Mirrors of Free City: Investigating the Chinese Marketplace Across Dark & Deep Web

The Chinese-language dark web ecosystem rarely attracts the same public attention as ransomware gangs or leak sites operating in Western underground communities, yet it remains one of the most active and fragmented underground environments online. Spread across Tor hidden services, Telegram channels, automated bots, and constantly shifting mirror domains, these networks operate through tightly connected ecosystems that are often difficult to map from a single entry point.

Over the past few years, Telegram has become increasingly intertwined with these underground operations. What once existed primarily through standalone onion marketplaces has gradually evolved into interconnected communities where advertisements, escrow services, account support, mirror updates, automated replies, and underground promotions all move through Telegram in parallel with dark web infrastructure. In many cases, Telegram acts as both a communication layer and a resilience mechanism, allowing marketplaces to survive domain instability, takedowns, or operational disruptions.

Unlike highly publicized Western marketplaces that frequently rely on reputation through media exposure, many Chinese-language underground platforms grow through closed communities, repost networks, bot automation, and cross-channel promotion. The result is an ecosystem that feels less centralized and more adaptive, where infrastructure constantly shifts while the surrounding network remains active.

This operational model makes investigations significantly more challenging. A single Telegram channel can lead to multiple onion mirrors, bot accounts, administrative channels, escrow systems, and interconnected services spread across different platforms. What initially appears to be a single marketplace often reveals a much broader infrastructure designed to maintain persistence and visibility even as domains rotate or services disappear.

Incident Trigger and Initial Investigation

The investigation began while reviewing unrelated Chinese-language dark web activity, where an onion domain repeatedly surfaced during routine monitoring:

  • anwan*****************************************ruyd.onion

At first glance, the site looked different from many short-lived or poorly maintained onion marketplaces that frequently appear across underground forums. The platform, operating under the name “自由城” (“Free City”), presented itself as a structured anonymous escrow marketplace and community forum rather than a simple storefront or leak page.

The marketplace interface suggested an active and relatively organized ecosystem. Visible sections referenced digital goods trading, underground services, anonymous transactions, and community-based activity tied to Telegram. Several marketplace categories also appeared geographically segmented through province-based filters, something more commonly seen in Chinese-language underground communities than in Western-facing darknet markets.

What made the platform particularly interesting during the initial review was the way it blended multiple functions into a single environment. Alongside marketplace listings, the site promoted escrow-style transactions, community interaction, and external communication channels, giving the impression that the platform operated as part of a larger ecosystem rather than a standalone onion site.

The marketplace also appeared unusually persistent. Historical snapshot data indicated that the domain had been observed for several years, a notable detail considering how frequently underground marketplaces disappear due to operational instability, scams, or infrastructure takedowns.

Expansion of the Free City Infrastructure

To better understand whether Free City operated as an isolated marketplace or part of a larger network, the original onion domain was further investigated using StealthMole’s Darkweb Tracker. The results quickly suggested that the platform maintained additional infrastructure beyond the initially identified marketplace.

The first notable discovery was the identification of two associated onion domains connected to the original Free City marketplace:

  • freecitvpzyu2dwmnak5fzuasowmkswxbknh7oj3i4recf4nj4nqdpqd.onion
  • xbtpp***********************************************fjyd.onion

The freecit naming convention immediately stood out because it directly aligned with the platform’s “Free City” branding. Although the domain appeared inactive, it suggested that the marketplace may have operated through earlier infrastructure before transitioning to newer onion services.

In contrast, the xbtppbb domain remained active and displayed a marketplace interface visually similar to the original Free City site, including matching layout structures, forum-style navigation, and escrow-related terminology.

At this stage of the investigation, Free City was already beginning to resemble a marketplace operating through layered infrastructure rather than a single standalone onion service.

Further investigation into related infrastructure uncovered two additional onion domains:

  • anwangokadzm5drfhz4464slrnhtsxnztyaqkujct5xrznqlqy2utuyd.onion
  • xbtppbb7xdqdiebess2nsxagae3tcelr3tfqo6sgjvtpb7tvibl665qd.onion

The repeated appearance of the anwangok and xbtppbb naming patterns became increasingly significant as the investigation progressed. Both domains continued to display similar marketplace branding, registration pages, login portals, and forum-oriented navigation structures associated with Free City.

The infrastructure pattern became even more apparent after another related onion domain was identified:

  • anwangok3embyqisu6i7fip6dex74hzhf72llqs7eyfi6h2yo4xlnwyd.onion

By this point, the repeated use of the anwangok prefix across multiple domains no longer appeared coincidental. Instead, the infrastructure suggested deliberate domain rotation or mirror deployment designed to preserve accessibility and operational continuity across the marketplace ecosystem.

Historical snapshot data further reinforced this pattern. Some identified domains appeared to represent older or inactive infrastructure, while others remained operational and actively accessible. Rather than relying on a single persistent onion service, Free City appeared to maintain multiple entry points capable of supporting the broader marketplace environment over time.

As additional domains were identified, the infrastructure surrounding Free City increasingly reflected the operational behavior commonly observed in more mature underground ecosystems, where mirrored services and rotating access points are used to reduce dependence on any single domain and maintain resilience against instability or disruption.

Telegram Ecosystem and Operational Coordination

As the infrastructure investigation expanded, it became increasingly difficult to separate the Free City marketplace from its Telegram presence. Multiple references embedded within the marketplace environment pointed toward a broader communication network operating alongside the onion infrastructure, suggesting that Telegram played a central role in maintaining visibility, coordination, and user engagement across the ecosystem.

The first major pivot came through the Telegram channel:

  • https://t.me/free*******l

The channel described itself as an official Free City escrow trading community and contained direct references to the marketplace’s onion infrastructure. Unlike temporary promotional channels often seen around underground services, the channel appeared structured and actively maintained, functioning as a central hub connecting users to marketplace activity, announcements, and related services.

Further investigation into the ecosystem identified several additional Telegram channels and administrative accounts associated with the platform:

Associated Telegram Infrastructure

  • https://t.me/free********l
  • https://t.me/free********m
  • https://t.me/free********n
  • https://t.me/free********y
  • https://t.me/free********e
  • https://t.me/free********t

The naming conventions and channel structure suggested a deliberate separation of operational functions. Some channels focused on announcements and marketplace updates, while others appeared dedicated to tutorials, community discussions, or scam-related exposure content tied to the broader underground ecosystem.

Additional confirmation of these relationships emerged after a leaked text file referencing the original Free City onion domain was identified during the investigation. The file contained several of the same Telegram references connected to the marketplace. To better organize the findings, the file was further analyzed using StealthMole’s MoleChat capability, which extracted multiple recurring identifiers associated with the platform.

Identified Platform References

  • Admin account: @free*****n
  • Community channel: @free*******l
  • Announcement channel: @free*****m
  • Tutorial channel: @free******y
  • Scam exposure channel: @free*****e

The investigation became more revealing after activity connected to @free****y was reviewed through Telegram Tracker. One screenshot linked to the channel was found circulating within another Telegram community:

  • https://t.me/e****1

The channel focused on scam exposure and underground disputes, introducing a different perspective on the Free City ecosystem. Discussions and reposted screenshots referenced marketplace-related conflicts, allegations involving transactions, and broader reputation issues connected to underground activity surrounding the platform. While these discussions did not independently confirm fraudulent activity by Free City itself, they demonstrated that the marketplace had become visible enough within underground communities to generate external discussion, criticism, and monitoring.

Further investigation into Telegram activity connected to the original onion domain revealed repeated marketplace references across multiple Chinese-language underground communities. The marketplace was frequently discussed alongside Tor access instructions, anonymous escrow services, underground resources, and darknet-related community activity. Over time, these references painted a clearer picture of how Free City maintained visibility beyond its onion infrastructure alone.

One of the more significant findings during this stage involved the account:

  • @free******n

The account repeatedly appeared in forwarded messages, announcement activity, and marketplace-related discussions connected to the ecosystem. Administrative posts referenced platform upgrades, changes to deposit and withdrawal thresholds, marketplace maintenance, and search-related functionality tied to Telegram groups and channels. These operational announcements suggested ongoing administrative management rather than an abandoned or purely automated marketplace environment.

The investigation also revealed the presence of:

  • @Free*****t

Unlike standard promotional accounts, the bot appeared integrated into the broader ecosystem and was repeatedly linked alongside marketplace references, onion domains, and associated Telegram channels. Activity connected to the bot included automated marketplace promotion, reposted advertisements, and ecosystem-related messaging distributed across Telegram communities.

Telegram no longer appeared to function merely as a promotional layer surrounding the marketplace. Instead, it operated as a parallel operational environment supporting communication, announcements, ecosystem coordination, automated activity, and continued marketplace visibility even as onion infrastructure evolved over time.

Marketplace Activity and Ecosystem Behavior

As more infrastructure and Telegram activity surrounding Free City was identified, the marketplace itself began revealing a broader picture of the ecosystem it was supporting. The platform no longer appeared limited to a narrow cybercrime marketplace or isolated escrow service. Instead, Free City functioned more like a multi-layered underground environment where marketplace activity, community interaction, and service promotion existed side by side.

Marketplace categories and promotional content observed during the investigation referenced a wide range of underground activity, including:

Observed Marketplace Themes

  • Digital goods trading
  • Escrow-based anonymous transactions
  • Account trading and virtual resources
  • Data-related services
  • Telegram-linked underground communities
  • Fraud-related marketplace activity
  • Underground tutorials and resource sharing
  • Regionally segmented marketplace listings

Several marketplace sections appeared geographically organized through province-based filtering, an operational detail more commonly associated with Chinese-language underground communities than broader international darknet markets. The marketplace interface also blended forum-style interaction with listing-based marketplace activity, allowing users to move between advertisements, discussions, and service-related content within the same environment.

As Telegram activity surrounding the ecosystem was further reviewed, recurring references to marketplace behavior and platform reputation also began surfacing across unrelated underground communities. Some discussions described Free City as a long-running anonymous escrow marketplace, while others referenced withdrawal problems, disputed transactions, or operational distrust connected to the platform.

The investigation also revealed that parts of the ecosystem appeared heavily dependent on reposting and cross-channel propagation. Marketplace advertisements, onion domains, automated bot messages, and promotional material frequently circulated across Telegram groups focused on darknet activity, underground resources, fraud exposure, and anonymous marketplace services. This distribution pattern made the ecosystem appear less centralized and more adaptive, allowing marketplace visibility to persist even outside Free City’s directly associated channels.

Conclusion

What initially appeared to be a single Chinese-language onion marketplace gradually revealed a much broader operational ecosystem built across mirrored infrastructure, Telegram communities, administrative channels, and automated bot activity. As the investigation progressed, Free City consistently demonstrated patterns associated with more mature underground environments, particularly through its use of multiple onion domains and Telegram-based coordination.

The investigation also highlighted how closely Telegram and Tor infrastructure now operate together within parts of the Chinese-language underground ecosystem. Marketplace visibility, announcements, escrow-related communication, and promotional activity were no longer confined to hidden services alone, but instead distributed across interconnected Telegram channels and repost networks that helped sustain the platform’s presence over time.

At the same time, the fragmented nature of these ecosystems made attribution and infrastructure mapping significantly more challenging. Marketplace references, mirrored domains, automated activity, and community discussions frequently overlapped across unrelated underground spaces, making it difficult to separate direct operational infrastructure from broader ecosystem noise without continuous pivot-based investigation.

Although Free City appeared to function as an anonymous escrow marketplace and underground community platform, the investigation ultimately demonstrated something larger: modern underground marketplaces increasingly survive not through a single hidden service, but through distributed ecosystems designed to maintain visibility, continuity, and resilience across multiple interconnected platforms.

Editorial Note

Investigations involving dark web marketplaces and underground Telegram ecosystems rarely produce perfectly linear attribution. Infrastructure changes constantly, domains rotate, and unrelated activity often overlaps within the same underground spaces. This investigation demonstrates how StealthMole’s ability to pivot across onion infrastructure, Telegram activity, leaked data, and automated ecosystem indicators can help connect fragmented findings and provide broader visibility into underground networks that would otherwise remain difficult to map.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


Dark Web Store Rebranded: Tracking the Transition to Cartel Market Through Digital Footprints

There’s a certain pattern you start to notice after spending enough time tracking dark web marketplaces. They rarely appear as something entirely new. Instead, they evolve: shifting names, reusing infrastructure, recycling contact points, and quietly migrating users from one platform to another. On the surface, each site tries to present itself as a “trusted” marketplace, but underneath, it’s often the same network adapting to survive.

That’s what makes these ecosystems interesting. They’re not static websites, they’re fluid operations. When one domain goes down, another appears. When a brand loses credibility, it rebrands. Vendors follow, buyers follow, and slowly, a new “marketplace” forms that looks different but feels strangely familiar.

In this investigation, what initially appeared to be a standalone dark web marketplace quickly unfolded into something more layered. Multiple onion domains, overlapping email addresses, reused visual assets, and interconnected Telegram channels began to surface. What looked like separate entities, “Cartel Market” and “Dark Web Store”, started showing signs of being part of the same operational network.

By following these traces across StealthMole’s Darkweb and Telegram tracking capabilities, a clearer picture began to emerge, not just of a marketplace, but of an evolving infrastructure designed to maintain continuity despite constant disruption.

Incident Trigger and Initial Investigation

This investigation didn’t begin with “Cartel Market” or “Dark Web Store” as a target. In fact, neither name was even on the radar at the start. The entry point was far less direct, a single onion domain that surfaced while working through an unrelated case.

That domain was:

  • muwgjdxm2d4vokvnr6b5cede5qvdf73rydmx2vnhgmrxf7vgo3sptvad.onion

When run through StealthMole’s Darkweb Tracker, it immediately stood out as more than just a dead or placeholder page. The snapshot showed a structured storefront: product categories, a login panel, and listings that pointed toward drugs, firearms, research chemicals, and forged documents. It had the look and feel of an active marketplace rather than a simple scam landing page.

At first glance, nothing about it seemed particularly unique. Dark web marketplaces tend to follow similar templates, and this one fit that pattern. But small details began to stand out on closer inspection.

One of those was the presence of external communication options, including a WhatsApp prompt, which is not typical for more established marketplaces that usually keep interactions within their own systems. Alongside that, StealthMole surfaced product visuals tied to the same domain, including pills and mushrooms, suggesting that the listings weren’t just decorative, they were part of an active offering.

Individually, none of these indicators were unusual. But together, they created just enough friction to warrant a deeper look. It didn’t feel like a one-off marketplace. It felt like an entry point, something connected to a larger structure that wasn’t immediately visible.

That’s when the investigation shifted from observing a single domain to following the traces around it.

Infrastructure Expansion and Linked Domains

What initially looked like a single marketplace began to change once the domain was pivoted further through StealthMole’s Darkweb Tracker. Instead of isolating one site, the search started surfacing additional onion domains that shared noticeable similarities in structure, content, and naming patterns.

Three of these domains stood out:

  • muwgjd6dboihbq2ofzqkb36mqw2nh6332zy27532pwxjqgdrl66hnaad.onion
  • td6zxeyev45v4fwhrfn27dhlqjcszm4rdavwy5mbp7xd5bnto6xzfiad.onion
  • muwgjd2vpu33qyq4cf56brw7o3gfzlkwiqwcthmhpnr6sbbtjftxj7qd.onion
  • muwgjdxm2d4vokvnr6b5cede5qvdf73rydmx2vnhgmrxf7vgo3sptvad.onion (initial entry point)

All of them were inactive at the time of analysis, but their historical snapshots told a more complete story.

Two of the domains shared a distinct prefix, “muwgjd”, which is not something you would expect to see repeated across unrelated services. That alone suggested a level of coordination. When their page content was reviewed, the connection became harder to ignore. The same product categories appeared across these sites: firearms, drugs, forged documents, and financial instruments. Even the structure felt familiar, similar layouts, similar messaging, and in some cases, identical design elements.

More telling was the reuse of media. The same product images, including a PayPal balance screenshot and visuals of illicit goods, appeared across multiple domains. These weren’t just similar assets; they were identical, indicating that the sites were either managed by the same operator or built from the same backend resources.

One of the domains also revealed traces of an earlier identity: “Dark Web Store.” References to this name, along with overlapping contact points observed elsewhere in the investigation, suggested that what was now being seen as “Cartel Market” may not have been a new operation at all, but rather a continuation or evolution of something that already existed.

At this point, the investigation was no longer about a single marketplace. It had expanded into a network of related domains, some active, some abandoned, all pointing toward a shared infrastructure that had been reused, reshaped, and redeployed over time.
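The repeated prefixes in this section (muwgjd) and in the Free City investigation above (anwangok, xbtppbb, freecit) are the kind of pattern an analyst wants to pull out mechanically from a pile of captions, channel posts and leaked text files rather than by eye. The Python below is an added example written for this page, not StealthMole's code and not anything belonging to the operators: it extracts v3 onion labels from free text, checks each one structurally (a 56-character base32 label carrying a 32-byte key, a two-byte SHA3-256 checksum and the version byte 0x03, as defined in the Tor rendezvous specification), and buckets labels that share a leading run of characters. The sample text is constructed; it reuses the unmasked hostnames quoted on this page plus one randomly generated, correctly checksummed address.

```python
"""Validate v3 onion hostnames found in text and group them by shared vanity prefix."""
import base64
import hashlib
import os
import re
import secrets
from collections import defaultdict

# A v3 label is exactly 56 base32 characters (35 bytes: key || checksum || version).
ONION_LABEL = re.compile(r"\b([a-z2-7]{56})\.onion\b")
VERSION = b"\x03"


def v3_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] (Tor rend-spec-v3)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 hostname from a 32-byte public key (random bytes are enough for a test vector)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_v3(hostname: str) -> bool:
    """Structural check: alphabet, length, version byte and checksum must all agree."""
    match = ONION_LABEL.fullmatch(hostname.strip().lower())
    if not match:
        return False
    raw = base64.b32decode(match.group(1).upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == VERSION and checksum == v3_checksum(pubkey)


def extract_onions(text: str) -> list:
    """Unique 56-character labels found in free text (captions, channel posts, leaked files)."""
    return sorted(set(ONION_LABEL.findall(text.lower())))


def group_by_prefix(labels, min_prefix: int = 6) -> dict:
    """Bucket labels sharing at least `min_prefix` leading characters; key = longest common prefix."""
    buckets = defaultdict(list)
    for label in labels:
        buckets[label[:min_prefix]].append(label)
    groups = {}
    for members in buckets.values():
        if len(members) >= 2:
            groups[os.path.commonprefix(members)] = sorted(members)
    return groups


# Constructed sample: unmasked hostnames quoted in the article plus one random valid address.
SAMPLE_TEXT = """
mirror list (constructed sample)
anwangokadzm5drfhz4464slrnhtsxnztyaqkujct5xrznqlqy2utuyd.onion
anwangok3embyqisu6i7fip6dex74hzhf72llqs7eyfi6h2yo4xlnwyd.onion
xbtppbb7xdqdiebess2nsxagae3tcelr3tfqo6sgjvtpb7tvibl665qd.onion
muwgjdxm2d4vokvnr6b5cede5qvdf73rydmx2vnhgmrxf7vgo3sptvad.onion
muwgjd6dboihbq2ofzqkb36mqw2nh6332zy27532pwxjqgdrl66hnaad.onion
muwgjd2vpu33qyq4cf56brw7o3gfzlkwiqwcthmhpnr6sbbtjftxj7qd.onion
""" + encode_v3(secrets.token_bytes(32)) + "\n"


if __name__ == "__main__":
    found = extract_onions(SAMPLE_TEXT)
    for label in found:
        print(f"{label}.onion  checksum_ok={is_valid_v3(label + '.onion')}")
    for prefix, members in group_by_prefix(found).items():
        print(f"shared prefix {prefix!r}: {len(members)} hosts")
```

A six-character match is already far outside chance for independently generated keys (32^6 possibilities), which is why a shared prefix of that length points to deliberately mined vanity addresses rather than coincidence. The checksum test is worth running before any hostname goes onto a tracking list: it rejects transcription and extraction damage, and it explains a detail visible in the lists above, since every genuine v3 hostname ends in `d` with `a`, `i`, `q` or `y` as the second-to-last character (the version byte and the tail of the checksum fix those bits).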

Identity and Contact Layer

Once the infrastructure began to take shape, the next step was to look at how this network communicated, and that’s where things started to connect more clearly.

Across the different domains, a consistent pattern of contact points began to emerge. Instead of isolated identifiers, there was a recognizable naming convention repeating itself across multiple platforms, particularly around the terms cartelmarket and cartelmarket247.

The following email addresses were observed across the investigated domains:

  • cartel*****t@gmail.com
  • cart********@proton.me
  • cartel********7@gmail.com
  • cartel********7@proton.me
  • cartel*****7@protonmail.com
  • cartel********7@protonamil.me

Alongside these, a second cluster appeared under a slightly different identity:

  • darkweb*****e@tuta.com
  • darkweb*******e@keemail.me

In addition to these, one recurring email stood out:

  • ale*******0@gmail.com

This address appeared across multiple environments and acted as a subtle bridge between the two naming clusters. While it does not present itself as a primary contact point, its repeated presence suggests it may be tied to vendor activity or an associated account operating within the same ecosystem.

Not every identifier carried equal weight. Some email addresses appeared only once and are likely tied to individual users or vendors rather than the operators themselves. Others, such as template-related contacts embedded within site structures, were identified as irrelevant and excluded from further analysis. What remained, however, was a consistent set of recurring identifiers that pointed toward a shared operational layer.

The same pattern extended beyond email. A Telegram account linked to the handle @dark****re was identified, showing multiple username changes over time. Unlike static contact points, this account demonstrated activity, including short messages and participation within channels, suggesting direct engagement rather than passive presence.

Further pivoting led to the discovery of a Telegram channel:

  • https://t.me/DarkWeb*****7

The channel appeared to function as a promotional extension of the marketplace, advertising categories such as drugs, firearms, cloned cards, and digital payment services. Its branding and messaging closely aligned with what had already been observed across the onion domains.

Financial and Transaction Indicators

As the infrastructure and contact layer became clearer, the next piece of the puzzle was understanding how transactions were handled across this ecosystem. Unlike communication channels, which showed some level of consistency, the financial layer appeared more distributed but not unstructured.

Across the investigated domains, multiple Bitcoin wallet addresses were identified, often tied to specific versions of the marketplace rather than a single centralized point.

From the primary domain:

  • muwgjdxm2d4vokvnr6b5cede5qvdf73rydmx2vnhgmrxf7vgo3sptvad.onion

the following wallets were observed:

  • bc1q***********************************8z3
  • bc1q***********************************25h

Additional wallets were identified across related domains within the same ecosystem, including:

  • bc1q7**********************************khx
  • bc1qm**********************************tdl
  • bc1q4**********************************fxm
  • bc1q6**********************************0lm

Rather than pointing to fragmentation, this distribution appears intentional. Wallets are reused within the same network of domains, suggesting a shared backend or at least coordinated operation. At the same time, the presence of multiple addresses indicates a level of rotation, whether for operational convenience, transaction separation, or basic obfuscation.

Alongside cryptocurrency, another recurring element stood out: a PayPal balance screenshot that appeared across multiple domains. While there is no direct evidence of PayPal being used as a transactional method within the marketplace itself, its repeated inclusion suggests it served as a visual trust signal, a way to present legitimacy to potential buyers.

The financial layer reflects the same pattern seen throughout the investigation. It is not tightly centralized, but it is also not random. Wallets, like domains and contact points, are reused, redistributed, and adapted, forming a system that continues to function even as individual components go offline.
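The contact and financial layers described above amount to an overlap analysis: each domain is a node, each e-mail address, wallet or Telegram handle seen on two or more domains is an edge, and identifiers that appear once or come baked into a site template carry no weight. The Python below is an added example written for this page, not StealthMole's tooling, that runs that analysis with a union-find over constructed observations. The hostnames are the ones listed earlier in this post; the e-mail addresses, wallet strings and Telegram handle are placeholders invented for the example, not the masked identifiers from the investigation.

```python
"""Cluster onion storefronts by the contact and payment identifiers they reuse."""
from collections import defaultdict

# Constructed observations: (onion host, identifier kind, identifier value).
# Hosts are the ones named in the article; every other value is a placeholder.
OBSERVATIONS = [
    ("muwgjdxm2d4vokvnr6b5cede5qvdf73rydmx2vnhgmrxf7vgo3sptvad.onion", "email", "cartel-contact@example.com"),
    ("muwgjdxm2d4vokvnr6b5cede5qvdf73rydmx2vnhgmrxf7vgo3sptvad.onion", "btc", "bc1q-placeholder-wallet-1"),
    ("muwgjdxm2d4vokvnr6b5cede5qvdf73rydmx2vnhgmrxf7vgo3sptvad.onion", "email", "info@templatevendor.example"),
    ("muwgjd6dboihbq2ofzqkb36mqw2nh6332zy27532pwxjqgdrl66hnaad.onion", "email", "cartel-contact@example.com"),
    ("muwgjd6dboihbq2ofzqkb36mqw2nh6332zy27532pwxjqgdrl66hnaad.onion", "btc", "bc1q-placeholder-wallet-2"),
    ("td6zxeyev45v4fwhrfn27dhlqjcszm4rdavwy5mbp7xd5bnto6xzfiad.onion", "btc", "bc1q-placeholder-wallet-2"),
    ("td6zxeyev45v4fwhrfn27dhlqjcszm4rdavwy5mbp7xd5bnto6xzfiad.onion", "telegram", "@placeholder_store"),
    ("muwgjd2vpu33qyq4cf56brw7o3gfzlkwiqwcthmhpnr6sbbtjftxj7qd.onion", "telegram", "@placeholder_store"),
    ("muwgjd2vpu33qyq4cf56brw7o3gfzlkwiqwcthmhpnr6sbbtjftxj7qd.onion", "email", "buyer-one@example.com"),
    # An unrelated storefront (placeholder host) built from the same purchased template.
    ("unrelated-example-site.onion", "email", "info@templatevendor.example"),
    ("unrelated-example-site.onion", "btc", "bc1q-placeholder-wallet-9"),
]

# Contacts shipped inside a site template say nothing about the operator; drop them.
TEMPLATE_NOISE = {"info@templatevendor.example"}


def build_identifier_index(observations, noise=TEMPLATE_NOISE) -> dict:
    """Map each (kind, value) identifier to the set of hosts it was observed on."""
    index = defaultdict(set)
    for host, kind, value in observations:
        if value in noise:
            continue
        index[(kind, value)].add(host)
    return index


def linking_identifiers(observations, noise=TEMPLATE_NOISE) -> dict:
    """Identifiers seen on two or more hosts: the only ones that actually support a pivot."""
    index = build_identifier_index(observations, noise)
    return {ident: sorted(hosts) for ident, hosts in index.items() if len(hosts) >= 2}


def cluster_hosts(observations, noise=TEMPLATE_NOISE) -> list:
    """Union-find over hosts: two hosts join a cluster when they share a non-noise identifier."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for host, _, _ in observations:
        find(host)  # register every host, including ones that link to nothing
    for hosts in build_identifier_index(observations, noise).values():
        ordered = sorted(hosts)
        for other in ordered[1:]:
            union(ordered[0], other)
    groups = defaultdict(set)
    for host in parent:
        groups[find(host)].add(host)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


if __name__ == "__main__":
    for ident, hosts in linking_identifiers(OBSERVATIONS).items():
        print(f"{ident[0]:8} {ident[1]:30} links {len(hosts)} hosts")
    for i, cluster in enumerate(cluster_hosts(OBSERVATIONS), 1):
        print(f"cluster {i}: {cluster}")
```

Run as written, the four marketplace hosts fall into one cluster and the unrelated site stays on its own; remove the template exclusion (pass an empty `noise` set) and the unrelated site is pulled in through the shared template contact, which is exactly the false link the exclusion step above guards against. Single-occurrence identifiers such as the one-off buyer address never create an edge, so they can stay in the data set without distorting the result.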

External Promotion and Ecosystem Visibility

Up to this point, most of the investigation had been contained within the marketplace itself: its domains, its contact points, and its internal structure. But the picture became more complete when traces of the same operation started appearing outside of the onion environment.

One of the first indicators was a Telegram channel:

  • https://t.me/Dark******7

Unlike the previously identified Telegram account, which showed signs of direct interaction, this channel appeared to serve a different purpose. It functioned more like a broadcast layer: promoting the marketplace and advertising the same range of products observed across the onion domains, including drugs, firearms, cloned cards, and digital payment services.

The branding used within the channel closely matched what had already been seen elsewhere. The name “Dark Web Store” reappeared, along with similar messaging and category descriptions. It didn’t introduce new information, but it reinforced something important: the marketplace was not operating in isolation. It was actively maintaining visibility and reach beyond its core infrastructure.

This became even clearer when the same identifiers surfaced on an external forum thread on GhostHub. The post referenced:

  • The Telegram channel (Dark*****7)
  • An associated contact email following the same naming pattern
  • A related onion domain consistent with the previously identified infrastructure

The content of the thread aligned closely with what had already been observed: listings for substances such as Xanax and MDMA, along with the same promotional tone seen on the Telegram channel. It wasn’t just a mention; it was an extension of the same ecosystem.

What makes this layer significant is not the content itself, but the confirmation it provides. Until this point, the connections between domains, emails, and Telegram activity were internally consistent but still contained within the same investigative scope. The GhostHub reference adds an external dimension, showing that the same identifiers are being used publicly to promote and distribute access to the marketplace.

Operational Assessment

When all the pieces are viewed together, what emerges is not a large, highly structured marketplace, but something more fluid, an operation that relies on reuse, adaptability, and persistence rather than scale or sophistication.

The infrastructure tells that story first. Multiple onion domains appear over time, some going offline while others take their place. They share naming patterns, layouts, and even identical media assets, suggesting that new instances are not built from scratch but redeployed from existing components. This kind of setup doesn’t require advanced capability; it requires consistency.

The contact layer reinforces the same idea. Instead of a single, clearly defined identity, there is a cluster of emails built around repeating naming conventions, along with Telegram presence that shifts over time through username changes and channel activity. It’s not tightly controlled, but it’s not random either. It sits somewhere in between, structured enough to function, loose enough to remain flexible.

Financially, the use of multiple Bitcoin wallets follows a similar pattern. There is no single point of collection. Instead, wallets appear across different domains, suggesting rotation or distribution rather than centralization. Combined with the use of visual trust signals like the recurring PayPal screenshot, it points toward an operation that is trying to maintain credibility without investing heavily in more secure or complex systems.

There are also indicators of low operational maturity. The presence of external communication methods such as WhatsApp, broken or poorly rendered site elements, and reliance on template-based structures all suggest that this is not a high-tier marketplace competing with established platforms. It is more likely a smaller, independent operation, one that prioritizes speed and continuity over polish.

At the same time, the consistent overlap between “Dark Web Store” and “Cartel Market” suggests that this is not a one-off attempt. It appears to be an evolving setup, one that adapts when needed, reuses what works, and continues operating under different names when circumstances change.

Conclusion

What started as a single domain discovered during an unrelated investigation gradually unfolded into something much broader. The initial marketplace, seemingly standalone, revealed multiple layers of connection once examined closely. Additional onion domains, overlapping email patterns, reused media assets, and linked Telegram presence all pointed in the same direction: this was not an isolated setup.

The relationship between “Dark Web Store” and “Cartel Market” sits at the center of that finding. While not explicitly declared, the shared identifiers, infrastructure similarities, and consistent content strongly suggest continuity between the two. Rather than a new marketplace emerging independently, it appears more likely that the operation evolved, reusing existing components while shifting its outward identity.

At the same time, the structure of the ecosystem reflects a certain level of limitation. The reliance on template-based sites, external communication channels, and distributed wallets indicates an operation that is functional but not highly sophisticated. It does not resemble large, established marketplaces with layered security and vendor systems. Instead, it fits the pattern of a smaller, adaptable network that prioritizes persistence over complexity.

That balance, between continuity and simplicity, is what defines this case. The marketplace does not stand out because of scale or innovation, but because of how it maintains itself. Domains go offline, new ones appear, names change, but the underlying structure remains recognizable.

In the end, the investigation does not point to a single fixed entity, but to an evolving system, one that survives by reusing what works, adjusting what doesn’t, and continuing just beneath the surface.

Editorial Note

Investigations like this rarely offer clean or absolute answers. Attribution on the dark web is often built on patterns: reused infrastructure, recurring identifiers, and behavioral consistency, rather than definitive proof. What this case highlights is how easily operations can shift identities while maintaining continuity beneath the surface.

It also reflects how careful analysis, supported by StealthMole’s ability to connect fragmented data across domains, channels, and artifacts, can bring structure to what initially appears scattered and disconnected.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


From Eraleign (APT73) to BASHE: Uncovering the Evolution of a Ransomware Operation

At first glance, BASHE looks like just another ransomware leak site: dark web panels, countdown timers, and rows of victim data quietly sitting behind onion links. But a closer look tells a different story.

What initially appears as a standalone operation starts to unravel into something deeper. Familiar infrastructure patterns, reused communication channels, and subtle overlaps begin to point toward an earlier identity: one that operated under a completely different name. That trail leads to “APT73” and a lesser-known platform called Eraleign, hinting that BASHE may not be new at all, just reintroduced.

As the investigation progressed, what stood out wasn’t just the volume of leaked data or the number of mirror domains, but how deliberately everything was structured, from affiliate onboarding to communication channels and even internal messaging. It suggests planning, continuity, and a level of organization that doesn’t usually come with newly surfaced groups.

This report follows that thread, starting from a single BASHE domain and gradually uncovering the connections that reshape how this group should be understood.

Incident Trigger and Initial Investigation

This investigation began with a single entry.

While monitoring ransomware activity on StealthMole, a Saudi Arabia–based organization appeared on a BASHE-linked leak page:

  • http://bashe*******************hyd.onion/page_company*********5

At first, it looked routine: another victim page, another dataset at risk. But the presence of structured listings, dedicated URLs, and exposed data previews suggested something more active than a one-off post. It pointed to an operational leak site, not just a placeholder.

That raised a simple question: was this isolated or part of something larger?

To answer that, the investigation pivoted into StealthMole’s Ransomware Monitoring module. What initially seemed like a single incident quickly expanded into a much broader picture. BASHE was linked to 114 victims between April 2024 and April 2026, revealing a pattern of sustained activity rather than sporadic leaks.

As those entries were reviewed, another detail started to stand out. The victims weren’t concentrated in one region or industry. Instead, they were scattered across countries such as Saudi Arabia, the United States, Mexico, Serbia, Indonesia, and Ghana, and across sectors ranging from healthcare and insurance to construction and membership organizations.

It didn’t look targeted. It looked opportunistic, but consistent.

At that point, the focus shifted. BASHE was no longer just a name attached to a single victim page; it was an operation with reach, structure, and continuity. And that made one thing clear: to understand it properly, the investigation had to move beyond victims and into the infrastructure that was holding everything together.

Infrastructure Discovery and Leak Site Analysis

Following the shift in focus from victims to infrastructure, the investigation returned to the BASHE leak site itself, this time with a different objective: understanding how the operation was structured behind the scenes.

The primary entry point remained:

  • bashe**********************************************hyd.onion

At surface level, the site followed the familiar layout of a ransomware leak platform: victim listings, countdown timers, and segmented data disclosures. But as different sections of the panel were explored, it became clear that this wasn’t just a static leak board.

Multiple internal pages revealed how the operation was organized:

  • /contact_us.php - outlining communication channels and response expectations
  • /mirrors.php - providing alternative domains to maintain uninterrupted access
  • /how_to_buy_bitcoin.php - guiding victims through ransom payment methods
  • /affiliate/affiliate program EU.php - detailing how external actors could join the operation
  • /bug_bounty.php - encouraging vulnerability discovery and platform testing

Taken together, these sections pointed to a structured ecosystem rather than a simple leak site. The presence of an affiliate program, in particular, suggested a Ransomware-as-a-Service (RaaS)-like model, where external participants could contribute to operations in exchange for a share of the ransom.

Further analysis of the mirrors section expanded the infrastructure footprint significantly. In addition to the primary domain, nine active onion domains were identified, all following a consistent naming pattern and serving as alternative access points:

  • bashe***********************************************hyad.onion
  • bashe***********************************************kyqd.onion
  • bashe***********************************************77qd.onion
  • bashe***********************************************t3ad.onion
  • bashe***********************************************ofid.onion
  • bashe***********************************************fpid.onion
  • bashe***********************************************x4ad.onion
  • bashe***********************************************hzqd.onion
  • bashe***********************************************eayd.onion

This level of redundancy indicated an effort to ensure resilience against takedowns or access disruptions, something typically seen in more established operations.

As the infrastructure mapping expanded, additional details began to emerge. Contact points embedded within the platform, such as ba******m@onionmail.org and t********e@onionmail.org, along with a dedicated TOX ID and Telegram channels, provided further pivot points for investigation.

At this stage, BASHE no longer appeared as a single leak site, but as a coordinated environment with multiple layers: access points, communication channels, and onboarding mechanisms. And it was through these layers, particularly the external communication channels, that the investigation began to uncover connections that did not align with BASHE’s current branding.

Telegram Activity and Cross-Platform Promotion

With BASHE’s infrastructure mapped, the investigation shifted toward its external communication footprint, particularly Telegram, where ransomware groups often promote leaks, distribute links, and amplify visibility.

One of the identified BASHE mirror domains was used as a pivot point in StealthMole’s Telegram Tracker. This quickly surfaced multiple messages where the domain was being circulated, not in isolation, but as part of broader ransomware-related discussions.

  • bashe*****************************************ofid.onion

What stood out was where these mentions were coming from.

The domain appeared in messages associated with known ransomware ecosystems, including channels linked to LockBit 4.0 Group Communication and RaidForums | Discussion. In these messages, BASHE-associated links were shared alongside victim data descriptions and downloadable archives, suggesting that the group’s leak infrastructure was being actively promoted beyond its own controlled channels.

These weren’t original BASHE announcements. Many of the messages were forwarded posts, indicating that BASHE content was being redistributed across different Telegram communities, effectively extending its reach.

A similar pattern emerged when analyzing other BASHE-associated domains, such as:

  • bashe*****************************************zqd.onion

This domain, too, appeared in Telegram messages describing leaked datasets, again tied to victim organizations and accompanied by download links hosted on BASHE infrastructure.

As more messages were reviewed, it became clear that BASHE’s presence on Telegram wasn’t limited to a single official channel. Instead, its infrastructure was being circulated across multiple communities, sometimes directly, sometimes through forwards, blurring the line between original source and secondary distribution.

This pattern raised an important question: was BASHE simply being promoted by others, or was it more deeply embedded within these existing ransomware ecosystems?

Tracing the Previous Identity: APT73 and Eraleign

Telegram activity raised more than just questions about promotion; it introduced inconsistencies.

While pivoting on one of the BASHE-associated domains, a different naming pattern began to surface. Instead of BASHE, references started pointing toward “APT73”, a name that had not appeared anywhere on BASHE’s current leak site.

  • bashe*****************************************4ad.onion

Following this lead, StealthMole’s Darkweb Tracker was used to expand the search. This is where the first clear overlap emerged: a surface-accessible site tied to the same ecosystem.

  • http://era*******s.com

The site presented itself as a leak blog under the name Eraleign (APT73), featuring similar structural elements: victim listings, publication-style posts, and references to leaked datasets. The layout and content format closely resembled what had already been observed on BASHE’s onion-based leak site.

Further details reinforced the connection:

  • Email: apt73******p@onionmail.org
  • Telegram: https://t.me/apt*******l
  • Twitter: https://twitter.com/Apt73*******p

At this point, the investigation wasn’t dealing with coincidence; it was encountering continuity.

To validate this further, the Eraleign domain was run through the Telegram Tracker. The results showed that it had been circulated across multiple ransomware-related Telegram channels, much like BASHE domains. However, the links shared alongside it pointed to a different onion domain:

  • http://wn6vonooq6fggjdgyocp7bioykmfjket7sbp47cwhgubvowwd7ws5pyd.onion

This domain was explicitly referenced in Telegram messages as the APT73 leak site, with accompanying descriptions offering free access to leaked data and invitations to join the group.

Running this onion domain in StealthMole’s Darkweb Tracker brought everything together. The same communication channels, Telegram and Twitter, reappeared, matching those previously linked to Eraleign.

But the most telling detail came from historical Telegram data.

When the channel https://t.me/apt73******l was analyzed, it revealed that the account had undergone a transformation. Historical indexing showed that this was the same channel currently operating as BASHE TEAM, with changes in both username and title over time.

This wasn’t just an overlap. It was a rebrand.

What initially appeared as two separate entities, APT73 and BASHE, now pointed toward a single operation evolving over time, carrying forward its infrastructure, communication channels, and operational model under a new identity.
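The correlation walked through in this section, written up as an added example rather than StealthMole's own tooling: two observed identities are linked by reused contact identifiers (normalized so URL variants compare equal) and by a Telegram channel whose username/title history carries both brand names. Every value in the block is a constructed placeholder, since the report's own identifiers are masked; the `assess` verdict tiers are an assumption, not the report's scoring.

```python
# Added example (not StealthMole's tooling): link two observed identities via reused
# identifiers and Telegram channel rename history. All values are constructed placeholders.
import re

V3_ONION = re.compile(r"^[a-z2-7]{56}\.onion$")  # well-formed v3 hidden-service name

def normalize(kind, value):
    # Reduce an artifact to a comparable key: 'http://x.onion/mirrors.php' == 'x.onion'
    v = value.strip().lower()
    if kind in ("onion", "site"):
        v = re.sub(r"^https?://", "", v).split("/", 1)[0]
    elif kind == "telegram":
        v = re.sub(r"^(https?://)?t\.me/", "", v).lstrip("@")
    elif kind == "twitter":
        v = v.rsplit("/", 1)[-1].lstrip("@")
    return f"{kind}:{v}"

def malformed_onions(identity):
    # Masked or mistyped onion names cannot be pivoted on; flag them before linking.
    return [normalize(k, v) for k, v in identity
            if k == "onion" and not V3_ONION.match(normalize(k, v)[6:])]

def shared_artifacts(a, b):
    # Identifiers present in both identities after normalization.
    return sorted({normalize(k, v) for k, v in a} & {normalize(k, v) for k, v in b})

def rename_links(history, name_a, name_b):
    # history: {channel_id: [(date, username, title), ...]}. One channel id recorded
    # under both brands is a rename, not two separate channels.
    out = []
    for cid, rows in history.items():
        text = " ".join(f"{u} {t}" for _, u, t in rows).lower()
        if name_a.lower() in text and name_b.lower() in text:
            out.append(cid)
    return out

def assess(a, b, history, name_a, name_b):
    # Rename history outweighs a single reused identifier, which alone may be coincidence.
    shared, renamed = shared_artifacts(a, b), rename_links(history, name_a, name_b)
    verdict = ("continuity: rebrand of the same operation" if renamed and shared
               else "likely linked" if renamed or len(shared) >= 2
               else "weak link: single shared identifier" if shared else "no link found")
    return {"shared": shared, "renamed_channels": renamed, "verdict": verdict}

# Constructed stand-ins for the two identities (the report's own values are masked).
BASHE = [("onion", "http://bashe" + "x" * 50 + "d.onion/mirrors.php"),  # 56-char vanity name
         ("email", "bashe-contact@example.invalid"),
         ("telegram", "https://t.me/bashe_team_example"),
         ("twitter", "https://twitter.com/Apt73_example")]
APT73 = [("onion", "w" * 55 + "d.onion"),
         ("email", "apt73-contact@example.invalid"),
         ("telegram", "@apt73_example"),
         ("twitter", "https://twitter.com/apt73_example")]
CHANNEL_HISTORY = {"chan-1001": [("2024-03", "apt73_example", "APT73 Leaks"),
                                 ("2024-09", "bashe_team_example", "BASHE TEAM")]}
```

Calling `assess(BASHE, APT73, CHANNEL_HISTORY, "APT73", "BASHE")` returns the shared Twitter handle, the renamed channel id, and the rebrand verdict; a lone shared domain would only yield the weak-link tier.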

Operational Model and Ecosystem Structure

By this stage of the investigation, BASHE was no longer just a leak site with multiple access points or a group with a prior identity. What began to take shape instead was a structured operation with clearly defined roles, workflows, and monetization paths.

This became evident through sections of the leak site that went beyond victim listings. One of the most telling was the affiliate program, which outlined how external actors could participate in BASHE’s operations. The model followed a familiar structure: affiliates were responsible for gaining access to target networks and extracting data, while BASHE provided the infrastructure for hosting leaks, managing negotiations, and handling payments. The revenue split, favoring affiliates, suggested an effort to attract a steady pipeline of contributors rather than relying on a closed internal team.

The scope of activity wasn’t limited to encryption-based attacks. The platform described multiple approaches to monetization, including direct data extortion and the sale of stolen access or datasets. This flexibility pointed to an operation that adapts based on opportunity, rather than following a rigid attack pattern.

Another detail that stood out was the presence of a bug bounty page, an unusual feature in this context. It encouraged users to identify vulnerabilities within BASHE’s own infrastructure, including potential weaknesses in the leak site, communication channels, and underlying systems. While framed as a reward mechanism, it also reflected a level of caution and awareness around operational security.

These elements revealed an ecosystem rather than a single-function platform. BASHE appeared to operate as a coordinated environment where infrastructure, affiliates, and communication channels worked in parallel, supporting both the execution of attacks and the controlled release of stolen data.

At this point, the group’s activity was no longer defined solely by its victims or its past identity. Instead, it was the structure behind it, the way everything was organized and interconnected, that provided the clearest insight into how BASHE operates.

Conclusion

What began as a single victim entry led to something far more layered.

BASHE presents itself as a relatively recent ransomware operation, but the investigation shows that its roots extend beyond its current branding. The transition from Eraleign (APT73) to BASHE, supported by shared infrastructure and unchanged communication channels, points to continuity rather than emergence. This is not a new group; it is an existing operation adapting its identity.

At the same time, its current setup reflects a deliberate effort to scale. The combination of multiple mirror domains, structured leak infrastructure, and an affiliate-driven model suggests a system designed to sustain activity rather than operate in short bursts. Its presence across Telegram channels further extends its reach, allowing leaked data to circulate beyond its own controlled environment.

What stands out is not just the group’s activity, but how it positions itself. BASHE operates in a way that blends visibility with resilience, maintaining a public-facing leak presence while distributing its infrastructure and communication across multiple layers. This makes it harder to treat as a single point of failure and easier for the operation to persist, even under pressure.

In that sense, BASHE reflects a broader pattern within the ransomware landscape: groups are not disappearing; they are evolving, reshaping their identity while keeping the core of their operations intact.

Editorial Note

Investigations like this rarely offer clean, definitive answers. Attribution in the ransomware space is often shaped by fragments: shared infrastructure, reused channels, and patterns that only make sense when viewed together. What appears to be a new group can turn out to be a continuation, while what looks connected may sometimes be coincidence.

This case highlights how navigating that uncertainty requires careful correlation rather than assumptions. At the same time, it shows how StealthMole enables that process, by bringing together dark web, Telegram, and infrastructure-level insights in a way that allows those hidden connections to surface.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com

