity beyond BreachForums, including presence on DarkForums domains such as:

• https://darkforums.me/User-miyako
• https://darkforums.io/User-miyako
• https://darkforums.hn/User-miyako
• https://darkforums.st/User-miyako

Associated threads included access sale listings such as:

• https://darkforums.me/Thread-Selling-Access-U-S-Department-of-the-Treasury
• https://darkforums.st/Thread-Selling-Honduras-Microfinance-RCE-Admin-CLI

These posts followed a consistent pattern, advertising access to organizational environments with varying levels of privilege, including references to RCE, administrative access, and firewall exposure.

In one instance, the same session-linked activity appeared under a different username:

• https://breachforums.st/Thread-Chinese-Web-Development-Initial-Access
• Username: mommy

While the username differs, the shared session identifier suggests that this activity is connected at the account level, even if the visible alias changes.

What emerges instead is a pattern of controlled alias variation, cross-platform persistence, and consistent role alignment, all tied together through a stable session identifier. This reinforces the view of Miyako not as a single static profile, but as an evolving operational presence maintaining continuity across platforms, usernames, and environments.

Telegram Infrastructure and Channel Evolution

While forum activity provided visibility into how Miyako advertised access, the investigation began to shift more heavily toward Telegram, where much of the operational activity appeared to take place.

The first clear pivot came from the BreachForums thread, which referenced the channel:

• https://t.me/FreshAccess

At the time of investigation, the channel was no longer accessible. However, historical indexing revealed that this was not a standalone entity, but part of a continuously evolving Telegram infrastructure.

Further analysis showed that the same channel had previously operated under a different URL:

• https://t.me/BFDWC

More importantly, both URLs resolved to the same Telegram channel ID, confirming that this was not a new channel but a renamed and rebranded version of the original.

Tracking historical snapshots allowed the channel’s evolution to be reconstructed:

• November 2024 → BF DWC
• January 2025 → HELLCAT Access Team
• February 2025 → Fresh Access

Despite these changes in name and presentation, the underlying activity remained consistent: access listings, short transactional posts, and instructions to move conversations into private messages.

This continuity is important.

Rather than creating entirely new channels, the operator appears to have retained the same infrastructure while modifying its outward identity, allowing the operation to persist while adapting to platform pressure, bans, or shifting branding strategies.

The channel’s connection to BreachForums was further reinforced through the profile:

• https://breachforums.st/User-mommy

This account explicitly referenced the Telegram link associated with the earlier BFDWC version of the channel. The shared channel reference creates a clear overlap between forum activity and Telegram-based operations.

In addition to the primary channel, a secondary channel was also identified:

• https://t.me/FreshAccess2

The presence of a secondary channel suggests redundancy, either as a backup in case of disruption or as part of a broader migration strategy. This aligns with patterns commonly observed in Telegram-based operations, where channels are frequently rotated or duplicated to maintain continuity.

Telegram Actor Cluster: Account Mapping and Behavioral Patterns

With the Telegram channels established as a central part of the operation, the next step was to identify the individual accounts operating within and around this infrastructure.

Historical message data from the Fresh Access channel and its earlier iterations revealed multiple user accounts associated with Miyako-linked activity. These included:

• miyak0 — ID: 70******40
• miya — ID: 7651702330
• miyako (@miyuhko) — ID: 6108518793
  • Previous names: Kiro, ikia
  • Previous usernames: @LKIEJHDJ, @kuuonline
• miya — ID: 7075206687

At first glance, these appear to be separate users. However, several patterns suggest they are either controlled by the same operator or operate in very close coordination.

The most immediate indicator is naming consistency. Variations of “miyako” and “miya” appear across all identified accounts, with minor alterations rather than completely unrelated aliases. This aligns with patterns already observed on forum platforms, where the actor modified usernames without abandoning the core identity.

Beyond naming, behavioral overlap becomes more apparent when examining message activity.

Across different accounts, the communication style remains consistent:

• short, transactional messages
• minimal description of access
• emphasis on urgency or exclusivity
• repeated instruction to move discussions into direct messages

This pattern is particularly characteristic of access brokerage, where speed and discretion are prioritized over detailed listings.

Another key observation is account instability.

Several of these accounts were observed as:

• deleted
• renamed
• or replaced over time

This aligns with earlier findings around channel evolution and suggests an environment where accounts are frequently rotated, either due to bans, operational security practices, or deliberate identity cycling.

Despite this instability, continuity is preserved through:

• repeated naming patterns
• presence within the same channels
• consistent message structure
• shared operational role

At this stage, the investigation does not rely on a single account to define the actor. Instead, it reveals a cluster of identities that collectively represent Miyako’s presence on Telegram.

This cluster-based view is important.

Rather than treating Miyako as a fixed username, the activity suggests a more fluid identity, one that shifts across accounts while maintaining recognizable patterns in behavior and function. This allows the operation to persist even as individual accounts are lost or replaced.

These findings reinforce the idea that Miyako’s presence on Telegram is not tied to a single account, but to a repeatable operational pattern carried across multiple identities within the same infrastructure.

Access Offerings and Targeting Patterns

With the Telegram infrastructure and associated accounts mapped, the next step was to examine the nature of the access being advertised and what it reveals about Miyako’s operational focus.

Messages recovered from the Fresh Access channel and its earlier iterations show a consistent pattern in how access is presented. The listings are brief, often limited to a few lines, but they follow a recognizable structure:

• geographic or sector-based identifier
• type of access available
• occasional reference to revenue or scale
• price indication
• instruction to continue via direct message

Examples of these listings include references to:

• U.S. government aerospace and defense environments
• Chinese crypto insurance infrastructure
• Spanish ISP networks with multi-billion revenue indicators

Across these posts, one detail stands out, the actor explicitly states: “I sell access not data”

This distinction is important.

Unlike data leak actors who focus on selling or distributing stolen information, Miyako’s activity is centered on entry points into systems. The value lies not in what has already been extracted, but in what can be accessed next.

The types of access advertised further reinforce this positioning. Across forum threads and Telegram messages, listings reference:

• RCE (Remote Code Execution)
• administrative or CLI-level control
• firewall access (including FortiOS environments)
• VPN-based entry points into corporate networks

These are not superficial compromises. They represent footholds that can be expanded into deeper system control, making them valuable to actors involved in later stages of intrusion, such as ransomware deployment or data exfiltration.

Another notable aspect is the pricing model.

Access listings are typically priced within a mid-range bracket, with observed examples including:

• Approximately $400–$1000 depending on target and privilege level

This pricing suggests a balance between accessibility and perceived value, low enough to attract buyers, but high enough to reflect the effort or rarity of the access.

The targeting itself does not appear random. Listings span:

• government-related environments
• financial and insurance sectors
• telecommunications infrastructure
• regional enterprise networks

This spread indicates opportunistic targeting rather than a single vertical focus, which is consistent with access brokers who acquire entry points from multiple sources and sell them based on availability.

At this stage, Miyako’s role becomes more clearly defined.

The actor is not presenting completed attacks or large-scale leaks. Instead, the activity sits earlier in the intrusion lifecycle, providing the initial foothold that enables subsequent operations. This aligns directly with the role already identified on forum profiles: Initial Access Broker.

Conclusion

What began as a simple pivot on a recurring name developed into a clear view of Miyako as a consistent presence within the access layer of the HellCat ecosystem.

Across forums and Telegram, the investigation traced a pattern of activity that remains stable despite shifting usernames, accounts, and channels. The linkage between these elements is not based on a single artifact, but on the combination of session identifiers, platform transitions, and repeated behavioral patterns that persist over time.

Rather than operating as a visible front-facing actor, Miyako’s activity sits earlier in the intrusion chain: focused on sourcing and advertising access that can be leveraged by others. This positioning, combined with cross-platform continuity, highlights a role that is both specialized and persistent within the broader environment.

At its core, this case illustrates how access brokerage operates in practice: not through static identities, but through adaptable structures that maintain function even as individual components change.

Editorial Note

As with most dark web investigations, the findings in this report are based on observable activity and verifiable linkages rather than definitive attribution. Identities in these environments are fluid, often shaped by reuse, overlap, and deliberate obfuscation. This case reflects how StealthMole enables analysts to navigate that uncertainty: connecting fragments across platforms to build a coherent, evidence-based understanding of actor behavior without relying on assumptions.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com