Following the Money: Mapping KidBin's Cryptocurrency Infrastructure Across Darkweb

The dark web continues to host a wide range of illicit platforms that rely on anonymity, cryptocurrency, and closed communities to operate beyond the reach of traditional online services. Among the most persistent are subscription-based content platforms that monetize access through Bitcoin payments, often presenting themselves as exclusive repositories of restricted or prohibited material. While many of these sites appear isolated at first glance, their underlying infrastructure can reveal connections that are not immediately visible to visitors.

One such platform is KidBin, a subscription-based dark web service that advertises access to illicit content through cryptocurrency-funded accounts. Like many similar services, KidBin presents itself as a standalone platform with its own payment and access mechanisms. However, the infrastructure supporting these operations often extends beyond a single domain, creating opportunities to identify relationships that would otherwise remain hidden.

By examining cryptocurrency payment infrastructure associated with KidBin, this investigation uncovered a broader network of interconnected services spanning multiple dark web platforms. The findings demonstrate how following financial artifacts can expose operational overlaps, shared infrastructure, and potential links between platforms that appear unrelated on the surface.


Behind the KidBin Facade

The investigation began during an unrelated dark web inquiry when StealthMole identified an active onion service operating under the name KidBin:

  • kidsbin3**************************************7krtqd.onion

At first glance, the platform presented itself as an "AI-Powered Adult Content Hub", promoting features such as content recommendations, automated tagging, premium streaming, and social interaction. The site's branding suggested a modern subscription-based content platform rather than a traditional dark web forum or marketplace.

However, a review of historical snapshots indexed by StealthMole quickly revealed inconsistencies between the platform's public description and the content visible within archived pages. These observations raised concerns regarding the true nature of the service and prompted a closer examination of both the platform and its supporting infrastructure.

StealthMole's Dark Web Tracker confirmed that KidBin remained operational and exposed several accessible components of its ecosystem. In addition to the main landing page, indexed content revealed a functioning login portal, topic pages, account creation workflows, and user activation pages accessible through additional platform URLs.

Unlike many dark web communities that rely on invitations or administrator approval, KidBin appeared to support automated account generation. Registration pages created user credentials on demand and presented newly generated usernames and passwords to prospective users. Multiple snapshots showed users being instructed to complete a cryptocurrency payment before access would be activated.


Following the Money

The presence of automated account creation and cryptocurrency-based activation raised an important question: how was access to KidBin being monetized?

To answer this, the investigation shifted toward the platform's payment infrastructure. Using StealthMole's Dark Web Tracker, multiple Bitcoin addresses associated with KidBin's registration and activation workflows were identified. In total, sixteen Bitcoin wallets were linked to the platform:

  • bc1qu*********************************n3tq
  • bc1qz*********************************mmgd
  • bc1q4*********************************xyxu
  • bc1qt*********************************jag4
  • bc1q2*********************************ttw8
  • bc1q9*********************************w444
  • bc1qq*********************************2fwk
  • bc1q9*********************************mlns
  • bc1qz*********************************v0ac
  • bc1ql*********************************cvpr
  • bc1qt*********************************h2cm
  • bc1qc*********************************a59l
  • bc1q4*********************************5xc2
  • bc1qt*********************************vhhs
  • bc1qx*********************************slhl
  • bc1q5*********************************56zs

Initial blockchain analysis revealed that not all identified wallets had been used. Several addresses showed no recorded transactions, suggesting they may have been generated for prospective users who never completed the payment process. This observation aligned with the registration workflow observed during the investigation, where unique payment addresses appeared to be assigned during account creation.

Other wallets displayed a different pattern. The following addresses showed transaction activity consistent with user payments. Several of these wallets received relatively small deposits before funds were subsequently transferred elsewhere, suggesting they functioned as temporary receiving addresses rather than long-term storage wallets.

  • bc1q5****************************56zs
  • bc1q**************************************5xc2
  • bc1q***********************************vpr
  • bc1q***********************************yxu
  • bc1q***************************************mgd

The observed transaction patterns provided further evidence that KidBin was operating an active subscription-based payment model. More importantly, the wallets offered a new investigative pivot. Rather than focusing solely on the visible platform, each Bitcoin address could be used as a starting point for identifying additional infrastructure, services, and relationships hidden beyond the original onion domain.

What began as an examination of KidBin's payment system would soon reveal connections extending well beyond the platform itself.


Beyond KidBin: Following the Wallet Trail

The investigation expanded significantly once the Bitcoin wallets associated with KidBin were used as pivot points within StealthMole's Dark Web Tracker. While the wallets initially appeared to be part of a payment system supporting a single platform, further analysis revealed associations with several additional dark web services.

One of the earliest findings involved the wallet:

  • bc1q**************************nn3tq

StealthMole linked this wallet to multiple domains, including:

  • kidbin.qr.payserver**************************l5yayd.onion
  • loliporn.qr.payserver*********************isll5yayd.onion
  • aaolh6codj*******************************up5ibqd.onion (LoliPorn)
  • cheatgpt*****************************c46blid.onion (CheatGPT AI)

Further review of indexed snapshots revealed that the same Bitcoin address appeared directly on payment pages associated with both KidBin and CheatGPT AI. This finding was particularly significant because it represented direct wallet reuse rather than a simple infrastructure overlap. While the relationship between the two services could not be conclusively attributed to a common operator, the reuse of the same payment address strongly suggested shared financial infrastructure.

Additional pivots uncovered similar patterns. The wallet:

  • bc1qt2zk6************************jag4

was associated with:

  • pureyoun*********************************z52wgqd.onion (PureYoung)
  • pure.qr.payserver*********************************ll5yayd.onion

Like KidBin, PureYoung relied on Bitcoin-based access controls and dedicated payment workflows. The platform's payment process used QR codes and automated transaction-based account activation, mirroring operational characteristics observed elsewhere during the investigation.

The investigation also identified wallet:

  • bc1q2ke8***********************wttw8

on the registration and payment pages of:

  • darkweb************************************5xdad.onion

a service operating under the name "Dark Web Porn Official." StealthMole additionally associated this wallet with both LoliPorn and WormGPT-related infrastructure. Although the exact WormGPT page displaying the wallet could not be independently verified during the investigation, the association was repeatedly observed within StealthMole's indexed data.

Another wallet,

  • bc1q9*************************gemlns

was similarly linked to PureYoung, WormGPT, and infrastructure associated with LoliPorn. The recurrence of these associations across multiple wallets suggested that the observed relationships were not isolated incidents.

A particularly notable finding throughout the investigation was the repeated appearance of the following onion service:

  • payserver*************************5yayd.onion

The domain appeared in connection with multiple services through dedicated payment subdomains, including:

  • kidbin.qr.payserver...
  • pure.qr.payserver...
  • loliporn.qr.payserver...

Its continued presence across unrelated platforms suggests that it may serve as a common payment component within a broader ecosystem of dark web services.

Taken individually, each wallet association could potentially be explained by shared infrastructure or payment processing services. Viewed collectively, however, the findings revealed a recurring pattern of overlapping cryptocurrency infrastructure spanning multiple platforms, including KidBin, PureYoung, LoliPorn, Dark Web Porn Official, CheatGPT AI, and WormGPT. What began as an investigation into a single onion service had evolved into the mapping of a much larger network connected through shared financial artifacts.
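The two analytical steps used above, bucketing each identified wallet by its transaction pattern (never used, a temporary receiving address that forwards deposits, or an address that keeps funds) and then pivoting from addresses to the domains on which they appear so that sites sharing a wallet fall into one cluster, can be written as a short script. The following is an added example and is not StealthMole's code or the Dark Web Tracker's API; the ledger, the addresses and the domain names are constructed placeholders, and the 90 % "moved out" threshold that separates a pass-through wallet from a holding wallet is an assumption.

```python
"""Classify payment wallets by activity and pivot from wallets to domains.

Added example, not StealthMole's code and not the Dark Web Tracker API. The
ledger, addresses and domain names are constructed placeholders, and the
90 % "moved out" threshold for a pass-through wallet is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """One observed on-chain movement for an address; amount in BTC."""
    direction: str  # "in" (deposit) or "out" (withdrawal)
    amount: float


def classify_wallet(txs):
    """Bucket an address by its history.

    unused       : no transactions at all (generated at sign-up, never paid)
    pass-through : deposits arrived and at least 90 % was moved out again
    holding      : deposits arrived and mostly remain on the address
    """
    if not txs:
        return "unused"
    received = sum(t.amount for t in txs if t.direction == "in")
    sent = sum(t.amount for t in txs if t.direction == "out")
    if received > 0 and sent >= 0.9 * received:
        return "pass-through"
    return "holding"


class UnionFind:
    """Minimal disjoint-set structure for grouping domains."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_domains(sightings):
    """Group domains that share at least one payment address.

    sightings: iterable of (address, domain) pairs taken from indexed
    registration or payment pages. Returns (clusters, reused): clusters is
    a list of sorted domain lists joined by shared addresses; reused maps
    every address seen on more than one domain to those domains, which is
    the direct wallet-reuse signal rather than a mere infrastructure overlap.
    """
    by_addr = defaultdict(set)
    for addr, domain in sightings:
        by_addr[addr].add(domain)
    uf = UnionFind()
    for domains in by_addr.values():
        first = next(iter(domains))
        for d in domains:
            uf.union(first, d)
    groups = defaultdict(set)
    for domains in by_addr.values():
        for d in domains:
            groups[uf.find(d)].add(d)
    clusters = sorted(sorted(g) for g in groups.values())
    reused = {a: sorted(d) for a, d in by_addr.items() if len(d) > 1}
    return clusters, reused


# Constructed ledger: one never-used address, one that forwarded nearly all
# of a small deposit, one that kept its funds.
LEDGER = {
    "bc1qexample0001": [],
    "bc1qexample0002": [Tx("in", 0.0021), Tx("out", 0.0020)],
    "bc1qexample0003": [Tx("in", 0.0500)],
}

# Constructed sightings: which address appeared on which service's pages.
SIGHTINGS = [
    ("bc1qexample0001", "a-content.example"),
    ("bc1qexample0002", "a-content.example"),
    ("bc1qexample0002", "b-ai.example"),  # same address on a second site
    ("bc1qexample0004", "c-content.example"),
    ("bc1qexample0004", "d-payserver.example"),
    ("bc1qexample0005", "e-other.example"),
]

if __name__ == "__main__":
    for addr, txs in LEDGER.items():
        print(addr, classify_wallet(txs))
    clusters, reused = cluster_domains(SIGHTINGS)
    print("clusters:", clusters)
    print("direct reuse:", reused)
```

The clustering is transitive on purpose: two content sites that never share an address directly still land in one cluster if each shares one with a common payment host, which is the pattern the shared PayServer subdomains show. The `reused` map is the stronger signal, because it records the same address on two services' own pages rather than an indirect link.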


The AI Connection

One of the more unexpected findings to emerge from the investigation was the recurring presence of AI-themed services within the same ecosystem of cryptocurrency infrastructure.

The initial point of discovery, KidBin, marketed itself as an "AI-Powered Adult Content Hub", claiming to offer features such as automated content tagging, recommendations, and enhanced user experiences. While the investigation did not seek to verify the platform's AI capabilities, the use of AI-focused branding was notable given the nature of the service and the content observed within archived snapshots.

As the investigation expanded through cryptocurrency wallet analysis, additional AI-related platforms began to surface. Wallet associations identified through StealthMole linked portions of the investigated infrastructure to both CheatGPT AI and WormGPT, services commonly marketed as unrestricted alternatives to mainstream generative AI platforms. Unlike publicly available AI tools that implement safeguards and content restrictions, these services are typically advertised within underground communities as offering fewer limitations and greater anonymity.

Although the exact relationship between these platforms could not be conclusively established, their appearance alongside content-driven services such as KidBin, PureYoung, and LoliPorn highlights an emerging trend within the dark web ecosystem. Operators are increasingly incorporating AI branding, AI-powered features, or dedicated AI services into existing underground business models, either as standalone offerings or as part of a broader service portfolio.

The findings observed during this investigation suggest that AI is no longer confined to traditional cybercrime-focused communities. Instead, AI-themed services are increasingly appearing alongside other forms of illicit infrastructure, creating new intersections between emerging technologies and established underground economies.


Conclusion

What began as the examination of a single dark web platform ultimately revealed a much broader network of interconnected services linked through shared cryptocurrency infrastructure.

The investigation initially focused on KidBin, a platform that publicly presented itself as an AI-powered content service while operating a Bitcoin-based access model supported by automated account generation and payment workflows. Analysis of the platform's cryptocurrency infrastructure uncovered multiple Bitcoin wallets associated with user registration and activation processes, providing an opportunity to move beyond the visible website and examine the infrastructure supporting its operations.

By tracing these wallets through StealthMole's Dark Web Tracker, the investigation identified associations extending beyond KidBin itself. Multiple wallets were linked to additional services including PureYoung, LoliPorn, Dark Web Porn Official, CheatGPT AI, and WormGPT, while recurring references to the PayServer infrastructure suggested the presence of overlapping payment components used across multiple platforms.

Although the available evidence does not conclusively establish common ownership between the identified services, the repeated appearance of shared wallets, payment mechanisms, and supporting infrastructure demonstrates that cryptocurrency artifacts can expose relationships that are not immediately visible through content analysis alone. These findings illustrate how financial infrastructure can serve as a critical investigative pivot for uncovering connections between otherwise separate dark web operations.

Ultimately, the investigation demonstrates how a single cryptocurrency trail can expand the scope of an inquiry far beyond its original target, revealing a wider ecosystem of services connected through shared financial infrastructure and operational overlap.


Editorial Note

Dark web investigations rarely follow a predictable path. What begins as the analysis of a single platform can quickly expand into a much larger network of infrastructure, services, and relationships that are not immediately visible on the surface.

This investigation highlights the importance of following financial artifacts as investigative pivots and demonstrates how StealthMole can help uncover hidden relationships across complex dark web ecosystems, enabling analysts to move beyond isolated findings and develop a broader understanding of the infrastructure supporting illicit activity.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


Beyond the Leak Blog: Investigating Nova’s Affiliate Network, Infrastructure, and Operations

Ransomware groups often leave behind more than victim names. Hidden behind leak sites and extortion notices is an ecosystem of infrastructure, communication channels, and services that keep the operation running long after a victim is posted online.

This investigation began while monitoring newly indexed ransomware activity through StealthMole. A recent victim listing attributed to NOVA drew attention to a group that, despite claiming more than a hundred victims, had received relatively little attention compared to many of its peers. Initial examination suggested NOVA was not an entirely new operation. Traces of an earlier identity appeared to remain scattered across the dark web, raising questions about how the group had evolved and what its infrastructure looked like behind the scenes.

Following those traces on StealthMole led far beyond the group's public leak site. What started as an effort to understand a ransomware operation gradually revealed a much broader network of interconnected services, recruitment activity, communication channels, and operational resources. Piece by piece, these discoveries provided a rare opportunity to examine how NOVA presents itself to affiliates, maintains its presence across underground communities, and supports the operation from within.

Incident Trigger and Initial Investigation

The investigation began on 2 June 2026 during routine monitoring of StealthMole's Ransomware Monitoring module. A newly indexed victim entry attributed to NOVA was identified on the group's dark web leak site. The listing named a France-based company operating in the rubber and plastics sector.

At first glance, the incident appeared to be a typical ransomware disclosure. However, further examination of the listing revealed that it was published through an active NOVA leak portal hosted at:

  • nova*******************************************zyyd.onion

To better understand the scale of the operation behind the claim, the NOVA identifier was investigated through StealthMole's Ransomware Monitoring module. The results showed that the group had been associated with 122 victim listings between March 2025 and June 2026, indicating that this latest incident was part of a much broader campaign rather than an isolated event.

Additional analysis through StealthMole's Government Monitoring module identified six government-related victim listings between May 2025 and May 2026. The affected entities included organizations such as Badan Pangan Nasional, SECONT Secretaria de Controle e Transparência, and Pemerintah Kabupaten Bojonegoro, demonstrating that the group's targeting extended beyond private-sector organizations.

The volume of observed victims, combined with the presence of dedicated dark web infrastructure, suggested that NOVA was operating a mature ransomware ecosystem. This prompted a deeper investigation into the infrastructure, services, and operational resources supporting the group.

Tracing NOVA's Infrastructure

To better understand the operation behind the growing number of victim disclosures, the investigation shifted from victim monitoring to infrastructure analysis. Using StealthMole's Darkweb Tracker, the investigation took the NOVA leak site as its starting point for identifying related services and historical infrastructure:

  • nova********************************************zyyd.onion

The initial search uncovered several additional onion services associated with NOVA. While some of these domains remained active, others appeared to have been retired or replaced over time, suggesting that the group routinely maintained and rotated portions of its infrastructure.

  • novamojnnc7n7brrnflr7evyrho2e5ynskicrjxuvhn5r6jjlxyjj4ad.onion
  • rhhoh6nrrv25ks3adu3lgv3amkarj5xr2vrgau6bngeoa4dfusypaoqd.onion
  • dcwrvp2r3omemjirpwlvaaunbkfebf46cw6mmeoh2mzpvo7k2fdkatid.onion
  • novaf***********************************************nqid.onion
  • pifk3**********************************************pdnyd.onion
  • novak**********************************************tatqd.onion
  • logom**********************************************sajid.onion

Several of these domains appeared to serve dedicated operational functions. For example, nova***************tatqd.onion was identified as NOVA's "Department of Support", while pifk3*************dnyd.onion was associated with "Nova Clouds". Another domain, novaf**********************nqid.onion, hosted an "AI-Assist Agent" portal.

The presence of these services suggested that NOVA maintained infrastructure beyond a traditional leak site and raised questions about how the operation supported affiliates and managed day-to-day activities.

Inside NOVA's Affiliate Ecosystem

The discovery of NOVA's support and service infrastructure raised a key question: who were these resources built for?

To answer that question, the investigation shifted toward underground forums where ransomware operators commonly recruit affiliates, advertise services, and manage business relationships. This led to the discovery of multiple NOVA-related recruitment threads across several dark web communities.

One of the earliest findings was a thread titled "Nova 2.0 (Premium Program) | Katana Version | Ransomware as a Service" posted by the user ForLord on Darknet Army (DNA Forums). The advertisement described NOVA as a ransomware-as-a-service operation supporting Windows, Linux, NAS, FreeBSD, ESXi, and ARM-based systems. It also outlined a structured affiliate model in which participants were offered an 80/20 revenue split, increasing to 85/15 after five months and 90/10 after one year. Premium partners were promised a 95/5 split.

  • http://darknet*********6yd.onion/threads/nova-2***********7

The thread provided one of the first indications that NOVA was operating as a structured service rather than a standalone ransomware group. Beyond the ransomware payload itself, affiliates were promised access to victim communication systems, support services, management tools, statistics dashboards, cryptocurrency payment management, and additional operational resources.

Further investigation uncovered another thread posted by ForLord titled "APIPN (Access-Provide-Investment-Nova Program)". Unlike traditional affiliate recruitment, this program focused on acquiring access to corporate environments. The advertisement specifically sought Citrix, Fortinet SSL VPN, SonicWall, RDWeb, RDP, SSH, Cisco, and VMware access, indicating that NOVA maintained a dedicated mechanism for sourcing potential intrusion opportunities.

  • http://darknet******apipn-access******nova**********36/

The same thread introduced a Session identifier:

  • 054f55ec*******************************************529c79

The affiliate ecosystem extended beyond recruitment. NOVA's infrastructure revealed a dedicated ticketing system that allowed users to submit support requests, manage cases, assign priorities, upload files, and communicate with administrators. Additional portals such as "Department of Support", "Nova Clouds", and the "AI-Assist Agent" suggested that NOVA had invested in building supporting services intended to assist affiliates throughout different stages of an operation.

Another notable discovery was NOVA's apparent interest in media engagement. On the RAMP4U forum, a user operating under the NOVA name published a thread seeking journalists and proposing information-sharing arrangements. The post claimed that organizations often concealed cyber incidents from customers and suggested that NOVA was interested in working with media contacts to distribute information about attacks and data leaks.

  • https://ramp4u******looking-for-journalists***********3807

Collectively, these findings painted a picture of an operation that functioned less like a conventional ransomware crew and more like a service platform designed to attract, support, and retain affiliates through dedicated infrastructure and operational resources.

Following the Trail to RALord

While reviewing NOVA's recruitment activity, several recurring identifiers began appearing across multiple forum posts. Among them was the Session identifier:

  • 054f55e*********************************************529c79

as well as the TOX ID:

  • 8E9A619**********************************************51BE6A51F

Both artifacts appeared repeatedly across NOVA-related recruitment threads, affiliate advertisements, and operational discussions. To determine whether these identifiers were linked to additional infrastructure, the TOX ID was investigated through StealthMole's Darkweb Tracker.

The search produced two previously unidentified onion domains:

  • ralord3htj7v2dkavss2hjzviviwgsf4anfdnihn5qcjl6eb5if3cuqd.onion
  • ralordt7gywtkkkkq2suldao6mpibsb7cpjvdfezpzwgltyj2laiuuid.onion

Unlike the NOVA-branded services discovered earlier, both domains prominently referenced the RALord name. Examination of the portals revealed notices informing visitors that the operation was no longer operating under the RALord brand. One notice stated that the group's business name had been changed to NOVA and directed users toward replacement infrastructure.

The migration notice also referenced several NOVA-branded services, including:

  • novav75*********************************************yqyd.onion
  • novavag*********************************************7cad.onion
  • novavdi*********************************************czqd.onion

The presence of these links suggested that existing victims and affiliates were being redirected from legacy RALord infrastructure to newly established NOVA services.

Further investigation uncovered another NOVA-related domain:

  • nova4oxpwwkuah7mayn62kp2sg3venrl3qwmhm3jcan47c22m6l4apad.onion

The service was identified as a login portal titled "Nova Panel | Login", providing additional evidence that the transition involved not only public-facing branding but also operational infrastructure used by the group.

These findings established a direct infrastructure link between RALord and NOVA. Rather than relying solely on external reporting or forum claims, the relationship could be observed through the group's own migration notices, shared infrastructure, and interconnected services discovered during the investigation.

Mapping NOVA's Operational Infrastructure

The discovery of the RALord migration notice raised another question: how extensive was NOVA's infrastructure beyond the domains already identified?

To answer this, additional pivots were performed on NOVA-related infrastructure through StealthMole's Darkweb Tracker. The results revealed a significantly larger ecosystem consisting of dedicated communication portals, management panels, and leak platforms.

Several domains appeared to function as communication portals or negotiation environments:

  • chat64z5v4pblqo7qk4jtg2i3ukdyvjjavfyh4jnsftqer4juwnekwid.onion
  • novafxmwxv53u3qbfaljahls5yrvpxqckhsh6bjbsj3wgo3fltreyuid.onion
  • noval3kb6snxuofmqmw2we3cvzci2tfknurgxi7gdyet55xh6zhno5id.onion
  • novaeogps7purkdhxmaymmnanqiwtqf3r3iu3we4khkzwegkoefbxnyd.onion
  • vctmkrlntkd4fx2h5rk5lyyg6fzar2u4626gy6ywszgca74utzphkjqd.onion
  • novatd4577pzlvdyy42slydhrhru7fpcflbbxlajcmbfrgzyeis6d3id.onion

In parallel, multiple domains were identified as panel infrastructure:

  • raaskpzmkcoraswmzotjkzplq3aw6mcbogvd5uzbgsnhqb7az3ax2qid.onion
  • novazzitmugtbjwuttc5hhsemkmvwh3iyt27oeeunu5mkw62qpfeykid.onion
  • nova25eabfdep76t52dt34n2qdrhrn7vxuaeitcy5x2ovxnut767bwid.onion
  • npnlc7i2mxnngj6angcj5pwesbaapksstqqez2qmtgmimezcpo4haryd.onion
  • nova5cr2op6uo73korzmzkvil2btj3erjaujwtbbvtpko3yx7ivq3myd.onion

The investigation also identified several domains dedicated to leak publication and public-facing content:

  • vctmy3tytuah2offux4bixzunh53pnepsnsrr2hly6blpgiewqodnzad.onion
  • leak7y2247fj7dbb35rpfyxuyaqtwbshiwxp6h35ttzlhrxmhvi4fead.onion
  • novaoddh3vxylxqpsfdjprliknbzgbkv6nkazpzu3cvykrgpyzuywryd.onion
  • novag4k2te3mstt2xq5irywlpaw6edgkpiwgg4t2q7eecisj2qqtvbid.onion
  • novaxtychr6ohlc4zr5its73p6i7unpuhpwoodtzrg2y4w4seytatlid.onion
  • novad**********************************************uzyyd.onion

Rather than relying on a single portal, NOVA appeared to separate operational functions across multiple services. The infrastructure identified during the investigation suggests a deliberate division between public-facing leak resources, communication environments, and management systems. Such separation can provide operational flexibility, allow individual services to be replaced when necessary, and reduce reliance on any single domain.

The growing number of interconnected domains also reinforced a pattern observed throughout the investigation: NOVA was operating an ecosystem of services rather than a standalone leak site. Each newly discovered portal contributed another piece to a broader infrastructure designed to support the group's ongoing operations.

Identifying Communication and Financial Infrastructure

As the investigation expanded across recruitment posts, affiliate resources, and infrastructure portals, several recurring identifiers emerged that helped connect different parts of the NOVA ecosystem.

Among the most frequently observed artifacts was the Session identifier:

  • 054f55********************************************29f9529c79

The identifier appeared across multiple NOVA-related recruitment posts and operational resources, making it one of the most consistent artifacts identified during the investigation.

Another recurring communication artifact was the TOX ID:

  • 8E9A619********************************************1F

The identifier appeared in both recruitment and infrastructure-related discoveries and ultimately served as a pivot point leading to legacy RALord infrastructure.

Additional communication artifacts included two PGP key fingerprints associated with NOVA-branded identities:

  • 59742**************************220

Associated email:

  • no***********1@onionmail.org

and

  • 27AC**************************A5A

Associated email:

  • nova@ra********.onion

The repeated appearance of these communication channels across NOVA-related resources suggests that they were intended to facilitate interaction between the operation and its affiliates, partners, or victims.

The investigation also identified cryptocurrency payment addresses advertised within NOVA infrastructure.

Bitcoin:

  • 1D1T********************ehY

The wallet was identified through NOVA infrastructure and subsequently investigated using StealthMole's Crypto Tracker.

StealthMole associated the address with a FixFloat user wallet, revealing a transaction path involving:

  • bc1qn************************qfw

Further examination of blockchain activity showed that the wallet received and sent approximately 0.0207 BTC between June and July 2025. Transaction activity consisted of multiple small deposits and withdrawals rather than a single large transfer, suggesting routine operational use rather than long-term storage. At the time of analysis, the wallet maintained a negligible remaining balance, indicating that funds were regularly moved out after receipt.

Ethereum:

  • 0x7d8***********************5e26

StealthMole's Crypto Tracker identified transactional relationships between the address and infrastructure associated with Kraken Exchange.

Blockchain analysis revealed a single inbound transaction of:

  • 0.000185229575715313 ETH

originating from:

  • 0xD028******************************DAf

The wallet contained no significant accumulated balance and showed limited observable activity. While the transaction volume was minimal, the association with exchange-linked infrastructure provided an additional data point connecting NOVA-related payment infrastructure to external cryptocurrency services.

Monero:

  • 45E8RxB*********************************************FbuMh

While these observations do not establish ownership of exchange accounts, they demonstrate that the identified wallets were active and interacting with external cryptocurrency services.

Overall, these artifacts provided another layer of visibility into NOVA's operations. Beyond domains and recruitment activity, the investigation uncovered a collection of communication channels and financial identifiers that repeatedly surfaced throughout the group's infrastructure and affiliate ecosystem.
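The pivot described in this section and in "Following the Trail to RALord", where a Session identifier and a TOX ID recur across recruitment posts and the TOX ID leads on to legacy infrastructure, comes down to extracting identifiers from indexed text, validating their format, and indexing which sources each one appears in. The script below is an added example and is not StealthMole's code; every post, address and identifier in it is a constructed placeholder, and the source names are stand-ins for forum threads and onion portals. The one piece of real format logic it relies on is the TOX ID checksum (the final two bytes are the byte-pair XOR of the preceding 36), which discards truncated or mangled hits that merely look like a TOX ID.

```python
"""Extract and pivot on recurring contact and payment identifiers.

Added example, not StealthMole's code. Every post and identifier below is a
constructed placeholder; only the identifier formats follow the real specs
(Session ID: 33 bytes hex with 0x05 prefix; TOX ID: 32-byte key + 4-byte
nospam + 2-byte XOR checksum; PGP v4 fingerprint: 20 bytes hex; Bitcoin
bech32/base58; Ethereum 0x + 20 bytes hex; Monero base58, 95 chars).
"""
import re
from collections import defaultdict

PATTERNS = {
    "session": re.compile(r"\b05[0-9a-fA-F]{64}\b"),
    "tox": re.compile(r"\b[0-9A-Fa-f]{76}\b"),
    "pgp": re.compile(r"\b[0-9A-Fa-f]{40}\b"),
    "btc": re.compile(
        r"\b(?:bc1[02-9ac-hj-np-z]{25,87}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"
    ),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "xmr": re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b"),
}


def tox_checksum_ok(tox_id):
    """Validate a TOX ID: the last 2 bytes must equal the byte-pair XOR of
    the first 36 (public key + nospam)."""
    raw = bytes.fromhex(tox_id)
    if len(raw) != 38:
        return False
    chk = bytearray(2)
    for i, b in enumerate(raw[:36]):
        chk[i % 2] ^= b
    return bytes(chk) == raw[36:]


def extract(text):
    """Return {kind: set(values)} for every identifier kind found in text.
    TOX hits that fail the checksum are dropped."""
    found = {}
    for kind, pat in PATTERNS.items():
        hits = set(pat.findall(text))
        if kind == "tox":
            hits = {h for h in hits if tox_checksum_ok(h)}
        if hits:
            found[kind] = hits
    return found


def build_pivot_index(sources):
    """Map each (kind, value) to the sorted list of source names it appears in."""
    index = defaultdict(set)
    for name, text in sources.items():
        for kind, values in extract(text).items():
            for v in values:
                index[(kind, v)].add(name)
    return {k: sorted(v) for k, v in index.items()}


def recurring(index):
    """Identifiers seen in more than one source: the pivots worth chasing."""
    return {k: v for k, v in index.items() if len(v) > 1}


# --- constructed sample data (placeholders, not the page's identifiers) ---
SESSION_ID = "05" + "ab" * 32
# key bytes 0x01..0x20, nospam DEADBEEF, checksum 6062 (byte-pair XOR)
TOX_ID = (bytes(range(1, 33)) + bytes.fromhex("DEADBEEF")).hex().upper() + "6062"
PGP_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
BTC_ADDR = "bc1qxamplexamplexamplexamplexample"
ETH_ADDR = "0x" + "ab" * 20
XMR_ADDR = "4" + "ABCDEFGHJK" * 9 + "ABCD"

POSTS = {
    "forum-post-1": f"Premium program. Contact: Session {SESSION_ID} or TOX {TOX_ID}. Pay to {BTC_ADDR}.",
    "forum-post-2": f"Access program. TOX {TOX_ID}. PGP fingerprint {PGP_FPR}.",
    "legacy-portal": f"Business name changed. Session {SESSION_ID}. ETH {ETH_ADDR} XMR {XMR_ADDR}.",
}

if __name__ == "__main__":
    for key, where in sorted(recurring(build_pivot_index(POSTS)).items()):
        print(key[0], key[1][:12] + "...", "->", ", ".join(where))
```

Running it lists the Session ID and TOX ID as the two artifacts bridging more than one source, which is exactly the kind of hit that justified pivoting the TOX ID through the tracker. The word-boundary anchors keep the 40-hex PGP pattern from firing inside an Ethereum address or a longer hex blob, and the checksum step is what separates a real TOX ID from any 76-character hex string.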

Conclusion

What began with a single victim listing ultimately revealed a much broader ransomware ecosystem operating behind the NOVA name. Through a combination of ransomware monitoring, infrastructure analysis, dark web tracking, and cryptocurrency investigation, it was possible to move beyond public victim disclosures and examine the operation from the inside out.

The investigation identified an operation that had accumulated more than one hundred victim listings while maintaining a diverse collection of supporting infrastructure. Dedicated leak portals, communication services, management panels, support resources, cryptocurrency payment channels, and affiliate-facing services all pointed toward an organized ransomware-as-a-service model rather than an isolated threat actor.

Analysis of historical infrastructure further revealed a direct connection between NOVA and the earlier RALord branding. Migration notices discovered on legacy onion services provided evidence of a transition between the two identities and offered insight into how the operation evolved over time.

Perhaps most notably, the investigation exposed elements of NOVA's affiliate ecosystem that are rarely visible through victim disclosures alone. Recruitment campaigns, access acquisition initiatives, support resources, and operational tooling demonstrated how the group sought to attract and retain participants while expanding its reach across underground communities.

These findings show that NOVA's presence extends well beyond its public leak site. The operation appears to function as a structured ecosystem supported by dedicated infrastructure, communication channels, and affiliate services that enable its continued activity across the ransomware landscape.

Editorial Note

Investigations involving ransomware groups are rarely straightforward. Infrastructure changes, rebranding efforts, and fragmented digital footprints often make it difficult to understand how an operation truly functions behind the scenes.

This case highlights how StealthMole's ability to connect data across ransomware monitoring, dark web infrastructure, underground forums, and cryptocurrency activity can help uncover relationships that may otherwise remain hidden, while recognizing that attribution and assessment are always subject to the limits of the available evidence.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


From Lucky 47 to Luhansk Counter Kiev Partisans (Luckp 47): Mapping the Infrastructure Behind a Weapons Marketplace

The dark web has long provided space for anonymous marketplaces selling weapons, forged documents, hacking services, and other illicit goods. But over the past few years, especially amid ongoing geopolitical conflicts, some of these platforms have started evolving beyond simple criminal storefronts. Instead of remaining hidden in the background, certain marketplaces now attempt to build recognizable identities through aggressive branding, ideological messaging, and carefully curated narratives designed to attract attention within underground communities.

During routine monitoring of weapons-related activity, StealthMole identified a marketplace operating through the Tor network under the name “Luckp 47 Shop.” At first glance, the platform appeared to be another weapons-focused onion service circulating within dark web ecosystems. However, several elements surrounding the marketplace, including its branding style, external references, and connected infrastructure, suggested there was a larger story behind the operation.

What followed was a broader investigation that moved far beyond a single onion domain. By tracing related infrastructure and examining references across underground platforms and Telegram-based communities, the investigation gradually exposed a wider ecosystem of interconnected services, wartime imagery, and overlapping narratives tied to the Luckp 47 operation. Rather than functioning as an isolated marketplace, the platform appeared embedded within a much broader underground environment shaped by conflict-driven themes and anonymous cross-platform promotion.

Incident Trigger and Initial Investigation

The investigation began while examining unrelated dark web infrastructure through StealthMole, during which an onion domain was identified. Although the marketplace was inactive at the time of access, archived snapshots preserved through StealthMole provided a clear view of the platform’s structure, branding, and operational claims.

  • luckp47hkr3te6v6uigtfma4jn5sdmjgsvy3kuf3hbg6uxm5bpti2tyd.onion

The marketplace operated under the name “Luckp 47 Shop” and presented itself as a weapons-focused storefront offering military-style firearms, launchers, suppressors, ammunition, grenades, and tactical accessories. Listings observed on the platform included RPG-series launchers, rifle optics, ammunition packages, and other combat-related equipment, with product pricing displayed in Euros. The site also claimed worldwide shipping capabilities and instructed buyers to provide delivery coordinates during the ordering process.

Additional details on the homepage suggested the operators were attempting to project legitimacy and operational reach. The marketplace claimed that inventory was stored within the European Union and promoted multilingual support in English, German, and Russian. Payment instructions directed users toward cryptocurrency transactions, primarily Bitcoin, and included a publicly visible BTC wallet alongside QR-based payment guidance.

While the storefront itself was already notable, several visual and operational details immediately stood out during the initial review. Product photographs across the marketplace contained handwritten “Lucky 47 Shop” markings, seemingly intended to reinforce authenticity or marketplace identity. At the same time, the platform’s design, terminology, and overall presentation differed noticeably from many low-effort darknet weapon listings commonly observed across Tor-based marketplaces.

Financial Infrastructure Linked to the Primary Luckp 47 Domain

Following the initial review of the Luckp 47 marketplace, the investigation shifted toward identifying additional infrastructure connected to the primary onion service:

  • luckp47hkr3te6v6uigtfma4jn5sdmjgsvy3kuf3hbg6uxm5bpti2tyd.onion

Using StealthMole’s Darkweb Tracker, the domain was found to be associated with multiple Bitcoin wallets beyond the single address publicly displayed on the marketplace homepage. In total, ten BTC wallets were linked to the domain:

  • bc1************************************xgd
  • bc1************************************xyg
  • bc1************************************g4h
  • bc1************************************hql
  • bc1************************************hca
  • bc1************************************fzf
  • bc1************************************uhu
  • bc1************************************lvs
  • bc1************************************ehw
  • bc1************************************03j

One of these wallets, bc1**********************03j, matched the Bitcoin address publicly visible within the marketplace payment instructions, helping validate the association between the domain and the identified wallet cluster.

Interestingly, several of the wallets showed no publicly observable transaction activity at the time of analysis. While inactive wallets alone do not confirm whether the marketplace was fully operational, the presence of multiple associated addresses suggested that the platform may have relied on rotating or pre-generated cryptocurrency wallets rather than a single static payment address.

Beyond the financial infrastructure, archived marketplace images also revealed repeated use of handwritten “Lucky 47 Shop” markings placed directly onto firearm photographs featured within the storefront. Although such imagery does not independently confirm ownership of the weapons displayed, the repeated branding suggested an effort to establish marketplace identity and visual consistency across the platform’s listings.

Expanding the Investigation Through Contact Infrastructure

After documenting the wallet infrastructure tied to the primary Luckp 47 domain, the investigation shifted toward the marketplace’s publicly listed contact information. The homepage of the original onion service referenced the email address:

  • l*****7@b****mail.net

When the address was pivoted through StealthMole, the investigation rapidly expanded beyond the original storefront. Multiple additional onion domains were identified as being associated with the same contact infrastructure, including both active and inactive marketplace deployments.

The following domains were linked to the email address during the investigation:

  • luckp47s6xhz26rn.onion
  • luckp4k5jzwsofw6dulfvmc5clj75ww2ysgcwvj7yfunnc2i7terp4qd.onion
  • luckp4z2byqzvsweqzrtlkffob7wxhdnmcno7tv7wxrnuik5euje4cqd.onion
  • luckp***********************************************igyd.onion
  • 27b**************************************************ryd.onion
  • 27b**************************************************6id.onion

Although the domains did not all use identical branding, several shared noticeable similarities in structure and presentation. Archived snapshots revealed overlapping product categories, reused weapon imagery, similar payment instructions, and repeated marketplace layouts across multiple storefronts. Some domains continued operating under the “Luckp 47 Shop” identity, while others appeared under the name “Freedom Shop.”

The “Freedom Shop” marketplaces were particularly notable because, despite the branding differences, they displayed strong visual and operational overlap with earlier Luckp-related infrastructure. Similar storefront structures, repeated product imagery, and connected cryptocurrency infrastructure suggested that the domains were likely part of a broader interconnected marketplace ecosystem rather than unrelated standalone sites.

The investigation also revealed signs of long-term infrastructure persistence. Older domains used shorter legacy Tor v2 onion addresses, while newer deployments transitioned toward modern v3 onion services. This gradual migration indicated that the infrastructure was repeatedly redeployed and maintained over time rather than abandoned after a single operational period.

Marketplace Evolution and Operational Patterns

As the investigation expanded across the newly identified domains, a recurring operational pattern began to emerge. Several Luckp- and Freedom-related onion services contained large clusters of associated Bitcoin wallets, many of which showed no publicly observable transaction activity. This behavior appeared repeatedly across different marketplace deployments and suggested that the infrastructure relied on rotating or pre-generated wallet pools rather than a single long-term payment address.

For example, the domain:

  • 27bpw*********************************xryd.onion

was associated with ten additional BTC wallets. However, analysis of those wallets showed no recorded transaction activity.

  • bc1************************************w4j
  • bc1************************************hmn
  • bc1************************************4s2
  • bc1************************************x87
  • bc1************************************k2w
  • bc1************************************rrk
  • bc1************************************ese
  • bc1************************************uur
  • bc1************************************g5n
  • bc1************************************3jn

Similar inactive wallet clusters later appeared across multiple other Luckp-related domains, including:

  • luckp42********************************************xigyd.onion
  • luckp4z2byqzvsweqzrtlkffob7wxhdnmcno7tv7wxrnuik5euje4cqd.onion
  • luckp4k5jzwsofw6dulfvmc5clj75ww2ysgcwvj7yfunnc2i7terp4qd.onion

While many of these wallets remained inactive, other parts of the infrastructure displayed clearer signs of operational use. One of the more significant findings emerged from the domain:

  • 27bpwhs**************************************66id.onion

where the following Bitcoin wallet showed observable transaction activity over time:

  • 1KpBj*******************9gz

Further investigation revealed that the same wallet also appeared on a separate underground platform identified as “Bitstore,” where it was referenced as an escrow wallet. Although the overlap did not conclusively establish common ownership between the platforms, it demonstrated that parts of the financial infrastructure were circulating across multiple underground services rather than remaining isolated to a single marketplace.

The same domain also introduced Ethereum-based payment infrastructure through the wallet:

  • 0xf5f********************************de0

Unlike earlier Luckp-related domains that primarily relied on Bitcoin, this deployment showed signs of broader cryptocurrency usage. StealthMole tracking linked the Ethereum wallet back to the same onion infrastructure, while associated pages revealed references to external services and hidden wiki-style navigation structures embedded within the marketplace environment.

Another notable development appeared during analysis of:

  • luckp42mxih5kz4hswcfmzllgrm5a6vn463pmssk5fxpuo2dz7xszjqd.onion

which introduced Monero payment support through the wallet:

  • 85PKg**********************************************Epa

Unlike earlier storefront snapshots, this domain exposed portions of the marketplace ordering workflow itself. Archived pages displayed shipping information forms, order identifiers, cryptocurrency payment instructions, and checkout-related infrastructure integrated directly into the platform. The use of Monero, a cryptocurrency heavily associated with privacy-focused transactions, marked a noticeable shift from the earlier BTC-centric deployments observed during the investigation.

Uncovering the Meaning Behind “Luckp”

For much of the investigation, the term “Luckp” appeared to function as little more than marketplace branding. Earlier storefronts alternated between names such as “Luckp 47 Shop” and “Lucky 47 Shop,” while associated Telegram mentions and underground references often used the terms interchangeably. At that stage, the marketplace primarily appeared to be another weapons-focused onion service operating within a crowded dark web ecosystem.

That changed during analysis of the older onion domain:

  • luckp47s6xhz26rn.onion

Unlike several of the newer domains identified earlier in the investigation, this marketplace preserved older archived content that exposed additional branding and narrative elements not immediately visible within the more recent infrastructure. One of the most significant discoveries was the appearance of the following phrase directly alongside the Luckp branding:

  • Luhansk Counter Kiev Partisans

The wording provided the first clear indication that “Luckp” was likely being used as an acronym rather than a randomly selected marketplace name. This substantially shifted the context surrounding the operation. What initially appeared to be a conventional darknet weapons storefront now carried explicit wartime and conflict-oriented messaging tied to the Russia-Ukraine conflict narrative.

The marketplace itself reinforced this positioning visually. Archived snapshots featured militarized imagery, references to the “Ukrainian War,” and branding themes centered around conflict, insurgency, and resistance-style symbolism. Compared to many generic darknet marketplaces that rely on minimalist storefront designs, the Luckp infrastructure appeared intentionally curated to project a distinct identity rather than functioning solely as an anonymous transaction platform.

At the same time, the investigation did not uncover definitive evidence linking the marketplace to any verified militant organization or real-world armed faction operating within the conflict zone. The branding may have reflected ideological positioning, deliberate marketing, or an attempt to build legitimacy within underground communities already focused on wartime narratives and weapons trafficking.

However, the discovery fundamentally changed the direction of the investigation. The case was no longer centered purely on identifying a darknet marketplace selling weapons. Instead, the infrastructure increasingly appeared to be combining illicit commerce with conflict-oriented branding designed to embed the platform within the broader symbolism and online narratives surrounding the ongoing war.

Transactional Activity and Wallet Rotation Patterns

While the ideological and wartime branding surrounding the Luckp infrastructure became clearer through archived marketplace content, the financial activity tied to the older domains revealed another important layer of the operation. Unlike many of the newer Luckp-related onion services that were associated with inactive Bitcoin wallets, the older infrastructure showed sustained transactional behavior spanning multiple years.

StealthMole identified fourteen BTC wallets associated with:

  • luckp47s6xhz26rn.onion

The wallets included:

  • 1Nkm6B************************Hbze
  • 1ANsmz************************H2aU
  • 3BPtF8************************wnxa
  • 3GNrNc************************QW8b
  • 3N5wGK************************Lsv4
  • 3M8NGA************************mkJX
  • 342bk7************************18NT
  • 3Codt5************************Zfve
  • 3BpHnZ************************ybGL
  • 3LWZed************************i9Yu
  • 329NN8************************cXsh
  • 3Cm8s9************************uKDX
  • bc1qwl************************yzvl
  • 3HLoqZG************************uomS

Several of these wallets displayed observable transaction activity between 2017 and 2023, making this one of the most operationally active parts of the ecosystem uncovered during the investigation.

Early Wallet Activity and Transaction Volume

The older wallets generally showed larger transaction values and more consistent movement compared to the newer infrastructure observed elsewhere in the investigation. Examples included:

  • 1Nkm6***********************Hbze: received approximately 1.527 BTC between 2017 and 2018.
  • 3BPtF**************************Dwnxa: received approximately 1.501 BTC during 2019.
  • 3N5wG***************************Lsv4: recorded approximately 0.838 BTC in activity during 2020.
  • 342bk*****************************18NT: showed approximately 0.459 BTC in observed transactions.

Several additional wallets also displayed smaller but recurring payment activity over time. Although blockchain analysis alone cannot determine whether the payments were directly tied to successful marketplace transactions, the repeated financial movement across multiple marketplace-linked wallets strongly suggested that at least parts of the infrastructure were operational rather than purely decorative or inactive storefronts.

Repeated Wallet Rotation Behavior

One of the clearest patterns observed throughout the wallet analysis was the short operational lifespan of many addresses. Rather than relying on a single long-term treasury wallet, the infrastructure repeatedly cycled through multiple payment addresses over time.

Across several wallets, the same sequence appeared repeatedly:

  • Wallet receives incoming BTC transactions
  • Funds remain temporarily within the wallet
  • Wallet balance is later drained or reduced to near-zero
  • Activity declines or stops entirely

This behavior appeared across multiple years of activity and was especially visible within the earlier Luckp infrastructure. In many cases, the wallets eventually showed:

  • zero remaining balance,
  • zero unspent outputs,
  • or no further transactional activity after earlier payment periods.

The repeated receive-and-drain pattern suggested that the infrastructure may have relied on compartmentalized payment handling rather than maintaining large long-term wallet balances. Whether this behavior reflected operational security practices, manual fund consolidation, or short-term receiving wallets could not be independently confirmed. However, the consistency of the pattern across multiple addresses indicated that the wallet activity was unlikely to be random.

Gradual Decline in Financial Activity

Another noticeable trend emerged when comparing older wallet activity with newer Luckp-related infrastructure uncovered later in the investigation. Earlier wallets generally handled larger BTC volumes and showed clearer transactional patterns, while later deployments increasingly relied on inactive or near-empty wallet clusters.

Some of the newer wallets associated with later domains received extremely small amounts of Bitcoin or showed no observable activity at all. This contrasted sharply with the older Luckp infrastructure, which demonstrated more sustained financial movement between 2017 and 2020.

The shift may suggest several possibilities:

  • operational decline,
  • fragmentation of the marketplace ecosystem,
  • migration toward alternative payment methods,
  • increased use of privacy-focused cryptocurrencies,
  • or repeated redeployment of partially inactive mirror infrastructure.

Although the exact reason could not be conclusively determined, the financial behavior observed across the investigation indicated that the Luckp ecosystem evolved significantly over time rather than remaining operationally static.
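The receive-and-drain pattern and the year-over-year decline described in the two sections above can be turned into a mechanical check over a wallet's transaction history. The Python below is an added example written for this write-up, not the report's own analysis or StealthMole tooling. Its ledger is constructed: the totals loosely follow the figures quoted above, but the individual transactions, dates and dust amounts are invented. It labels each marketplace-linked address by lifecycle pattern (inactive, receive-and-drain, receive-only, partial-drain) and sums incoming BTC per calendar year so the decline in volume is visible at a glance.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Tx:
    address: str      # wallet label (masked, as in the report)
    when: date
    direction: str    # "in" = funds received, "out" = funds spent
    btc: Decimal


# Constructed sample ledger. Totals loosely follow the figures the report gives;
# the individual transactions, dates and dust amounts are invented for illustration.
SAMPLE_ADDRESSES = [
    "1Nkm6B...Hbze", "3BPtF8...wnxa", "3N5wGK...Lsv4", "bc1qwl...yzvl", "bc1...w4j",
]
SAMPLE_TXS = [
    Tx("1Nkm6B...Hbze", date(2017, 3, 2), "in", Decimal("0.50")),
    Tx("1Nkm6B...Hbze", date(2017, 9, 14), "in", Decimal("0.60")),
    Tx("1Nkm6B...Hbze", date(2018, 1, 20), "in", Decimal("0.427")),
    Tx("1Nkm6B...Hbze", date(2018, 2, 3), "out", Decimal("1.527")),    # drained to zero
    Tx("3BPtF8...wnxa", date(2019, 4, 1), "in", Decimal("1.501")),
    Tx("3BPtF8...wnxa", date(2019, 4, 9), "out", Decimal("1.5005")),   # dust left behind
    Tx("3N5wGK...Lsv4", date(2020, 6, 5), "in", Decimal("0.838")),     # never spent
    Tx("bc1qwl...yzvl", date(2022, 11, 11), "in", Decimal("0.0002")),  # tiny late payment
    # "bc1...w4j" has no transactions at all, like the clusters on the newer domains
]


def summarize(addresses, txs, dust=Decimal("0.001")):
    """Per-address lifecycle summary: totals, remaining balance, active span and a pattern label.

    Pattern labels:
      inactive           no incoming funds were ever observed
      receive-and-drain  funds arrived and the last movement emptied the address (<= dust)
      receive-only       funds arrived and were never moved
      partial-drain      funds were moved out but a non-dust balance remains
    """
    by_addr = defaultdict(list)
    for t in txs:
        by_addr[t.address].append(t)
    report = {}
    for addr in addresses:
        items = sorted(by_addr.get(addr, []), key=lambda t: t.when)
        received = sum((t.btc for t in items if t.direction == "in"), Decimal(0))
        spent = sum((t.btc for t in items if t.direction == "out"), Decimal(0))
        balance = received - spent
        if received == 0:
            pattern = "inactive"
        elif balance <= dust and items[-1].direction == "out":
            pattern = "receive-and-drain"
        elif spent == 0:
            pattern = "receive-only"
        else:
            pattern = "partial-drain"
        report[addr] = {
            "received": received,
            "spent": spent,
            "balance": balance,
            "first": items[0].when if items else None,
            "last": items[-1].when if items else None,
            "span_days": (items[-1].when - items[0].when).days if items else 0,
            "pattern": pattern,
        }
    return report


def received_by_year(txs):
    """Incoming BTC per calendar year: the view used to spot a decline in volume over time."""
    totals = defaultdict(lambda: Decimal(0))
    for t in txs:
        if t.direction == "in":
            totals[t.when.year] += t.btc
    return dict(sorted(totals.items()))


if __name__ == "__main__":
    for addr, row in summarize(SAMPLE_ADDRESSES, SAMPLE_TXS).items():
        print(f"{addr:16} {row['pattern']:18} received={row['received']} "
              f"balance={row['balance']} span={row['span_days']}d")
    print(received_by_year(SAMPLE_TXS))
```

The dust threshold matters: a wallet that received a fraction of a millibit and was never touched is classified as receive-only rather than drained, because the drain label requires that the final movement be an outgoing spend. Decimal is used instead of float so that a balance of exactly zero compares as zero.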

Infrastructure Persistence and Identity Continuity

As the financial analysis expanded across older and newer Luckp-related domains, another pattern began emerging beneath the rotating wallets and changing storefronts: despite repeated infrastructure shifts, several core identifiers remained surprisingly consistent over time.

One of the clearest examples involved the marketplace’s contact infrastructure. The earliest domains identified during the investigation used the email address:

  • luc****7@b****ail.net

However, as additional onion services were uncovered, the investigation revealed that the operators, or at minimum the infrastructure behind the marketplaces, continued reusing the “luckp47” identifier across multiple encrypted email providers.

Additional addresses identified through StealthMole included:

  • lu***7@dnmx.su
  • LU***7@DNMX.SU
  • lu****7@sa******l.net
  • lu****7@sa******l.com

The repeated reuse of the same naming convention across separate providers strongly suggested long-term continuity in branding and operational identity. While the surrounding infrastructure evolved over time, the “luckp47” label itself remained persistent across multiple marketplace generations.

The transition between providers was also notable in its own right. Earlier infrastructure relied on Bitemail, while later deployments shifted toward DNMX and Safe-mail services — platforms frequently observed within underground and privacy-focused communities. The migration appeared gradual rather than abrupt, suggesting infrastructure evolution over time instead of a single isolated redeployment.

The onion infrastructure itself reflected a similar pattern of continuity. Older Luckp-related domains used legacy Tor v2 onion addresses, while newer deployments transitioned toward the longer v3 onion addresses that became the only supported format once Tor deprecated v2. This migration indicated that portions of the infrastructure were actively maintained and adapted across multiple years rather than abandoned after initial deployment.
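Sorting recovered onion links by address generation, as this paragraph and the earlier contact-infrastructure section do, is something an analyst can do mechanically before any manual pivoting. The Python below is an added illustration, not part of the report or of StealthMole's tooling. It classifies a scraped link as legacy v2 (16 base32 characters) or v3 (56 base32 characters) and, for v3 labels, verifies the embedded version byte and the SHA3-256 checksum defined in Tor's rend-spec-v3, which separates a genuine address from a mistyped or truncated one. The addresses used are those quoted in this report; encode_v3 is a helper added only so the checksum logic can be exercised against a constructed key.

```python
import base64
import hashlib
import re

# Onion address generations (Tor rend-spec-v2 / rend-spec-v3):
#   v2: 16 base32 chars (truncated SHA-1 of an RSA-1024 key); Tor dropped support in 2021
#   v3: 56 base32 chars = PUBKEY(32) || CHECKSUM(2) || VERSION(1), VERSION = 0x03,
#       CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
_V2_LABEL = re.compile(r"^[a-z2-7]{16}$")
_V3_LABEL = re.compile(r"^[a-z2-7]{56}$")
_CHECKSUM_PREFIX = b".onion checksum"
_VERSION = b"\x03"


def onion_label(address: str) -> str:
    """Reduce a scraped link to its bare onion label: drop scheme, path, case and '.onion'."""
    s = address.strip().lower()
    s = re.sub(r"^[a-z]+://", "", s)
    s = s.split("/", 1)[0]
    if s.endswith(".onion"):
        s = s[: -len(".onion")]
    return s.rsplit(".", 1)[-1]    # ignore any subdomain in front of the onion label


def classify_onion(address: str) -> str:
    """'v2', 'v3' or 'invalid' from length and alphabet alone (no checksum)."""
    label = onion_label(address)
    if _V2_LABEL.match(label):
        return "v2"
    if _V3_LABEL.match(label):
        return "v3"
    return "invalid"


def verify_v3(address: str) -> bool:
    """Full v3 check: structure, version byte and the SHA3-256 checksum over the embedded key."""
    label = onion_label(address)
    if not _V3_LABEL.match(label):
        return False
    raw = base64.b32decode(label.upper())           # 56 chars -> exactly 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != _VERSION:
        return False
    expected = hashlib.sha3_256(_CHECKSUM_PREFIX + pubkey + version).digest()[:2]
    return checksum == expected


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte ed25519 public key; added here only to test round-trips."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion addresses embed a 32-byte ed25519 public key")
    checksum = hashlib.sha3_256(_CHECKSUM_PREFIX + pubkey + _VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + _VERSION).decode().lower() + ".onion"


def triage(addresses):
    """Bucket scraped links: legacy v2, checksum-valid v3, v3-shaped but corrupt, or not an onion."""
    buckets = {"v2": [], "v3": [], "v3_bad_checksum": [], "invalid": []}
    for addr in addresses:
        kind = classify_onion(addr)
        if kind == "v3" and not verify_v3(addr):
            kind = "v3_bad_checksum"
        buckets[kind].append(addr)
    return buckets


if __name__ == "__main__":
    # Labels quoted in the report; the last entry is a constructed one-character typo
    sample = [
        "luckp47s6xhz26rn.onion",
        "luckp47hkr3te6v6uigtfma4jn5sdmjgsvy3kuf3hbg6uxm5bpti2tyd.onion",
        "http://luckp42mxih5kz4hswcfmzllgrm5a6vn463pmssk5fxpuo2dz7xszjqd.onion/",
        "luckp47hkr3te6v6uigtfma4jn5sdmjgsvy3kuf3hbg6uxm5bpti2tya.onion",
    ]
    for bucket, items in triage(sample).items():
        print(bucket, items)
```

Every v3 address ends in the letter d because the final base32 character carries the low five bits of the version byte 0x03; a label that is 56 characters long but ends differently has been altered somewhere, and the checksum catches alterations elsewhere in the label. A vanity prefix such as luckp47 says nothing about validity, since such prefixes are produced by generating keys until one encodes to the desired leading characters.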

Additional linked domains continued surfacing throughout the investigation, including:

  • luckp42mxih5kz4hswcfmzllgrm5a6vn463pmssk5fxpuo2dz7xszjqd.onion
  • luckp43xq757gh5w2udd4rl6fqwtie3hab57uwk5bywga4t5x5yxqjqd.onion
  • luckp4bbg3jjytiao7ibd556dvs2fkpfbzcl74my6ku3omweoscmm6ad.onion

Some of these domains were inactive at the time of analysis, while others appeared partially operational or redirected toward related marketplace infrastructure. Despite differences in branding and accessibility, many retained overlapping marketplace structures, recurring imagery, and similar payment workflows.

The investigation also identified traces of the Luckp identifiers outside the onion ecosystem itself. The addresses luc***7@sa****l.net and lu**7@sa***l.com were both observed within leaked files indexed through StealthMole. While the leaked references alone did not independently establish ownership or attribution, they demonstrated that the Luckp identity extended beyond isolated Tor infrastructure and appeared across additional underground data sources.
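The pivots described in this section and in the earlier section on contact infrastructure (an email address shared by several storefronts, a wallet reused on a separate platform, the same local part across different providers in varying case) amount to building a graph of domains and artifacts and reading off its connected components. The Python below is an added example written for this write-up, not StealthMole's code. Its observation table is constructed: the masked values are those quoted in the report, but which artifact was observed on which domain, the two *-placeholder.onion entries and their wallets are invented for illustration.

```python
from collections import defaultdict, deque

# Constructed observation table: (domain, artifact kind, artifact value). Masked values
# are copied from the report; the domain-to-artifact mapping, the "*-placeholder.onion"
# entries and the placeholder wallet are invented for illustration.
OBSERVATIONS = [
    ("luckp47hkr3te6v6uigtfma4jn5sdmjgsvy3kuf3hbg6uxm5bpti2tyd.onion", "email", "l*****7@b****mail.net"),
    ("luckp47hkr3te6v6uigtfma4jn5sdmjgsvy3kuf3hbg6uxm5bpti2tyd.onion", "btc", "bc1**********************03j"),
    ("luckp47s6xhz26rn.onion", "email", "l*****7@b****mail.net"),
    ("luckp47s6xhz26rn.onion", "email", "LU***7@DNMX.SU"),
    ("luckp4k5jzwsofw6dulfvmc5clj75ww2ysgcwvj7yfunnc2i7terp4qd.onion", "email", "lu***7@dnmx.su"),
    ("27bpwhs**************************************66id.onion", "email", "l*****7@b****mail.net"),
    ("27bpwhs**************************************66id.onion", "btc", "1KpBj*******************9gz"),
    ("bitstore-placeholder.onion", "btc", "1KpBj*******************9gz"),   # escrow wallet reuse
    ("unrelated-placeholder.onion", "btc", "bc1placeholderwalletxxxx"),     # control: no overlap
]

# How much a shared artifact says about common control, used for link scoring.
# A shared contact address is stronger than a wallet that may simply be an escrow
# service used by several platforms (the report's own caveat about the Bitstore wallet).
KIND_WEIGHT = {"email": 1.0, "btc": 0.5, "eth": 0.5, "xmr": 0.5}


def normalize(kind, value):
    """Canonicalise an artifact so case variants of one identifier collapse to one node."""
    v = value.strip()
    if kind == "email":
        local, _, dom = v.rpartition("@")
        return f"{local.lower()}@{dom.lower()}"
    if kind == "btc" and v.lower().startswith("bc1"):
        return v.lower()          # bech32 is case-insensitive; legacy Base58 is not
    return v


def build_graph(observations):
    """Bipartite adjacency: domain nodes <-> artifact nodes."""
    g = defaultdict(set)
    for domain, kind, value in observations:
        d = ("domain", domain.strip().lower())
        a = ("artifact", kind, normalize(kind, value))
        g[d].add(a)
        g[a].add(d)
    return g


def pivot(g, kind, value):
    """All domains on which one artifact was observed (the manual pivot, automated)."""
    node = ("artifact", kind, normalize(kind, value))
    return sorted(n[1] for n in g.get(node, ()))


def clusters(g):
    """Connected components, reported as frozensets of domain names."""
    seen, comps = set(), []
    for start in g:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            if node[0] == "domain":
                comp.add(node[1])
            for nxt in g[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        comps.append(frozenset(comp))
    return comps


def link_score(g, dom_a, dom_b):
    """Weighted count of artifacts two domains share directly; 0.0 means no direct overlap."""
    a = g.get(("domain", dom_a.lower()), set())
    b = g.get(("domain", dom_b.lower()), set())
    return sum(KIND_WEIGHT.get(n[1], 0.25) for n in a & b)


if __name__ == "__main__":
    graph = build_graph(OBSERVATIONS)
    for comp in clusters(graph):
        print(sorted(comp))
    print(pivot(graph, "email", "lu***7@dnmx.su"))
```

Two design points follow the report's own caveats. The upper-case and lower-case DNMX addresses collapse to one node, so the two domains that carry them land in the same component; and the Bitstore placeholder joins the Luckp cluster only through the shared escrow wallet, which link_score weights lower than a shared contact address, reflecting that wallet reuse alone does not establish common ownership.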

Telegram Mentions and External Visibility

The investigation later expanded beyond the Tor ecosystem itself after StealthMole’s Telegram Tracker identified references to Luckp-related infrastructure circulating through Telegram-based underground communities.

One of the identified mentions referenced the following domain within a Telegram message posted in the channel titled Mundo Dos Hackers:

  • luckp47s6xhz26rn.onion

The message appeared to function as a directory-style post containing multiple onion links tied to underground marketplaces and services. Within the listing, the Luckp infrastructure was referenced under the name:

  • Lucky 47 Shop

The Telegram reference was particularly notable because it demonstrated that the marketplace was not relying exclusively on Tor-based discovery. Instead, links to the infrastructure were also circulating through external messaging ecosystems commonly used to distribute dark web resources, marketplace directories, and underground service references.

The naming convention used within the Telegram message also reflected an interesting shift in how the marketplace was being referenced externally. While archived infrastructure later revealed the meaning behind the “Luckp” acronym, the Telegram ecosystem appeared to use the simplified “Lucky 47 Shop” branding instead. Whether this reflected deliberate simplification, informal renaming by third-party users, or broader recognition of the marketplace under a more accessible label could not be conclusively determined.

Conclusion

What began as the discovery of a single inactive onion marketplace gradually expanded into a broader investigation involving linked onion services, recurring cryptocurrency infrastructure, evolving marketplace branding, and years of observable operational activity.

Through StealthMole pivots across wallets, domains, Telegram references, and contact infrastructure, the investigation revealed that the Luckp ecosystem extended well beyond one storefront. Older domains showed sustained Bitcoin activity and clearer operational behavior, while newer deployments increasingly relied on rotating mirror infrastructure, inactive wallet clusters, and alternative cryptocurrency support such as Monero.

The investigation also revealed how the marketplace evolved its identity over time. What initially appeared as “Lucky 47 Shop” later exposed deeper conflict-oriented branding tied to “Luhansk Counter Kiev Partisans,” demonstrating how underground marketplaces can combine weapons trafficking narratives, wartime symbolism, and anonymous infrastructure to build long-term visibility within dark web ecosystems.

Editorial Note

Investigations involving dark web infrastructure rarely produce absolute answers. Marketplaces frequently rotate domains, reuse identifiers, abandon infrastructure, and blur the line between operational activity, propaganda, and reputation-building. StealthMole helped connect fragmented indicators spread across onion services, cryptocurrency wallets, Telegram references, and leaked data, allowing a broader infrastructure picture to emerge from what initially appeared to be an isolated marketplace listing.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com
