Rey: Mapping a HellCat-Linked Persona Across the Dark Web

Among the various personas that surfaced during the HellCat investigation, one name appeared with unusual consistency: Rey.

Initially encountered through forum threads linked to HellCat-related data leaks, the actor’s presence extended far beyond a single username. References to the alias emerged across BreachForums, Telegram, encrypted messaging platforms, paste services, and public-facing contact pages, gradually revealing a broader and more deliberate online footprint.

What makes Rey particularly significant is not just the frequency with which the name appears, but the role it appears to occupy within the HellCat ecosystem. Across multiple threads and communications, the actor is directly or indirectly positioned alongside other known HellCat-linked profiles, with repeated indications of administrative or coordinating involvement.

At the same time, public reporting and underground discussions have introduced conflicting narratives around Rey’s identity and affiliations. External attribution attempts have linked the actor to other aliases, while the actor has publicly disputed these claims. This tension between observed evidence and external reporting adds another layer of complexity to the investigation.

This report focuses on profiling Rey as an operational persona: tracing how the identity evolved, how it moved across platforms, and how its presence intersects with HellCat-linked activity. Rather than attempting to force definitive attribution, the objective is to examine the observable infrastructure, artifacts, and behavioral patterns that define the actor’s footprint.

Incident Trigger and Initial Investigation

This report began as a natural continuation of the earlier HellCat ecosystem investigation.

While tracing HellCat’s infrastructure, associated forum accounts, and communication channels, one name kept surfacing in the background: Rey. At first, it appeared only as a supporting alias in forum threads and actor references. But the more the investigation progressed, the harder it became to ignore how frequently the name was showing up alongside HellCat-linked activity.

That recurring presence was what prompted a deeper look.

Rather than treating Rey as just another username within the broader ecosystem, the decision was made to follow the trail independently and determine whether this was simply a peripheral actor or someone playing a more central role.

What made the case even more interesting was that, during the early stages of this process, it became clear that KELA Cyber and KrebsOnSecurity had already published attribution research on the same persona. Instead of making the investigation redundant, this made it more compelling. It presented an opportunity to see how far the same conclusions could be reached through StealthMole’s own cross-platform visibility and whether the observed evidence would support, complicate, or challenge the existing narrative.

The practical investigation began with a simpler lead.

Rather than starting from external reporting, the decision was made to begin with Rey’s observable footprint inside the HellCat environment itself. The alias had already appeared in actor references, forum discussions, and related communication artifacts during the previous report, making it the most natural point of entry.

The objective at this stage was not attribution, but identity validation: to establish whether Rey represented a standalone actor, an administrative role within HellCat, or an alias that had evolved from earlier personas.

From that point onward, the investigation shifted from tracking HellCat as an ecosystem to tracking Rey as an actor profile.

Backward Persona Mapping: Rey to Hikki-Chan

The first concrete pivot was Rey’s BreachForums profile. A Dark Web Tracker search on the alias returned the profile:

  • https://breachforums.st/User-Rey

This became the first strong identity artifact in the case.

What immediately stood out was that the profile did not treat Rey as a standalone persona. Instead, the account information explicitly listed:

  • a.k.a Hikki-Chan & Rey

This was the first point where the investigation began moving backward through older personas.

Rather than discovering Hikki-Chan first, the trail led there through Rey’s more recent footprint.

The profile preserved several historical details that helped strengthen continuity:

  • Joined: 20 February 2024
  • User Identifier: 130559
  • Username Changes: 1

Most importantly, the user identifier 130559 became a recurring technical artifact across later threads, allowing multiple forum activities to be tied back to the same account.

That linkage became clearer in another thread discovered during the same pivot:

  • https://breachforums.st/Thread-SELLING-Femboy-Thigh-Paradise-3

Although the thread itself was clearly performative in tone, the author block contained an important operational detail.

The same account was explicitly labeled as:

  • HELLCAT Administrator
  • user_130559

This was one of the clearest forum-based indicators placing Rey in an administrative role within the HellCat environment.

The significance here was not the content of the thread itself, but the continuity of identifiers.

The repeated appearance of user_130559, combined with the explicit HellCat administrator label, strengthened the case that Rey was not simply adjacent to the ecosystem but likely held an active role within it.

From there, the investigation moved further backward in time.

A later historical thread provided the strongest bridge between the two personas:

  • https://breachforums.bf/Thread-Staff-Application-Rey-Hikki-Chan

This artifact was especially important because it removed much of the ambiguity around alias mapping.

In the staff application, the actor explicitly stated:

  • “I’m Rey, also known as Hikki-Chan.”

This self-identification was one of the strongest attribution artifacts found during the investigation.

Rather than relying on inferred overlaps in writing style, profile images, or external reporting, the actor directly linked the two names.

Chronologically, this also helped establish the direction of persona evolution.

At this stage of the investigation, Rey appears to represent the more recent and operationally active identity, while Hikki-Chan emerges as an earlier alias preserved in historical forum records and leak posts.

This backward progression became critical to understanding how the actor’s presence evolved over time.

With that alias relationship established through Rey’s own forum footprint, the investigation could then move into older leak-related activity where Hikki-Chan appeared as the public-facing persona.

Rey’s Active Communication and Financial Footprint

Before tracing the persona further backward into older aliases, the investigation next focused on Rey’s more recent operational footprint.

This step was important because it helped establish the latest observable state of the actor before moving into earlier identities.

One of the most significant artifacts at this stage was the Telegram handle:

  • @wristller

Unlike the older identifiers that would later emerge through historical leak activity, @wristller appeared as one of the more recent communication points associated with Rey.

A StealthMole pivot through Telegram Tracker showed that the account was no longer active at the time of analysis.

However, historical indexing preserved multiple earlier states of the profile.

Archived snapshots from January 2025 showed that the same account had previously operated with the usernames:

  • @wristller
  • @leaking

This was particularly useful because it connected the persona directly to leak-oriented activity rather than a purely personal handle.

The profile bio also contained the reference:

  • not sure | nohello.net

This suggests an additional external web reference tied to the same persona and reinforces Rey’s tendency to maintain a distributed cross-platform presence.

Another important artifact linked to this Telegram footprint was a Bitcoin wallet identified through activity in the Jacuzzi channel:

  • bc1************************************9x

This wallet was directly associated with Rey-linked discussions and content redistribution.

Observed transaction activity was limited and consisted of relatively small-value transfers.

This is analytically significant.

The low transaction volume on this one address does not match the financial behavior typically seen in mature ransomware or extortion actors.

On its own, however, it is a weak signal: an actor can spread receipts across many addresses, and an address posted in a public channel need not be the one used for ransom proceeds (the actor's own later remark about "one address out of 12" makes the same point).

Read alongside the rest of the footprint, it suggests either smaller-scale monetization or that revenue is generated through data sales and forum activity rather than structured ransom payments.

Additional artifacts further strengthened the Rey footprint.

A previously observed Florida office leak-related screenshot associated with the forum identity was later found redistributed in the Jacuzzi channel, providing a useful cross-platform continuity marker.

The investigation also revisited the email artifact:

  • rey@c****k.lu

A Dark Web Tracker pivot on this email led to the paste page:

  • https://pst.in*****i.net/paste/zt8*************wb

This page explicitly linked:

  • Rey
  • Hikki-Chan
  • Telegram references
  • forum-related contact details

This became one of the strongest direct identity bridges in the case. Unlike behavioral or stylistic overlap, this artifact explicitly connected multiple platforms through the actor’s own published contact details.

A further expansion point emerged through leak monitoring. An XSS thread linked to the Orange database leak was identified under the alias:

  • ReyXS

This introduces a possible later variation of the Rey persona. At this stage, the relationship remains unresolved.

Two possibilities remain open:

  • Rey operating under a slightly modified alias on XSS
  • independent impersonation using an already established name

Given the timing and thematic overlap, the connection remains relevant, but should be treated as unconfirmed rather than asserted.

With the more recent operational footprint mapped, the investigation then moved backward into older historical traces, where earlier aliases and communication handles began to surface.

Historical Activity Under the Hikki-Chan Alias

With the relationship between Rey and Hikki-Chan now established through forum records, the next step was to move further back and examine how the older alias had been operating before the Rey persona became more prominent.

The investigation began by pivoting on Hikki-Chan in StealthMole’s Leaked Monitoring.

This search returned 23 victims indexed between March 2024 and November 2024, with the majority of the results traced back to BreachForums leak posts and related underground discussions.

At this point, the case still looked like a forum-based leak actor.

The alias was surfacing repeatedly across multiple threads, but there was not yet enough evidence to determine whether this represented a temporary leak persona, a seller identity, or an actor with a broader operational role.

That changed when one of the earliest indexed threads stood out as a likely starting point for deeper profiling:

  • https://breachforums.cx/Thread-DATABASE-New-York-Education-Leaked-Download

This thread quickly became the real turning point in the investigation.

While the post itself was attributed to Hikki-Chan, what made it significant was not simply the leak content.

What stood out was the fact that this thread appeared early in the timeline and was supported by a visible forum presence that showed sustained activity, thread history, and growing reputation.

This suggested that the alias was not being used as a disposable one-off identity.

Instead, it appeared to be part of a more persistent actor footprint.

From that point onward, the focus moved beyond the leak post itself and into the surrounding identity environment.

What initially looked like a single forum alias began to suggest something broader: a persona extending beyond BreachForums into external communication channels and associated profiles.

This was the point where the investigation shifted from tracking posts to tracking the actor behind them.

Cross-Platform Identity Mapping: From Hikki-Chan to Wristmug

Once the New York Education leak thread was established as the earliest meaningful activity under the Hikki-Chan alias, the investigation moved beyond the forum post itself and into the actor’s surrounding identity footprint.

The thread was the starting point, not the conclusion.

Rather than continuing to focus on the leaked dataset, the next step was to pivot on the actor profile and outbound references attached to the post.

At first, Hikki-Chan still appeared to be a fairly standard BreachForums persona: an active username, multiple leak-related posts, and a steadily growing reputation within the forum environment.

However, a closer review of the thread revealed the first major expansion point.

At the end of the post, the actor explicitly referenced the Telegram handle:

  • @wristmug

This was the first strong pivot beyond BreachForums and the point where the investigation began expanding into cross-platform identity mapping.

Using StealthMole’s Telegram Tracker, historical indexing of the handle revealed that although the account has since been deleted, multiple earlier snapshots had been preserved.

These historical snapshots became one of the strongest continuity artifacts in the case.

Archived records showed that the same Telegram account had previously operated under:

  • Rey
  • @wristmug

This was especially significant because the name Rey had already surfaced repeatedly during the earlier HellCat ecosystem investigation and had now been independently linked through forum-based artifacts.

At this point, the investigation was no longer looking at isolated aliases.

Instead, the evidence was beginning to show a continuous identity progression across platforms.

Several preserved profile snapshots further strengthened this line of inquiry.

Earlier versions of the Telegram profile showed:

  • repeated anime-style avatars
  • persistent use of @wristmug
  • evolving bios over time

These snapshots suggested continuity of the same operator rather than recycled access or account transfer.

More importantly, the profile bios revealed recurring linguistic patterns that aligned closely with earlier Rey-linked artifacts.

One earlier indexed bio contained the Russian-language text:

  • время иллюзия, жизнь не реальна, смерть неизбежна :3 @J****sX

This translates roughly as "time is an illusion, life is not real, death is inevitable :3", followed by another tagged handle.

A later bio contained another phrase that had already appeared elsewhere in the investigation:

  • “slightly down, femboy thighs cover it”

This became a particularly useful behavioral marker.

On its own, this kind of phrase might appear informal or irrelevant.

However, when viewed alongside the earlier Rey-linked BreachForums thread that used the same recurring “femboy thigh” motif, it became a valuable continuity indicator.

This is where the analysis shifted from technical overlap to behavioral overlap.

The strength of these artifacts was not the content itself, but the repeated tone, phrasing style, and self-branding patterns across platforms and over time.

Further Telegram channel activity added another layer of context.

The same account was observed participating in underground channels including:

  • Baphchat
  • Jacuzzi 2.0

Archived messages included statements such as:

  • “i actually want to ban India ips range”
  • “I GOT EXPOSED”

These messages are particularly noteworthy because they suggest an awareness of active scrutiny, exposure, or ongoing discussion around the actor during that period.

One archived exchange also included a posted address:

  • 172121 Dublin, Ireland

This artifact should be handled cautiously.

Based on the surrounding conversation context, it appears more consistent with mocking, trolling, or deliberate misdirection than a reliable geolocation indicator.

As such, it is best documented as an observed artifact rather than actionable location intelligence.

This distinction is important because actor-led deception is common in underground communication spaces.

By this stage, the investigation had moved well beyond a single forum-based leak persona.

The emerging profile suggested an actor moving fluidly between:

  • BreachForums leak activity
  • Telegram identity persistence
  • underground channel conversations
  • HellCat-adjacent ecosystem references

This was the point where Hikki-Chan increasingly began converging toward Rey as a persistent, cross-platform identity.

What first appeared to be an older leak alias was now clearly feeding into the more recent Rey persona already observed in the HellCat investigation.

Leaked BreachForums Dataset Analysis: Expanding Rey’s Artifact Footprint

After establishing the connection between Hikki-Chan, @wristmug, @wristller, @leaking and Rey, the investigation moved toward identifying additional artifacts that could further expand the actor’s footprint.

This phase was triggered by the discovery of a leaked BreachForums dataset, which contained user-related records, messaging logs, and associated identifiers. Rather than treating it as a standalone source, the dataset was used as a pivot to explore whether any new infrastructure or accounts could be linked back to the same actor.

A review of the dataset surfaced several new identifiers associated with Rey, including:

  • Telegram handle: @meow31337
  • Signal: mk*****n.*1
  • Email: h*****n@proton.me
  • User ID: 13****9

The Telegram handle provided the most immediate lead.

Using StealthMole’s Telegram Tracker, the handle @meow31337 was resolved to the user ID: 8042142303. This was the first time this specific Telegram user ID appeared in the investigation, making it a new data point rather than a confirmed continuation of previously tracked accounts.

To understand whether this was a separate actor or part of the same identity cluster, historical indexing of the account was reviewed. Earlier snapshots showed that the account had previously used the username: @wristting.

This detail became important. While the user ID itself had not been seen before, the naming pattern closely aligned with earlier aliases such as @wristmug, suggesting a possible continuation rather than a coincidence.

At this stage, the linkage is best understood as behavioral and contextual, rather than technically confirmed.

Additional profile details supported this direction.

The account bio included a reference to:

  • nohello.net

This same reference had already appeared in earlier Rey-linked profiles. While not unique on its own, its repeated use across different accounts adds weight when combined with the username pattern.

The dataset also provided visibility into the account’s Telegram activity.

The user was active across several channels, including:

  • https://t.me/rrcc******n
  • https://t.me/Po*******ion
  • https://t.me/breac*****irc
  • https://t.me/Si*****at
  • https://t.me/b*******at

Unlike earlier stages of the investigation, this data included message-level interactions.

The account was actively engaging with other users, including individuals claiming affiliation with BreachForums operations.

One exchange in particular stood out: a conversation with a user identified as HasanBroker.

Within this discussion, HasanBroker presented himself as connected to BreachForums staff and referenced IntelBroker-related activity, pointing toward ongoing impersonation attempts and internal disputes.

The interaction between the two showed clear friction, suggesting prior awareness of each other rather than a one-off exchange.

The conversation escalated when HasanBroker shared an Ethereum wallet address:

  • 0x7af*****************************e33

The wallet was introduced as being linked to Rey, with the suggestion that transaction patterns could reveal meaningful insights.

A review of the wallet showed no remaining balance, with previous activity consisting of small-value transfers. At this stage, the wallet attribution remains unverified, as it is based on claims made within the conversation.

However, Rey’s response adds useful context:

  • “are you legit trying to dox me by one of my addresses”

By calling it "one of my addresses", the actor effectively acknowledges the wallet as their own, which gives the attribution a footing beyond HasanBroker's claim alone, even if it says nothing about how the wallet was used.

Further messages provide additional insight into how the actor approaches cryptocurrency usage:

  • “a address out of 12 address wont lead to anything :)”
  • “thats already cleaned”
  • “do you think i’d depo you with my main?”

HasanBroker even went on to describe it as:

  • “money laundering at its finest”

The dataset also surfaced an additional external account:

  • https://x.com/ReyXBF/

The account is now suspended, but the naming pattern aligns with BreachForums-related identity signaling, suggesting intentional association with that ecosystem.

Finally, the repeated use of nohello.net was reviewed in context. The site itself is benign and commonly used as a cultural reference encouraging direct communication. Its significance here lies in its consistency across multiple profiles, reinforcing behavioral continuity.
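
The linkages traced across the sections above, from the staff-application self-identification and the Telegram username histories down to the still-contextual @meow31337, ReyXS and wallet leads, can be kept disciplined by recording each link with its evidence class and only propagating identity across links the report treats as confirmed. The Python below is an added illustration written for this editorial pass, not StealthMole's tooling or anything from the investigation itself; the edge list encodes the report's own findings (redacted values copied exactly as printed), and the confirmed/contextual label on each edge is this editor's reading of how the report qualifies that link.

```python
from collections import deque

# Evidence graph assembled from the linkages this report describes. Each edge
# records the evidence behind the link and whether the report treats it as
# confirmed (self-identification, a shared account or identifier) or as
# contextual (naming pattern, timing, a third party's claim). The labels are
# this editor's reading of the report; redacted values are kept as printed.
CONFIRMED, CONTEXTUAL = True, False

EDGES = [
    ("Rey", "Hikki-Chan", "staff application: 'I'm Rey, also known as Hikki-Chan'", CONFIRMED),
    ("Rey", "breachforums user_130559", "profile user identifier and author block", CONFIRMED),
    ("Rey", "@wristller", "Telegram handle tied to Rey", CONFIRMED),
    ("@wristller", "@leaking", "archived username history of the same account", CONFIRMED),
    ("Hikki-Chan", "@wristmug", "handle posted in the New York Education thread", CONFIRMED),
    ("@wristmug", "Rey", "archived Telegram profile name", CONFIRMED),
    ("rey@c****k.lu", "Rey", "paste page publishing the actor's contact details", CONFIRMED),
    ("rey@c****k.lu", "Hikki-Chan", "same paste page", CONFIRMED),
    ("Rey", "ReyXS", "alias similarity and Orange leak timing on XSS", CONTEXTUAL),
    ("Rey", "@meow31337", "record in the leaked BreachForums dataset", CONTEXTUAL),
    ("@meow31337", "@wristting", "archived username history of the same account", CONFIRMED),
    ("Rey", "x.com/ReyXBF", "naming pattern; surfaced in the same dataset", CONTEXTUAL),
    ("Rey", "0x7af*****************************e33", "HasanBroker's claim, partly acknowledged", CONTEXTUAL),
]


def _adjacency(edges, confirmed_only):
    """Undirected neighbour map, optionally restricted to confirmed edges."""
    adj = {}
    for a, b, _evidence, confirmed in edges:
        if confirmed_only and not confirmed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def _reach(adj, seed):
    """Every node reachable from seed by breadth-first search."""
    seen, queue = {seed}, deque([seed])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def core_cluster(seed, edges=EDGES):
    """Identifiers joined to the seed purely through confirmed evidence."""
    return _reach(_adjacency(edges, True), seed)


def contextual_only(seed, edges=EDGES):
    """Identifiers that attach to the seed only once contextual edges are admitted."""
    return _reach(_adjacency(edges, False), seed) - core_cluster(seed, edges)


def evidence_path(src, dst, edges=EDGES):
    """Shortest evidence chain src -> dst as (from, to, evidence, confirmed) hops,
    or None when no chain exists. Contextual hops are the ones an analyst must
    defend before asserting the link."""
    lookup = {}
    for a, b, evidence, confirmed in edges:
        lookup[(a, b)] = lookup[(b, a)] = (evidence, confirmed)
    adj = _adjacency(edges, False)
    parent, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in adj.get(node, ()):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    if dst not in parent:
        return None
    hops, node = [], dst
    while parent[node] is not None:
        prev = parent[node]
        evidence, confirmed = lookup[(prev, node)]
        hops.append((prev, node, evidence, confirmed))
        node = prev
    return hops[::-1]


if __name__ == "__main__":
    print("confirmed cluster:", sorted(core_cluster("Rey")))
    print("contextual only:  ", sorted(contextual_only("Rey")))
    for prev, node, evidence, ok in evidence_path("Rey", "@wristting"):
        print(f"{prev} -> {node}: {evidence} [{'confirmed' if ok else 'contextual'}]")
```

core_cluster("Rey") returns only the identifiers joined by confirmed evidence (Hikki-Chan, user_130559, @wristller, @leaking, @wristmug and the paste-page email), while evidence_path("Rey", "@wristting") shows that tying the newer @wristting handle back to Rey rests on exactly one contextual hop, the dataset record linking Rey to @meow31337, which is the caveat the section above states in prose.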

Conclusion

What began as a continuation of the broader HellCat ecosystem investigation gradually evolved into a focused actor profile centered on Rey.

Over the course of the investigation, the persona was traced through a layered progression of identities and artifacts, from Rey’s presence across BreachForums and Telegram to earlier aliases such as Hikki-Chan, @wristmug, and @wristller. Rather than relying on a single indicator, the linkage between these identities was supported by a consistent pattern of cross-platform references, historical profile transitions, recurring linguistic markers, forum self-identification, communication handles, and associated financial artifacts.

The addition of data from the leaked BreachForums dataset further strengthened this profile, introducing new identifiers while reinforcing previously observed behavioral and structural continuity. This allowed the investigation to move beyond surface-level alias tracking and toward a more complete understanding of how the persona operates across platforms.

Overall, these findings position Rey not as a disposable forum alias, but as a persistent and evolving presence within the HellCat-linked ecosystem, one that maintains continuity while adapting identifiers over time.

Editorial Note

Attribution in cyber and dark web investigations is rarely absolute. Personas evolve, aliases change, and actors often move across platforms in ways that deliberately blur identity boundaries. This case is a good example of why disciplined analysis matters: not every public attribution can or should be accepted without independently observable overlap.

By following the evidence trail from current artifacts into historical personas and parallel identity clusters, this investigation highlights how StealthMole can help navigate uncertainty while preserving analytical rigor and avoiding unsupported conclusions.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


HellCat Ransomware Group: Infrastructure, Affiliations, and Activity on the Dark Web

In early 2024, a series of data leak posts began appearing across underground forums, gradually drawing attention to an actor operating under the name HellCat. What initially seemed like isolated disclosures soon revealed a more consistent pattern: one that pointed toward an emerging presence within the ransomware and data extortion ecosystem.

Unlike well-established ransomware groups that rely on polished branding and structured operations, HellCat’s activity appears more fluid, with traces scattered across multiple platforms including breach forums, Telegram channels, and publicly accessible paste services. These fragments, when viewed in isolation, offer limited insight. However, when correlated through StealthMole’s monitoring capabilities, a clearer picture begins to take shape.

This report examines HellCat not as a single isolated entity, but as part of a broader underground environment: one where aliases, shared resources, and overlapping communities often blur the lines between individual actors and collective operations. By following these traces across platforms, the investigation uncovers patterns of activity, communication, and potential affiliations that suggest a more interconnected presence than initially apparent.

Incident Trigger and Initial Investigation

To move from scattered observations to something more concrete, the next step was to test how consistently the HellCat name appeared across monitored data sources.

The investigation began by running the keyword “HellCat” within StealthMole’s Ransomware Monitoring module. This immediately surfaced 21 victims, all attributed to the same name, with activity recorded between October 2024 and May 2025. What initially looked like isolated mentions started to align into a more consistent pattern, reinforcing the idea that this was not a one-off actor.

To see whether this activity extended beyond corporate targets, the same keyword was then queried in the Government Monitoring module. This returned 3 additional incidents, dated between October 2024 and December 2024, indicating that the activity wasn’t limited to a single sector.

At this stage, the focus was still on the name itself. But a closer look at the results revealed something more useful than the victim listings.

Across both datasets, the same onion domain appeared repeatedly as the source where these incidents were originally posted:

  • http://hellcakbszllztlyqbjzwcbdhfrodx55wq77kmftp4bhnhsnn5r3odad.onion/

This overlap shifted the direction of the investigation. Instead of treating each listing as a separate data leak, the focus moved to the underlying source. The repeated reference to a single domain suggested that these posts were not randomly distributed, but were being published from a centralized location.

That domain became the starting point for deeper analysis.

Onion Infrastructure and Leak Platform Analysis

With the onion domain identified as a recurring source across both ransomware and government-related incidents, the next step was to examine it more closely through StealthMole’s Dark Web Tracker.

  • http://hellcakbszllztlyqbjzwcbdhfrodx55wq77kmftp4bhnhsnn5r3odad.onion/

The domain did not exist in isolation. When pivoted within the tracker, it revealed a cluster of seven related onion domains, all associated with the same naming pattern and likely part of the same infrastructure.

  • hellcatj6xgvho4qxnr2nbzzthsqel577i5wvzcpfjgavbo3d5l657id.onion
  • hellcatdohzngkuh7zruzhi2wojrawbnzbyzljtkw6iluv5ussfer4id.onion
  • hellcatdcy653ma43t2ryf2ztw5yfanqsbfmapndbqvteh5itctoijyd.onion
  • hellcatdue7rasyoi4oh6t3fhra5bpcj5t6xmrm4vjicfqdvrl24ijid.onion
  • hellcatdnrsu4i5uctbklunpfyv2ppiioh5sb3leu4dfgizinrve3gqd.onion
  • hellcakbszllztlyqbjzwcbdhfrodx55wq77kmftp4bhnhsnn5r3odad.onion

Among these, only one domain was observed to be active at the time of analysis:

  • hcat*************************************************ayd.onion

This instance was labeled as “HellCat Files” and presented a simple file-listing interface. The structure was minimal, with entries such as compressed files (.zip) available for download, without detailed descriptions, victim context, or negotiation interfaces typically seen in more mature ransomware leak sites.

The presence of multiple inactive domains suggests that the group has either rotated its infrastructure over time or experimented with different hosting instances. Rather than maintaining a stable, persistent leak site, the setup appears fragmented, with several domains no longer in use.

The active panel itself did not resemble a conventional ransomware data leak site. There were no visible victim listings, countdown timers, or negotiation mechanisms. Instead, the interface functioned more like a basic file repository, where content could be uploaded and accessed directly.

This shift, from victim listings to a simplified file distribution model, adds an important layer to understanding HellCat’s operations. It suggests that the group’s infrastructure is not built around structured extortion workflows, but rather around flexible and low-complexity content hosting.

At this point, the investigation moved beyond identifying the infrastructure itself and focused on uncovering the communication channels and identifiers embedded within it.

Communication Channels and Operational Setup

Following the identification of HellCat’s onion infrastructure, the next step was to examine what was embedded within these domains beyond file hosting. Using StealthMole’s Dark Web Tracker, several communication artifacts were identified across the indexed pages.

One of the first indicators was the presence of multiple TOX identifiers, including:

  • 898************************************************************E4
  • F97D**********************************************************E7F

These were consistently referenced within contact pages and error panels, indicating their role as primary communication channels. Tox is a decentralized, peer-to-peer encrypted messenger with no central account server, and a Tox ID is the account's public key followed by a nospam value and a checksum (76 hexadecimal characters), so the identifier names a keypair rather than a registered username. Its use aligns with common practice among underground actors seeking to avoid platforms that can be traced or compelled to hand over records.

In addition to TOX, multiple email addresses were identified:

  • he*******t@5**2.de
  • h****p@firemail.cc
  • h*****p@h****t.*w

These addresses followed a consistent naming pattern, suggesting they were part of a coordinated communication setup rather than isolated contacts. The contact entries were further linked to PGP fingerprints:

  • 2A0**********************************F81
  • 1EE**********************************9A9

The presence of PGP keys indicates that encrypted communication was supported, likely for exchanging sensitive information such as data samples, credentials, or negotiation details.

Further exploration of the infrastructure revealed that HellCat maintained a broader operational interface beyond simple leak hosting. Certain onion pages included sections dedicated to:

  • Instructions on setting up TOX
  • Guides for using XMPP-based messaging
  • Basic walkthroughs on acquiring Bitcoin
  • A temporary note-sharing service for exchanging information

This combination of tools suggests an environment designed not only for publishing data, but also for facilitating interaction with external parties. The inclusion of step-by-step guides, particularly for cryptocurrency usage, indicates that the setup may be intended for users with varying levels of technical familiarity.

At the same time, parts of the interface appeared incomplete or templated. For example, generic placeholders such as user@jabber.com were present, suggesting that some components were not fully configured or were reused across deployments without customization.

Overall, the communication layer reflects a structured but relatively lightweight setup. Rather than relying on a single channel, HellCat appears to maintain multiple parallel methods of interaction, combining encrypted messaging, email, and public-facing interfaces to support its operations.

Associated Actors and Forum Presence

With the onion infrastructure and communication channels mapped, the next step was to identify whether this activity could be tied to specific actors operating across underground forums.

The pivot began from the active onion link:

  • hcat********************************************ayd.onion

When this domain was further investigated using StealthMole’s Dark Web Tracker, it led to a BreachForums thread associated with a dataset leak:

  • https://breachforums.**/Thread-DOCUMENTS**********Leaked-Download

This thread became a key entry point into identifying the actors operating around HellCat-related activity. From this thread and related pivots, multiple user profiles were identified:

  • https://breachforums.**/User-prx
  • https://breachforums.**/User-gwap
  • https://breachforums.**/User-Rey
  • https://breachforums.**/User-SMeu
  • https://breachforums.**/User-miyako
  • https://breachforums.**/User-AnonBF

These profiles were not randomly selected. Each of them appeared either directly within the thread, in associated discussions, or through cross-references observed during further navigation.

A closer review of these profiles revealed several points of overlap:

  • The user Rey maintained visible references to other accounts within their forum signature, including mentions of prx and SMeu.
  • The profile miyako was categorized as an Initial Access Broker, indicating involvement in selling or providing access to compromised systems rather than just sharing leaked data.
  • Multiple profiles referenced external communication channels (Telegram, Session), aligning with the communication infrastructure previously identified.

Beyond visible interactions, a more concrete layer of linkage emerged through communication identifiers. Several of these actors were associated with Session-based messaging IDs, which appeared across profiles and external communication references, including:

  • 05651**************************************************1328 (Gwap)
  • 05833*************************************************e918 (Miyako)
  • 0552e***************************************************5e5e (Pryx)
  • 05669***************************************************e00 (SMeu)
  • 05e5d**************************************************c9849 (Rey)

These identifiers provide a stronger technical basis for linking forum personas to off-platform communication channels. Unlike usernames, which can be easily changed or reused, Session IDs tend to remain consistent, making them useful for tracking continuity across environments.

In addition to forum activity, certain posts linked to external resources, including dataset previews and download links, reinforcing the connection between forum discussions and the onion-based file hosting infrastructure.

The same cluster of usernames was also observed in relation to data sale and leak posts beyond a single thread. For example, activity linked to HellCat-related datasets appeared in threads offering large-scale data packages, often accompanied by sample files and escrow-based transactions.

This pattern indicates that the activity is not limited to a single post or campaign, but instead reflects ongoing participation within underground data exchange environments.

While none of these accounts explicitly declare themselves as part of a formal “HellCat group,” the repeated overlap in forum threads, shared references, communication channels, and proximity to HellCat-linked infrastructure suggests the presence of a loosely connected cluster of actors.

Rather than operating as a tightly structured organization, HellCat appears to exist within a network where different individuals contribute to different parts of the workflow, from access acquisition to data distribution.

Technical Artifacts and Cross-Platform Indicators

As the investigation moved deeper into HellCat’s infrastructure and forum activity, additional artifacts began to surface that helped connect different parts of the ecosystem. These were not isolated findings, but recurring identifiers that appeared across onion sites, forum profiles, and communication channels.

One of the more significant observations came from the analysis of the primary onion domain, where seven different malware hashes associated with the same infrastructure were indexed:

  • f9c1*********************************************************5e5
  • f8b6*********************************************************641
  • 7f28*********************************************************27c
  • 393b*********************************************************6f2
  • 15a2*********************************************************f0b
  • dcd7*********************************************************ac2
  • b8e7*********************************************************be7

These hashes are particularly important because, unlike domains or usernames, they remain consistent even if the actor changes infrastructure. Their presence suggests that HellCat is not only distributing leaked data but is also associated with ransomware files.

Alongside these technical indicators, multiple communication identifiers were observed across platforms. Session-based messaging IDs appeared repeatedly in connection with forum profiles and external communication channels, including:

  • 05e5d********************************************************9849
  • 05c9d********************************************************df73

These identifiers provided a consistent thread between different environments, linking forum activity to off-platform communication methods. Their reuse across contexts suggests continuity rather than isolated accounts, reinforcing the idea of a connected operational layer.
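The reasoning above, that stable identifiers (Session IDs, TOX IDs, PGP fingerprints, file hashes) can link forum personas to off-platform channels and infrastructure even when usernames change, is the kind of correlation an analyst would normally script rather than do by hand. The following is an added example of that technique, written for this report and not StealthMole's own tooling: it validates each identifier's format before treating it as a link (so a redacted or truncated string cannot connect two profiles by accident), then clusters profiles that share identifiers directly or transitively, and records which identifier provides the evidence for each link. All profile names and identifier values in it are constructed placeholders, not indicators from this investigation.

```python
"""Cross-platform persona correlation (added example; not StealthMole's tooling).

Profiles that share a well-formed off-platform identifier are merged into one
cluster with a union-find structure; identifiers that fail the format check are
reported separately so that redacted or mistyped values never act as links.
"""
import re
from collections import defaultdict

# Format checks (assumed canonical forms): Session ID = 66 hex chars with a "05"
# prefix; TOX ID = 76 hex chars; PGP v4 fingerprint = 40 hex chars;
# SHA-256 file hash = 64 hex chars.
IDENT_FORMATS = {
    "session": re.compile(r"^05[0-9a-f]{64}$"),
    "tox": re.compile(r"^[0-9A-F]{76}$"),
    "pgp": re.compile(r"^[0-9A-F]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}
LOWERCASE_KINDS = {"session", "sha256"}


def normalize(kind, value):
    """Canonicalise an identifier; return None if the kind is unknown or the value is malformed."""
    value = value.strip()
    value = value.lower() if kind in LOWERCASE_KINDS else value.upper()
    pattern = IDENT_FORMATS.get(kind)
    if pattern is None or not pattern.fullmatch(value):
        return None
    return value


class UnionFind:
    """Disjoint-set forest with path halving; one set per connected cluster of profiles."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_personas(observations):
    """Group profiles that share well-formed identifiers.

    observations: iterable of (profile, kind, value) tuples.
    Returns (clusters, evidence, rejected):
      clusters  - sorted list of sorted profile lists (singletons included)
      evidence  - {(kind, value): sorted profiles} for identifiers seen on 2+ profiles
      rejected  - observations whose value failed the format check
    """
    uf = UnionFind()
    holders = defaultdict(set)
    rejected = []
    for profile, kind, value in observations:
        uf.find(profile)  # register the profile even if it ends up with no valid identifier
        canon = normalize(kind, value)
        if canon is None:
            rejected.append((profile, kind, value))
            continue
        holders[(kind, canon)].add(profile)

    # Every profile holding the same identifier joins one set.
    for profiles in holders.values():
        first, *rest = sorted(profiles)
        for other in rest:
            uf.union(first, other)

    groups = defaultdict(list)
    for profile in list(uf.parent):
        groups[uf.find(profile)].append(profile)
    clusters = sorted(sorted(g) for g in groups.values())
    evidence = {k: sorted(v) for k, v in holders.items() if len(v) > 1}
    return clusters, evidence, rejected


# Constructed sample observations: placeholder names and synthetic values only.
SESSION_A = "05" + "ab" * 32   # shared by profile_A and profile_B
SESSION_B = "05" + "cd" * 32   # held by profile_D alone
PGP_A = "A1B2" * 10            # shared by profile_B and profile_C
HASH_A = "f9" * 32             # file hash posted by profile_C and indexed on the onion site

SAMPLE_OBSERVATIONS = [
    ("profile_A", "session", SESSION_A),
    ("profile_B", "session", SESSION_A.upper()),   # different casing, same identifier
    ("profile_B", "pgp", PGP_A),
    ("profile_C", "pgp", PGP_A.lower()),
    ("profile_C", "sha256", HASH_A),
    ("onion_site", "sha256", HASH_A),
    ("profile_D", "session", SESSION_B),
    ("profile_E", "session", "05****redacted****"),  # redacted form: must not link anything
]

if __name__ == "__main__":
    clusters, evidence, rejected = cluster_personas(SAMPLE_OBSERVATIONS)
    for group in clusters:
        print("cluster:", ", ".join(group))
    for (kind, value), profiles in evidence.items():
        print(f"link via {kind} {value[:6]}...: {', '.join(profiles)}")
    print("rejected:", rejected)
```

The point of returning `evidence` alongside the clusters is that a cluster alone is not an attribution: an analyst needs to see which identifier connects which profiles, and how many independent identifiers agree, before treating the grouping as more than a hypothesis.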

Similarly, the investigation identified one more TOX identifier used for encrypted communication:

  • 1F571****************************************************8F

The presence of multiple TOX IDs suggests either role separation or multiple individuals operating within the same environment. Rather than relying on a single communication channel, HellCat appears to maintain parallel options, which aligns with the fragmented infrastructure observed earlier.

Financial indicators also emerged during the investigation. A Bitcoin wallet was identified in connection with HellCat-linked activity:

  • bc1q****************************9x

The transaction activity associated with this wallet was limited and relatively low in value. This stands in contrast to the large-scale financial flows typically observed in established ransomware operations, where payments are often substantial and frequent. The modest activity here suggests that monetization may not be fully developed, or that the actor operates at a smaller scale than more mature ransomware groups.

Finally, Telegram activity provided additional context. Accounts associated with HellCat-related operations were observed sharing leaked content and interacting with other users. In several cases, content posted on forums was later redistributed through Telegram channels, indicating a pattern of cross-platform amplification. Some of these accounts were subsequently deleted, which may reflect attempts to reduce visibility or adapt to increased scrutiny.

Overall, these artifacts do more than confirm presence; they help define the nature of the operation. The combination of persistent technical indicators, reused communication channels, and limited financial activity points toward an environment that is active but not fully structured. Rather than a tightly controlled ransomware operation, HellCat appears to operate within a flexible setup where tools, identities, and platforms are reused as needed.

Conclusion

What initially appeared as a series of isolated leak posts linked to the name HellCat gradually revealed a more structured pattern when examined through StealthMole. The activity traced back to a shared onion-based infrastructure, supported by multiple communication channels and a recurring set of forum actors operating in close proximity to one another.

At the infrastructure level, the environment does not follow the conventions of established ransomware operations. Instead of maintaining a stable and structured leak site, HellCat relies on a fragmented setup, with multiple inactive domains and a single active instance functioning as a simple file repository. This suggests a level of operational inconsistency and a preference for flexibility over permanence.

In contrast, the communication layer shows a more deliberate approach. The use of multiple TOX identifiers, Session IDs, email addresses, and PGP keys indicates that the actors maintain several parallel channels, allowing them to adapt if any single method becomes unavailable. This balance between loosely maintained infrastructure and layered communication reflects a hybrid operational model.

The actor ecosystem further supports this interpretation. Rather than a clearly defined group, the activity is distributed across several forum profiles with different roles, including data sharing and access brokerage. These actors are connected not through explicit declarations, but through repeated overlap in threads, shared identifiers, and consistent proximity to HellCat-linked activity.

Technical artifacts add another dimension to this picture. While ransomware-classified files are present, the limited financial activity associated with identified cryptocurrency wallets does not align with large-scale extortion operations. This suggests that the activity may be driven more by data distribution and marketplace engagement than by structured ransom-based monetization.

Taken together, these findings show that HellCat does not fit neatly into a single category. It operates within a fluid and loosely connected ecosystem where infrastructure, identities, and roles are reused and adapted as needed. Rather than functioning as a centralized ransomware group, it reflects an emerging model of underground activity that prioritizes flexibility over structure.

Editorial Note

Attribution in cyber and dark web investigations is rarely definitive. The findings in this report are based on observable artifacts, platform correlations, and patterns identified through StealthMole. While these connections provide a strong analytical foundation, they do not imply absolute ownership or control by any single entity. This case highlights how seemingly unrelated data points, when explored systematically, can reveal meaningful patterns, while also reinforcing the need for caution in drawing conclusions within complex and evolving underground environments.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com
