Hitmen for Hire: Inside the Mexican Mafia Marketplace

Dark web has long been home to marketplaces advertising services that range from financial fraud and forged documents to far more serious offerings such as contract violence. While many of these platforms are little more than scams designed to steal cryptocurrency from unsuspecting buyers, others attempt to build credibility by presenting structured marketplaces, vendor profiles, discussion forums, escrow systems, and cryptocurrency payment infrastructure. Whether genuine or fraudulent, these platforms provide valuable insight into how criminal operators market themselves, establish trust, and maintain an online presence within underground communities.

One such platform is Mexican Mafia, a long-running dark web marketplace that presents itself as a directory of gang members and contract killers offering services worldwide. Beyond promoting alleged hitmen, the site also advertises other criminal services, including weapons, fraudulent documents, and opportunities for affiliates to earn commissions by driving traffic to the platform. The marketplace claims to operate through built-in and external escrow services, accepts cryptocurrency payments, and promotes anonymity for both customers and vendors.

This investigation examines the digital footprint surrounding the Mexican Mafia marketplace using StealthMole, tracing its infrastructure across historical and active onion domains, Telegram, cryptocurrency wallets, vendor profiles, and related underground resources. Rather than focusing on the claims made by the platform itself, the investigation follows the artifacts it left behind to understand how its infrastructure evolved and how different components of its ecosystem remain interconnected over time.

Behind the Landing Page

The investigation began with the discovery of an onion domain, which was indexed in StealthMole's Dark Web Tracker under the title "Mexican Mafia." The landing page presented itself as a marketplace where users could allegedly hire contract killers and other criminal service providers through an anonymous, cryptocurrency-based platform.

  • qjq35*********************************************acid.onion

At first glance, the website resembled many other illicit marketplaces operating on the dark web. It promoted a network of "gangsters" offering a range of criminal services, including contract killings, forged documents, and assistance with what it described as "difficult people." The site claimed to protect both buyers and vendors through anonymous communication, cryptocurrency payments, built-in and external escrow services, and a policy of not collecting personal information. It also advertised a workflow where payments would only be released after a requested task had been completed, presenting these features as safeguards intended to build trust among prospective users.

Rather than relying solely on the current version of the website, StealthMole's historical indexing immediately revealed that the marketplace had been observed over an extended period, with more than twenty archived snapshots available for analysis. This indicated that the platform had maintained an online presence across multiple points in time, making it a suitable candidate for a deeper infrastructure investigation. The focus therefore shifted from the marketplace's advertised services to the digital footprint surrounding it, with the objective of determining whether additional infrastructure, recurring identifiers, and historical artifacts could be uncovered beyond what was visible on the landing page.

Beyond a Single Onion Site

To determine whether the Mexican Mafia marketplace extended beyond its primary landing page, the original onion domain was further investigated using StealthMole's Dark Web Tracker. This quickly revealed that the marketplace was not operating from a single onion service. Historical records identified another active domain using the same "Mexican Mafia" title, suggesting that the operators maintained multiple versions of the platform over time.

  • tdmb4*****************************************gulyd.onion

The investigation also uncovered another onion service that functioned as a directory reviewing alleged murder-for-hire websites. The page assigned the Mexican Mafia marketplace a five-star rating and described it as "one of the few real hitman services around." While these statements cannot be independently verified and should be regarded as promotional claims published by another dark web service, the listing confirmed that the marketplace had visibility beyond its own infrastructure.

  • cnpwz**********************************************zead.onion

More importantly, this review page exposed several contact artifacts associated with vendors advertising on the marketplace. Rather than focusing solely on the websites themselves, the investigation shifted towards these reusable identifiers, which often provide more reliable pivot points for uncovering related infrastructure. Among the artifacts recovered were three email addresses together with their associated PGP fingerprints:

Email Address

PGP Fingerprint

L****@dnmx.cc

B384*******************************295

way****@proton.me

1C16*******************************CF2

isellguns@m******com

0786********************************523

Of these, isellguns@m******com stood out as the most promising investigative lead. Unlike the other contact points, this identifier continued to reappear across multiple datasets during subsequent analysis, eventually linking together additional onion domains, vendor profiles, marketplace functionality, cryptocurrency artifacts, and Telegram activity. As a result, the remainder of the investigation pivoted away from the landing page itself and began following this single identifier to determine how extensively the Mexican Mafia marketplace was connected across the underground ecosystem.

Following a Single Identity

The vendor email isellguns@m******com was selected as the next investigative pivot due to its recurring appearance within the marketplace. Rather than serving only as a contact point, reusable identifiers such as email addresses often reveal infrastructure that is not directly linked from a website itself. To determine whether the address appeared elsewhere within the underground ecosystem, it was further investigated using StealthMole's Dark Web Tracker.

The search immediately uncovered two additional onion domains. The first was an inactive directory titled "Best List of Dark Web Vendors", where the same email address was listed alongside other underground vendors. Although the directory itself could not be directly attributed to the Mexican Mafia marketplace, it demonstrated that the contact information had been advertised beyond the marketplace's own infrastructure.

  • bestlieb**********************************************ryd.onion

The second discovery proved considerably more valuable. StealthMole identified another active onion service, which presented another version of the Mexican Mafia marketplace. While maintaining the same overall branding and purpose, this deployment contained noticeably different content and exposed parts of the platform that were not visible on the original landing page. Rather than simply functioning as another access point, it provided a broader view of how the marketplace attempted to present itself to prospective customers and vendors.

  • ocqren76bqb5vdggsialpskvdn53aryyimhp4hpbufn3f6qq36o4p6ad.onion

Compared to the original homepage, this version placed greater emphasis on explaining the marketplace's operating model. It promoted features such as encrypted communication, PGP support, built-in and external escrow services, an integrated Bitcoin mixer, and anonymous customer registration. The marketplace also described an order submission process in which customers could provide detailed information about a target, select a preferred service provider, or allow the platform to assign one automatically. Throughout the site, considerable effort was made to portray the marketplace as an organised service rather than a simple criminal advertisement.

Historical snapshots recovered through StealthMole also exposed features that were absent from the current landing page. These included an unmoderated discussion forum, an affiliate programme rewarding users for referrals, publicly accessible vendor profiles, recent forum discussions, and lists of active marketplace members. Together, these sections suggested that the operators were attempting to cultivate an ongoing user community rather than relying solely on one-off transactions.

One particularly interesting observation was the marketplace's repeated effort to establish credibility. Badges promoting "Top Service," "External Escrows Accepted," and "$0 Down Payment" appeared throughout the site, while separate pages attempted to reassure visitors about anonymity, operational security, and payment protection. Although none of these claims can be independently verified, they illustrate how the operators attempted to reduce scepticism and encourage engagement from potential customers.

Further investigation of this onion service uncovered several additional domains associated with the Mexican Mafia infrastructure:

  • uuss*********************************************o6pr5yd.onion
  • wyfa**********************************************4bo6yd.onion
  • teclqm5qcfue7tnkpwkj63nodq77kppaqtacvr2gdubxx24kjadt55ad.onion
  • 35cuaq55z6d2jods.onion
  • lj5ponocadanu2vi7ol2g7o5h5btsql7twh6vlmys6ejvgybbfp22kyd.onion
  • Killers6e7jq7a7z.onion

The investigation then shifted to StealthMole's Telegram Tracker, where the same email address, isellguns@m******com, was found in a Telegram channel. Unlike a forwarded message, the email appeared in a post published directly by the channel administrator together with the contact @TheC******y, indicating that it was being actively used as a point of contact. The channel also advertised additional payment methods, including PayPal and the Bitcoin address.

  • PayPal: PayPal.me/gu****in
  • Bitcoin Wallet: 1Jac********************fBQ

The repeated appearance of the same email address across onion services and Telegram made it one of the strongest correlation points identified during the investigation. What initially appeared to be a single vendor contact ultimately connected multiple marketplace deployments, vendor profiles, communication channels, and payment infrastructure, significantly expanding the digital footprint associated with the Mexican Mafia marketplace.

Following the Mirrors

The investigation of isellguns@m*****m also led to the discovery of another Mexican Mafia mirror domain.

  • 4cfw************************************************xid.onion

Further analysis of this domain using StealthMole's Dark Web Tracker revealed that the platform itself pointed towards another active onion service, indicating that the operators maintained multiple deployments of the Mexican Mafia marketplace over time.

  • i43v6*****************************************zyqd.onion

Unlike the previously recovered domains, this mirror provided additional historical context about the platform and became another valuable investigative pivot. Examination of its archived content uncovered several more onion domains associated with the same marketplace, many of which were no longer active but remained indexed through StealthMole's historical records.

The following mirror domains were identified during this stage of the investigation:

  • uusssy2bf4bg2umkampjk2twps7hgrj7nnpv3z3nodxqh6agnz26tbyd.onion (inactive)
  • uusssyqq7mwaja5o7phdcil2zjqcaujl4e6m67ftyjlb5eujd7e4phad.onion (inactive)
  • uusssyqrsk3enryp2mg4hnuad5ogecgm4w3z2wltlm6s6i3xouvgvnqd.onion (inactive)
  • mexican**********************************************kid.onion (active)

The recovery of multiple inactive mirrors demonstrated that the marketplace's infrastructure had evolved over time rather than relying on a single persistent onion service. Although several of these domains were no longer operational, StealthMole's historical indexing preserved their relationship to the broader Mexican Mafia ecosystem, allowing the investigation to continue beyond infrastructure that had already disappeared from the live dark web.

One historical mirror proved particularly useful. Investigation of

  • uusssyqrsk3enryp2mg4hnuad5ogecgm4w3z2wltlm6s6i3xouvgvnqd.onion

revealed two Bitcoin wallet addresses embedded within the archived content:

  • bc1q*********************************7pu6j
  • bc1q**********************************ym3m

Both wallets were examined during the investigation and, at the time of analysis, neither had recorded any blockchain transactions. While this does not indicate how the addresses were intended to be used, it demonstrates that historical marketplace infrastructure preserved payment artifacts that could be investigated independently of the live website.

Hidden in Plain Sight

By this stage, the investigation had already uncovered multiple historical mirrors of the Mexican Mafia marketplace. To determine whether these archived domains contained additional intelligence beyond their webpages, one of the inactive mirrors was examined further using StealthMole's Dark Web Tracker.

  • mexican******************************************kid.onion

Rather than exposing only archived webpages, StealthMole also preserved media files associated with the marketplace. These included numerous images hosted by the onion service, many of which were used as profile photographs and avatars for vendors and marketplace users. While these images did not independently identify real-world individuals, they provided additional artifacts that could be used to extend the investigation beyond conventional webpage content.

One of these indexed media files proved particularly valuable. Analysis of its associated metadata led to the discovery of another previously unseen mirror of the Mexican Mafia marketplace:

  • mexicanw7smag2cf722ibcx3dgyluwxk4mfcwhtd3zsqsgptixxhieyd.onion

Unlike earlier mirrors, this version contained updated marketplace content that offered additional insight into how the platform continued to evolve over time. Historical snapshots recovered through StealthMole showed that the marketplace retained its core operating model while refining its presentation, expanding navigation menus, and further developing features aimed at both customers and vendors. New sections such as Top Vendors, Top Hitmen, and expanded marketplace guidance reflected an effort to present the platform as an established criminal marketplace rather than a collection of individual advertisements.

The archived pages also continued to promote customer registration, vendor recruitment, affiliate opportunities, and escrow-based transactions, demonstrating a consistent attempt to build trust within the underground community. Although these operational claims cannot be independently verified, their persistence across multiple generations of the marketplace illustrates how the operators sought to maintain a consistent identity despite repeatedly changing infrastructure.

The recovery of yet another mirror through indexed media files highlights an investigative advantage of StealthMole's historical indexing. Rather than relying solely on active onion services, archived media artifacts provided an additional pivot that exposed infrastructure which would have been difficult to identify through conventional browsing alone.

A Trail of Bitcoin

The investigation of this domain marked another turning point. Unlike the previously recovered mirrors, this version exposed a substantial amount of embedded financial infrastructure that could be used as new investigative pivots.

  • mexicanw7smag2cf722ibcx3dgyluwxk4mfcwhtd3zsqsgptixxhieyd.onion

StealthMole identified ten embedded Bitcoin wallet addresses within the archived content of the marketplace:

  • bc1q***********************************0fj
  • bc1q***********************************unp
  • bc1q***********************************nzk
  • bc1q***********************************nuy
  • bc1q***********************************dxm
  • bc1q***********************************s2l
  • bc1q***********************************arn
  • bc1q***********************************2mm
  • bc1q***********************************m7l
  • bc1q***********************************uum

The same recurring email address was once again identified within this mirror, reinforcing the pattern observed throughout the investigation. By this stage, the email had already linked multiple onion domains, vendor profiles, and marketplace deployments. Its continued presence alongside newly recovered cryptocurrency artifacts further strengthened its value as a recurring investigative identifier.

  • isellguns@m*****m

Conclusion

What began as the discovery of a single onion domain ultimately revealed a much broader ecosystem surrounding the Mexican Mafia marketplace. By pivoting through recurring identifiers, historical snapshots, archived media, mirror domains, and cryptocurrency artifacts, the investigation reconstructed multiple generations of the platform and uncovered how its infrastructure evolved over time. Rather than relying on a single website, the marketplace maintained a network of interconnected domains while repeatedly reusing contact information and other operational artifacts across different deployments.

Although the authenticity of the services advertised by the marketplace cannot be independently verified, its digital footprint provides valuable intelligence. This investigation demonstrates how StealthMole can move beyond surface-level discovery by correlating historical infrastructure, recurring identities, and cross-platform artifacts, enabling analysts to build a more complete picture of underground operations that would otherwise remain fragmented.

Editorial Note

Dark web investigations rarely rely on a single piece of evidence. Meaningful attribution is built by correlating multiple independent artifacts across different platforms and periods of time. This case illustrates how StealthMole helps investigators reconstruct hidden infrastructure, preserve disappearing evidence, and connect seemingly unrelated indicators into a coherent investigative narrative.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


Labels: ,

The Many Doors of RansomHouse: Mapping an Evolving Ransomware Ecosystem

Ransomware groups rarely disappear when their infrastructure goes offline. Domains change, communication channels are abandoned, and public leak sites evolve over time, leaving behind fragments that can make long-term investigations difficult. While many ransomware reports focus on a single attack or victim, understanding how these groups maintain their presence across multiple platforms often provides a more complete picture of how they operate.

Among the many ransomware operations that have emerged in recent years, RansomHouse has established itself as a distinct actor. Since appearing in 2021, the group has publicly positioned itself as a data extortion operation, frequently claiming that victims are targeted for poor cybersecurity practices rather than relying solely on traditional ransomware deployment. Over time, it has published numerous victim disclosures through its leak site while continuously adapting the infrastructure used to support those operations.

This investigation takes a different approach. Instead of examining a single breach, it follows the digital footprint left behind by RansomHouse across its public infrastructure. Using StealthMole, the investigation reconstructs pieces of the group's online presence that are no longer readily accessible, revealing how websites, communication channels, and supporting infrastructure evolved over time.

Where the Trail Began

The investigation began with StealthMole's Ransomware Monitoring module, where RansomHouse was identified as an active ransomware operation. The group's most recent claimed victim at the time of investigation was a U.S.-based construction company, which appeared on the platform with an attack date of 29 June 2026. While the individual incident was noteworthy, it also raised a broader question: how extensive was RansomHouse's activity, and what digital footprint had the group left behind over the years?

To answer that, a broader search was conducted within the Ransomware Monitoring module using the RansomHouse identifier. The results showed that between May 2022 and June 2026, the group had claimed responsibility for more than 186 victim organizations, spanning multiple industries and geographic regions. The steady stream of disclosures over a four-year period suggested that RansomHouse was not a short-lived operation but one that had maintained a consistent presence within the ransomware landscape.

Beyond victim statistics, the platform also identified the group's primary leak site:

  • zohlm7********************************************2yid.onion

The leak site served as the public face of the operation, hosting victim listings and data disclosures. Rather than ending the investigation with the group's victim count, this onion domain became the next investigative pivot. By tracing the infrastructure connected to the leak portal through StealthMole's Dark Web Tracker, the investigation aimed to determine whether RansomHouse relied on additional websites, communication channels, or supporting infrastructure that could help reconstruct its broader operational ecosystem.

Inside RansomHouse

Pivoting from the leak site into StealthMole's Dark Web Tracker provided a closer look at how RansomHouse presents itself beyond its victim listings. Rather than functioning solely as a repository for leaked data, the website is structured as a centralized platform that explains the group's operating model, manages victim interactions, and facilitates communication with external parties.

At the center of the website are two categories used to organize victims: Evidence and Disclosed. Organizations listed under Evidence have samples of stolen data published as proof of compromise, while those marked as Disclosed have had their full datasets released publicly. This staged approach allows RansomHouse to apply pressure during negotiations before proceeding to a complete disclosure if an agreement cannot be reached.

The website also contains a detailed Frequently Asked Questions (FAQ) section that offers insight into how the group portrays its activities. One of the recurring themes is its attempt to distinguish itself from conventional ransomware operations. Rather than describing itself simply as a group that encrypts systems for financial gain, RansomHouse claims to target organizations with weak cybersecurity practices and presents data disclosure as a consequence of inadequate security rather than the primary objective of the operation.

For affected organizations, the FAQ explains how victims can establish contact, negotiate, or request the removal of published material. It also provides guidance for organizations wishing to purchase their undisclosed data before it is made public, illustrating that the website serves not only as a disclosure platform but also as a negotiation and transaction portal.

Interestingly, RansomHouse also dedicates a section of the website to journalists and researchers. Media representatives are encouraged to contact the group directly for additional information or clarification regarding published breaches, reflecting an effort to shape public reporting around its activities. Alongside its Tor-based infrastructure, the group also advertises alternative communication methods, including an I2P address, providing additional resilience should parts of its infrastructure become unavailable.

Following the Mirrors

With a clearer understanding of how RansomHouse presents itself, the investigation shifted from examining the contents of the website to tracing the infrastructure supporting it. Using the group's primary onion domain as the investigative pivot, StealthMole's Dark Web Tracker revealed that the public leak site represented only a small portion of a much larger network of interconnected services.

One of the first discoveries was the existence of an additional RansomHouse-branded onion domain:

  • xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.onion

Although no longer active, the domain hosted a mirror of the RansomHouse leak site during its operational lifetime. The preserved records indicate that it remained active throughout 2022 before eventually disappearing. Its discovery suggests that RansomHouse maintained multiple public-facing portals over time, providing redundancy while preserving access to victim disclosures.

As the investigation expanded, StealthMole identified a much broader layer of infrastructure supporting the operation. Rather than storing stolen data directly on the main leak portal, RansomHouse relied on numerous dedicated onion-based file servers to host disclosed datasets. Hundreds of these domains were identified, many of which are now inactive. Examples include:

  • vopa354z4toilkjn4ileaf6rinkzn2givaokvj4yguq5kbiqoulxnzyd.onion
  • m7vtnbsgctdcsccqmpnmi6igg3pcuiliqqqsq6uonkzg4blpa4eysiad.onion
  • nuhnnxg3owawo36mwdffyblbzplhthfswny55mh7yhbxq74en6jihyad.onion
  • q2bwuip5xq4qjn2vyevprcddhk26cigyqfqfu6yki7korjys2rposaad.onion
  • ge74uts2ybu22kzwahiayovxelbq5fwhywl73agev5w4fef2e5ikplid.onion

The use of separate file hosting infrastructure demonstrates a deliberate separation between the group's public leak portal and the servers responsible for distributing stolen data. This layered approach not only improves operational resilience but also allows individual file servers to be rotated or abandoned without disrupting the primary website.

Additional infrastructure was uncovered while examining individual victim disclosures. One example involved Prince George County, where the published disclosure page directed investigators to another onion domain:

  • yvqyd**********************************************raid.onion

The domain appeared to function as another dedicated file server containing the victim's disclosed data, reinforcing the pattern of decentralized data hosting observed throughout the investigation.

Beyond data hosting, StealthMole also identified two onion-based negotiation portals associated with the operation:

  • secxrosqawaefsio3biv2dmi2c5yunf3t7ilwf54czq3v4bi7w6mbfad.onion
  • am26uhnrvhikyekz7h5qgjhv6x4arnzpcr2tw4wxqdg7hw525xs4o2qd.onion

These portals appear to facilitate direct communication between RansomHouse and affected organizations, complementing the public-facing leak site and supporting the negotiation process described within the group's FAQ.

More Than Just a Hash

While the infrastructure analysis revealed how RansomHouse managed its public-facing operations, StealthMole also uncovered a technical artifact that offered another avenue for investigation. Unlike onion domains or communication channels, malware hashes can serve as persistent identifiers, helping investigators associate malicious files with related infrastructure and previously observed activity.

During the investigation, StealthMole identified the following SHA-256 malware hash associated with RansomHouse:

  • efe27717*****************************************6a582

Rather than examining the hash in isolation, it was used as the next investigative pivot. This led to the discovery of another onion domain:

  • jqmxd4j***************************************fktqd.onion

Although the domain appeared in connection with the malware artifact, the available evidence did not conclusively establish that it belonged to RansomHouse. No additional infrastructure, communication channels, or operational artifacts were identified that could confidently attribute the onion service to the group.

For that reason, the domain has been retained as an investigative lead rather than a confirmed component of the RansomHouse ecosystem. Maintaining this distinction is important, particularly in cyber investigations where infrastructure may be shared, repurposed, or coincidentally linked through third-party reporting. Treating every associated artifact as confirmed infrastructure risks creating inaccurate attribution.

Beyond the Onion

By this stage, the investigation had revealed a substantial network of websites, file servers, and negotiation portals supporting RansomHouse's public operations. However, ransomware groups rarely rely on websites alone. Communication platforms often provide a more dynamic view of how these groups announce new victims, interact with followers, and direct users across their infrastructure. With this in mind, the investigation expanded into StealthMole's Telegram Tracker to identify any channels or accounts associated with RansomHouse.

One of the first artifacts identified was the Telegram channel:

  • https://t.me/ransom*******e

The channel primarily served as a public announcement platform, publishing updates on newly disclosed victims while directing users back to the group's onion infrastructure. During its investigation, StealthMole also identified another RansomHouse-branded onion domain referenced through the channel:

  • xw7au5pnwtl6lozbsudkmyd32n6gnqdngitjdppybudan3x3pjgpmpid.onion

Although the domain is now inactive, its discovery further supports the observation that RansomHouse maintained multiple public-facing portals throughout its operation.

The investigation then shifted to another Telegram artifact:

  • https://t.me/R********s

Unlike the announcement channel, this account contained very little publicly available information. No significant digital footprint or public activity was observed, suggesting that it primarily functioned as a point of contact rather than a channel used for publishing operational updates.

Further analysis led to https://t.me/RH****s, which proved to be considerably more active. StealthMole identified both the associated user account @RH******s and the public Telegram channel of the same name. Historical records also showed that the account had changed its username on three separate occasions, indicating that its identity had evolved over time while remaining connected to the group's communication ecosystem.

Within the channel, investigators also identified an invitation to a private Telegram group named RH_Group:

  • https://t.me/+VzR**********DUx

Alongside the invitation, the channel directed users to @RH******s as the primary contact point, illustrating how RansomHouse separated public announcements from direct communication.

Conclusion

What began as a routine review of a ransomware operation in StealthMole's Ransomware Monitoring module quickly evolved into a broader investigation of RansomHouse's digital footprint. Rather than identifying a single leak site, the investigation uncovered an interconnected ecosystem consisting of historical mirror domains, dedicated file servers, negotiation portals, malware artifacts, and a structured Telegram presence that supported the group's public operations.

The findings also highlight an important aspect of cyber threat investigations: the visible leak site is often only one component of a much larger infrastructure. By following each investigative pivot, it was possible to reconstruct parts of RansomHouse's operational ecosystem that are no longer publicly accessible, while also distinguishing verified infrastructure from artifacts requiring further validation. Maintaining this level of attribution discipline is essential, particularly when infrastructure overlaps or redistributed content can easily create misleading associations between unrelated threat actors.

This investigation demonstrates how StealthMole enables analysts to move beyond individual ransomware incidents and develop a broader understanding of how threat actors build, maintain, and adapt their digital infrastructure over time. By connecting historical records, dark web infrastructure, malware artifacts, and communication channels, investigators can reconstruct operational ecosystems that would otherwise remain fragmented across multiple sources.

Editorial Note

Attributing cybercriminal infrastructure is rarely straightforward. Domains are abandoned, communication channels change, and leaked data is frequently redistributed by unrelated actors, making careful validation an essential part of any investigation. This case illustrates StealthMole allows investigators to piece together a more complete picture while avoiding unsupported attribution, reinforcing the importance of evidence-driven intelligence throughout the investigative process.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


Labels: ,

The Mosad Playbook: How One Alias Built a Cross-Platform Leak Network

Underground data leak operators rarely rely on a single platform. To reach buyers, build credibility, and keep their content available despite takedowns or forum closures, they often maintain a presence across multiple forums, encrypted messaging platforms, and mirrored communities. What begins as a single leak advertisement can quickly branch into a much larger network of accounts, channels, and communication points that are designed to reinforce one another.

This investigation began with the alias Mosad, an active seller advertising alleged government, military, and law enforcement datasets across several underground forums. Rather than examining the advertised leaks in isolation, the investigation followed the digital trail left behind by the alias itself. By pivoting across forum profiles, Telegram channels, and shared identifiers, it became possible to map a broader ecosystem that extended well beyond individual posts.

The findings show how a single underground identity can establish a coordinated presence across multiple platforms, using interconnected infrastructure to distribute content, promote new leak announcements, and direct users toward associated communities. This report documents that network and demonstrates how following one alias can uncover a much wider operational footprint than initially appears.

Following the First Lead

The investigation began after Mosad was flagged in StealthMole's Suspect Tracker as a database seller. To understand whether the alias was associated with a broader operation, the first step was to search the username across StealthMole's datasets rather than focusing on a single forum post.

An initial search in Leaked Monitoring returned 36 listings published between April and June 2026, many of which advertised alleged government, military, and law enforcement data. Instead of targeting a single country or organization, the listings referenced a wide range of sensitive material, including documents allegedly linked to intelligence agencies, diplomatic communications, defense organizations, and police departments. The volume and consistency of these advertisements suggested that Mosad was maintaining an active presence rather than promoting a one-off leak.

To better understand how these listings were being distributed, one of the advertisements was selected for closer examination. Beyond the advertised dataset itself, the thread contained several communication points, including a Telegram account, along with additional identifiers that could be used to trace the actor across other platforms. Rather than marking the end of the investigation, the forum post became the first pivot into a much larger network.

  • https://darkforums.**/Thread-Selling**********1B-Revenue-FOR-SALE

The First Pivot

The DarkForums thread titled "Selling 80k+ Working Access to Fortune Companies ($1B+ Revenue) FOR SALE" was selected for closer examination as it offered more than a typical marketplace advertisement. While the post promoted access to compromised corporate environments, it also served as a central point for directing prospective buyers toward the actor's preferred communication channels. Unlike many underground listings that simply advertise a product, this thread exposed several operational identifiers that could be used to continue the investigation beyond the forum itself.

The thread was further analyzed using StealthMole's Dark Web Tracker, which extracted the communication points embedded within the page. The following identifiers were recovered:

  • Telegram: https://t.me/m*********d
  • Jabber: c******@jabber.fr
  • Session ID: 0520*************************************15c696b
  • TOX ID: AA39*******************************************5007

The thread also reflected a posting style that appeared repeatedly throughout the investigation. In addition to the sale advertisement, it included preview material intended to demonstrate the value of the offering, a consistent profile image associated with the alias, and clearly defined communication channels for buyer engagement. These recurring elements suggested that the advertisement was part of a structured operational approach rather than an isolated forum post.

At this stage, the communication identifiers themselves were more valuable than the advertised dataset. Each represented a potential pivot into another platform or service, allowing the investigation to move beyond individual forum advertisements and begin reconstructing the broader infrastructure supporting the Mosad alias.

One Alias, Many Forums

The communication identifiers recovered from the initial DarkForums advertisement became the next investigative pivot. Using StealthMole's Dark Web Tracker, the username mosad was searched across indexed underground forums to determine whether the actor maintained additional identities or advertisements elsewhere.

The search revealed that the same alias maintained a widespread presence across multiple underground communities. Rather than operating from a single marketplace, Mosad was found advertising alleged government, military, intelligence, and law enforcement datasets while maintaining profile pages across numerous forums.

  • https://shieldforum.***/members/mosad****/
  • https://demonforums.****/mosad
  • https://spear.**/***mosad
  • https://pwnforums.**/****mosad
  • https://breachforum.**/***mosad
  • https://breached.**/***mosad
  • https://breached.**/members/mosad***/
  • https://darkforums.**/**mosad
  • https://raidforums.***/****mosad

The same search also uncovered advertisements distributed across multiple underground forums, including:

  • https://shieldforum.***/threads/rus-secret-fsb-ukraine*******25/
  • https://breached.**/threads/rus-secret-fsb-ukraine***********35/
  • https://darkforums.**/Thread-DATABASE-USA-New-York**********LEAK
  • https://spear.**/Thread-Free-NATO**********************GREENLAND
  • https://pwnforums.**/Thread-DOCUMENTS************************LEAK
  • https://xforums.**/threads/usa-virginia***********************25/

Across these posts, several recurring characteristics emerged. The advertisements consistently focused on alleged government, military, intelligence, and law enforcement material, while the same profile image and @mosad branding appeared repeatedly. Sample images of the purported datasets were also embedded within several listings, including documents presented as classified South Korean defense material bearing repeated @mosad watermarks. Together, these recurring artifacts reinforced the consistency of the alias across otherwise independent underground communities.

Following the Breadcrumbs

The investigation did not end with the forum advertisements. Several of the recovered artifacts pointed directly to Telegram, suggesting that the forums were primarily being used to attract attention, while communication and content distribution continued elsewhere. Each Telegram identifier recovered during the previous stage was used as a new investigative pivot within StealthMole's Telegram Tracker.

The first pivot began with the Telegram account advertised in the DarkForums thread:

  • Telegram: https://t.me/m*********d

From there, the investigation identified an interconnected network of Telegram channels and communities associated with the alias.

Telegram infrastructure identified during the investigation:

  • Mosad Leaks
    • https://t.me/B*********h

  • Mosad Intelligence Agency
    • https://t.me/be************e
    • Also advertised as: https://t.me/d*****r

  • InsideMossad
    • https://t.me/*********d

  • Telegram Chat Folder
    • https://t.me/addlist/**************k
    • Folder title: Mosad Groups

Rather than operating independently, these Telegram assets consistently referenced one another. The Mosad Groups chat folder bundled the three primary Telegram assets into a single subscription folder, allowing users to join the actor's entire communication ecosystem in one step.

This same chat folder was repeatedly embedded within multiple underground forum advertisements, alongside download links and community invitations, indicating that it formed a deliberate part of the actor's distribution strategy rather than serving as an isolated Telegram feature.

Further examination of the Telegram channels revealed additional communication artifacts that had not appeared during the initial forum analysis.

Additional identifiers recovered from Telegram included:

  • Matrix: @m*******g:matrix.org

The investigation also confirmed the continued use of previously identified communication points across the Telegram ecosystem:

  • Telegram: @mosad
  • Jabber: calimao@jabber.fr
  • Session ID: 052009b60169e247022a0f929a8a698d8551655e936cbc0103fd59d9e8315c696b
  • TOX ID: AA397F6879FEC8A52CCDFEC3F4B816E61F0104E6D0FEB3AFD5D29B918A2A0232A5011FB15007

Rather than introducing new identifiers for each platform, the repeated use of the same communication artifacts across forum advertisements and Telegram channels strengthened the attribution of these assets to the same operational identity. Instead of functioning as separate communication channels, the forums and Telegram infrastructure appeared to reinforce one another, creating a consistent pathway for buyers to move from public advertisements into the actor's broader ecosystem.

A Network That Reinforces Itself

By this stage of the investigation, it had become clear that Mosad's infrastructure extended beyond maintaining accounts on multiple forums or operating several Telegram channels. Instead, the various platforms functioned as a coordinated ecosystem, with each reinforcing the others and directing users toward additional communication channels.

One of the strongest indicators of this coordination was the user Telegram account, which appeared consistently throughout the investigation. The same account was advertised within forum posts, referenced across multiple Telegram channels, and identified within the InsideMossad community. The account also reused the same profile image that appeared across the actor's underground forum profiles, providing a consistent visual identity regardless of platform.

Within the InsideMossad community, the actor also promoted additional underground profiles, further expanding the identified infrastructure.

Forum profiles shared directly by the actor included:

  • https://darkforums.***/*****mosad
  • https://spear.***/******mosad
  • https://leakforum****/mosad
  • https://patched**/User/mosad****y
  • https://voided.***/mosad

Unlike profiles discovered through independent searching, these accounts were promoted directly from the actor's own Telegram community, strengthening the association between the various identities.

The investigation also identified a PGP-signed announcement published within the Mosad Intelligence Agency channel stating that m*****d was the only Telegram account the actor intended to use. While the signature itself was not independently verified during this investigation, the statement demonstrated an effort to establish a single trusted communication channel and reduce the risk of impersonation.

The investigation revealed a deliberate operational model. Underground forums were used to publish advertisements and attract potential buyers, while Telegram served as the primary communication hub through dedicated channels, community discussions, and centralized contact points. Rather than existing as isolated assets, the forums, Telegram channels, chat folder, and recurring communication identifiers formed a self-reinforcing network that allowed the Mosad alias to maintain a consistent presence across multiple underground platforms.

Conclusion

What began as the investigation of a single database seller evolved into the mapping of a coordinated cross-platform infrastructure. Starting with an alias identified in StealthMole's Suspect Tracker, each successive pivot revealed another layer of the actor's operational footprint, extending from underground forum advertisements to interconnected Telegram channels, community groups, and recurring communication identifiers.

Rather than relying on a single marketplace or communication platform, Mosad maintained a distributed presence that allowed advertisements, user profiles, and messaging channels to reinforce one another. Consistent branding, repeated contact identifiers, and self-promoted profiles created a recognizable digital identity that persisted across multiple underground communities. While the authenticity of the advertised datasets was outside the scope of this investigation, the infrastructure supporting the alias was both extensive and consistently maintained.

This investigation demonstrates how seemingly routine marketplace advertisements can provide the starting point for uncovering a much broader operational ecosystem. By correlating forum activity, messaging platforms, and shared identifiers, StealthMole transformed a single alias into a detailed map of the actor's cross-platform presence, providing analysts with a clearer understanding of how underground operators build visibility, maintain communication, and extend their reach beyond any single platform.

Editorial Note

Attribution within underground communities is rarely straightforward. Threat actors frequently reuse aliases, migrate between platforms, and adopt new communication channels to maintain their presence or avoid disruption. While no single artifact is sufficient to establish attribution on its own, correlating multiple independent indicators can reveal meaningful relationships that would otherwise remain hidden.

This investigation highlights how StealthMole's ability to connect data across forums, Telegram, and other underground sources helps analysts move beyond isolated observations and develop a more complete understanding of an actor's operational footprint.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com



Labels: ,

Learn more about StealthMole

Talk to our team of experts today to learn how you can manage your dark web exposure.
Request demo More Reports

Share this report