Following BadBox 2.0 Artifacts: The Zhu Zhiyu Trail

In early 2026, widespread reporting brought renewed attention to BadBox 2.0, a large-scale Android botnet embedded primarily in low-cost consumer devices such as TV boxes and media players. Investigations highlighted how the botnet leveraged preinstalled malware and backend control infrastructure to enable activities ranging from ad fraud to proxy abuse, often without the device owner’s awareness. Much of the public focus understandably centered on the technical mechanics of the operation: its scale, persistence, and the challenges of disrupting a supply-chain based threat.

Alongside those technical findings, reporting also exposed fragments of human-facing artifacts visible within operational systems, including administrative panels, usernames, and email addresses. These elements, while not central to the botnet’s functionality, offered rare glimpses into the identities interacting with or present around the infrastructure.

This investigation was conducted to examine how far those fragments could be followed using StealthMole alone. Starting from identifiers already published in a KrebsOnSecurity report, specifically email addresses visible inside a BadBox 2.0 control panel screenshot, the goal was not to re-investigate the botnet itself, but to assess how operational artifacts propagate across unrelated datasets when identities are reused over time.

One such identifier became the starting point for this identity trail. What followed was a dense, internally consistent cluster of leaked records spanning Chinese consumer platforms, Western breach datasets, travel records, and social media accounts, repeatedly converging on a single individual: Zhu Zhiyu (朱志宇), also appearing under the English name Xavier Zhu.

Panel-Linked Identifier and Initial Expansion

The investigation began with xavierzhu@qq.com, an email address visible within a BadBox 2.0 control panel screenshot published by KrebsOnSecurity. Its presence in the administrative interface placed it squarely within the operational context of the botnet, making it a suitable anchor for further analysis.

When queried through StealthMole’s dark web tracker, this address appeared in multiple leaked datasets. Several of those datasets also referenced cathead@gmail.com, an email already established in the Chen Daihai investigation, indicating early overlap between administrative identity clusters rather than isolated usage.

Across these datasets, xavierzhu@qq.com repeatedly resolved to:

• Name: Zhu Zhiyu (朱志宇)
• Username/handle: xavierzhu
• Mobile phone number: 13*********9
• Hash/ID field: 97b8********************************e0
• A government-style identification number: 21*****************1

The consistency of these identifiers across different breach sources suggested long-term reuse rather than one-off exposure, immediately elevating the relevance of the identity behind the email.

Gmail Pivot and Cross-Regional Exposure

Pivoting on the phone number: 13********9 revealed a second core address: xavierzhu@gmail.com. This Gmail account significantly broadened the investigation’s scope, appearing in approximately three dozen leaked datasets spanning Chinese consumer platforms and international services.

A JD.com dataset associated the Gmail address with:

• Chinese name: 朱志宇
• Phone numbers: 13************9 and 010********3

Separately, a breach attributed to MGM Grand Hotels listed:

• Name: Xavier Zhu
• Date of birth: 26 October 1986
• Address: Northville, Michigan, USA
• Email: xavierzhu@gmail.com

The convergence of Chinese-language retail data and an English-language hospitality dataset is significant. The reuse of the same Gmail address and phone numbers across both contexts strongly indicates a single individual operating across regions, rather than coincidental overlap or name collision. This dual exposure also suggests that the identity associated with BadBox-linked artifacts was not confined to underground or operational systems, but actively used in mainstream consumer environments.

Social Media Presence and Temporal Persistence

Further enrichment linked xavierzhu@gmail.com to a Twitter account, @x*********1, created in 2017. While the account showed no public posts or visible engagement, its existence adds temporal depth to the identity cluster, demonstrating sustained use of the same naming conventions and email infrastructure over several years.

In investigations of operationally sensitive identities, low-activity or dormant social media accounts are frequently observed. Rather than serving as public personas, such accounts often function as recovery anchors, registration artifacts, or identity placeholders. When viewed alongside repeated credential exposure elsewhere, the account aligns with a pattern of long-term identity persistence rather than casual use.

Credential Exposure and Identity Convergence

Beyond account records, credential-style dumps and combo binder results played a critical role in collapsing the remaining distance between identity variants. Searches conducted across StealthMole revealed extensive credential exposure associated with xavierzhu@gmail.com, including nearly one hundred leaked password entries.

More importantly than the volume itself was the pattern of reuse. The same passwords appeared repeatedly across:

• xavierzhu@gmail.com
• zhuzhiyu@gmail.com

These repetitions occurred across unrelated breach sources, indicating long-term credential reuse rather than a single compromised platform. Such reuse effectively tied together Gmail, QQ, and auxiliary email identities into a single control cluster, reinforcing the conclusion that they were managed by the same individual.

From an analytical standpoint, this pattern is significant. Credential reuse across personal, professional, and operational contexts increases the likelihood that exposure in one environment can compromise others. In the case of BadBox 2.0, it provides a plausible explanation for how administrative identifiers surfaced publicly in the first place.

Additional Identity Surface: Zhu Zhiyu Variants

Further searches using the Chinese name 朱志宇 uncovered an additional email address: zhuzhiyu@gmail.com, associated with:

• Phone number: 13*************4
• Address: 2nd Floor, Building 12, Gudang Science & Technology Park, No. 38 Zijinhua Road

This address appeared consistently across multiple Chinese-language datasets, including e-commerce records. The presence of a structured science and technology park address suggests usage in a professional or semi-professional capacity rather than casual registration.

Credential dumps linked to zhuzhiyu@gmail.com showed password reuse consistent with patterns observed in the xavierzhu@gmail.com account, further reinforcing the convergence of these identities. Additional records also referenced a numeric email variant (13**********4@163.com), a common practice in Chinese online ecosystems, again tied to the same phone number.

Conclusion

Starting from a single email address visible in a BadBox 2.0 control panel screenshot published by KrebsOnSecurity, this investigation demonstrates how operational artifacts can be expanded into a comprehensive identity trail when examined through leaked and underground data sources. In the case of Zhu Zhiyu, panel-linked identifiers unfolded into a persistent cluster spanning QQ accounts, Gmail addresses, phone numbers, credential dumps, consumer platforms, and international breach data.

While much of the foundational linkage between these identifiers and BadBox 2.0 had already been established through public reporting, the StealthMole-driven analysis surfaced additional depth. This included the scale of credential exposure, repeated password reuse across identity variants, the existence of a long-standing Twitter account, and the alignment of Chinese and U.S.-based records under a single individual.

Collectively, these findings reinforce a broader pattern observed in BadBox 2.0–related investigations: the most durable links between infrastructure and operators often emerge not from malware or servers, but from human behaviors, credential reuse, identity persistence, and the quiet accumulation of exposure across years of online activity.

Editorial Note

Investigations involving the dark web and leaked data rarely offer absolute certainty. Records may be incomplete, outdated, or partially inaccurate, and attribution must always be approached with caution. This case illustrates how StealthMole helps analysts navigate that uncertainty by correlating fragmented data across sources, allowing patterns to emerge while preserving analytical restraint.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com

Tracing Identity Exposure Around BadBox 2.0: The Chen Daihai Case

In early 2026, widespread reporting brought renewed attention to BadBox 2.0, a large-scale Android botnet embedded primarily in low-cost consumer devices such as TV boxes and media players. Investigations highlighted how the botnet leveraged preinstalled malware and backend control infrastructure to enable activities ranging from ad fraud to proxy abuse, often without the device owner’s awareness. Much of the public focus understandably centered on the technical mechanics of the operation: its scale, persistence, and the challenges of disrupting a supply-chain based threat.

Alongside those technical findings, reporting also exposed fragments of human-facing artifacts visible within operational systems, including administrative panels, usernames, and email addresses. These elements, while not central to the botnet’s functionality, offered rare glimpses into the identities interacting with or present around the infrastructure. However, beyond brief mentions, little was publicly documented about how far those identifiers extended outside the immediate BadBox context.

This report documents an identity-centric investigation conducted using StealthMole, starting deliberately from one such publicly shared artifact: a BadBox 2.0 control panel screenshot featured in a KrebsOnSecurity report. Rather than attempting to re-attribute the botnet or expand on its technical architecture, the investigation set out to explore a narrower question: what additional context becomes visible when already-reported identifiers are traced across leaked and underground datasets.

By following those data trails, the investigation surfaced a dense and recurring cluster of exposed identifiers that consistently converged on a single name: Chen Daihai (陈代海).

Incident Trigger and Initial Investigation

The investigation was initiated using a screenshot of a BadBox 2.0 control panel published by KrebsOnSecurity. One visible element within that screenshot was an administrator email address:

• 189308024@qq.com

This email was used as the starting point and searched within StealthMole’s dark web tracker. The query returned two leaked datasets containing identical records tied to the address.

Using StealthMole’s AI MoleChat feature, the following associations were observed within the same dataset entry:

• Linked QQ identifier: 189308024
• Linked phone number: 18681627767

Subsequent searches for the phone number returned nine leaked files. However, across all results, the only recurring identifier linked to the number was the same internal ID 189308024, indicating a tightly scoped identity cluster rather than broad reuse.

Expansion of the Chen Daihai Identity Cluster

Further searching of the internal identifier 189308024 revealed an additional leaked document containing Chinese-language records. One dataset associated this identifier with:

• Name: Zh***g Zh******n (张***)
• ID number: 53***************51

While recorded, this identity was not linked to any further BadBox-related artifacts and was treated cautiously as potentially unrelated noise.

Attention then shifted to another email visible in the original control panel screenshot, listed under the username “Chen”:

• 34557257@qq.com

A StealthMole search returned eight leaked files referencing this address. These records consistently associated the email with:

• Phone number: 13911118349
• QQ number: 34557257
• Timestamped Tencent-derived records (May 2023)

Two additional datasets linked this same email as a corporate contact address for two Beijing-based entities:

• Beijing Hong Dake Wang Science and Technology Co., Ltd.
  • Website: meisvip.net

• Beijing Heng Chuang Shixun Yidong Chuanmei Technology Co., Ltd.
  • Website: motuw.cn

The same email address also appeared in several credential-style data dumps, including entries with plaintext email–password pairings. In addition, one dump contained a combined username and email string that included “d****c,” matching the name referenced in the Krebs report. Notably, a specific password string recurred across multiple records:

• Password: cdh761111
• d*****c~|^34557257@qq.com~|^...:j****b~|^1*.*.*.**2

Credential Reuse and Alias Correlation

The password cdh761111 was pivoted through StealthMole’s combo binder and was found reused across multiple accounts, including:

• cathead@gmail.com
• daihaic@gmail.com
• d******@gmail.com

The Gmail address cathead@gmail.com appeared in 28 leaked datasets. One JD.com consumer dataset listed:

• Username: cathead
• Name: Chen Daihai (陈代海)
• Phone: 13**********9

A separate Twitter dataset linked the same email to the handle Ky*********d, created in January 2014 and later suspended. Additional casing variants of the Gmail address were also found associated with the same Twitter account.

• https://twitter.com/Ky*******d

Further searching of 陈代海 returned over 500 leaked records, reflecting aggregation across multiple datasets rather than a single source. Among these, one document labeled “China ID_8” stood out due to the nature and structure of the information it contained. The record listed a full residential entry, including a granular village-level address:

• Name: Chen Daihai (陈代海)
• Phone: 15**********5
• Address: Sa*****g Village, Group 3, D*****u Town, B*****n County (璧**********组)

The format of this address is consistent with how personal household registrations and rural residential records are commonly represented in Chinese administrative and civic datasets. The inclusion of village name, group number, town, and county, rather than a commercial building or street-level office address, suggests that this entry is more likely to reflect a private residence than a workplace or service location.

Unlike previously observed Beijing-based records tied to corporate or work-unit contexts, this entry points to a locality outside major urban business districts, reinforcing its characterization as a personal address.

Corporate and Work-Related Exposure

An additional email address surfaced when searching Chen Daihai’s Chinese name:

• cathead@astrolink.cn

This address appeared in a dataset describing a work/unit address in Beijing:

• Address: Room 801, Luban Building, No. 1 Yard, Dingfuzhuang Beili, Chaoyang District, Beijing
• Phone numbers: 13*********9, 13***********5

This finding is analytically notable because it aligns with earlier reporting by KrebsOnSecurity, which referenced Chen Daihai in the context of a Beijing-based workplace during its examination of BadBox 2.0 related entities.

While this investigation does not introduce new claims about organizational involvement, the convergence of a work-domain email, a physical office address in Chaoyang District, and previously observed phone numbers reinforces the consistency of the identity cluster across both consumer and professional contexts.

Conclusion

This investigation began with identifiers already publicly tied to BadBox 2.0 through reporting by KrebsOnSecurity, specifically email addresses visible within a BadBox control panel screenshot. Rather than attempting to expand attribution or revisit the botnet’s technical operation, the primary objective was to evaluate how effectively StealthMole could track, correlate, and contextualize those same identifiers across leaked and underground datasets. By constraining the investigation to artifacts already established in public reporting, the analysis deliberately focused on validation, expansion, and visibility rather than discovery.

In practice, much of the identity-related data surfaced through StealthMole aligned closely with what had already been referenced in prior reporting, including repeated email usage, credential reuse, and associations with corporate contact records. The principal additions introduced by this investigation were the identification of a personal residential address tied to Chen Daihai through leaked administrative datasets, and the discovery of a previously undocumented Twitter account linked to the same identity cluster.

While these findings do not alter the underlying BadBox narrative, they demonstrate how StealthMole enables deeper tracking of identity exposure once operational artifacts become public, highlighting both the breadth of available context and the value of disciplined correlation when following high-profile cybercrime-linked identifiers.

Editorial Note

Investigations involving the dark web and leaked data rarely offer absolute certainty. Records may be incomplete, outdated, or partially inaccurate, and attribution must always be approached with caution. This case illustrates how StealthMole helps analysts navigate that uncertainty by correlating fragmented data across sources, allowing patterns to emerge while preserving analytical restraint.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com

From Yab Yum to Daulatdia: Tracing the Infrastructure of a Dark Web Prostitution Platform

The investigation began with the discovery of an onion service presenting itself as Daulatdia Brothel, discovered incidentally during analysis of unrelated dark web activity. The site claimed to offer on-demand sexual services and positioned itself as an established operation rather than a newly created platform. At the time of discovery, there was no clear indication of who operated the service, how long it had been active, or whether it existed beyond a single domain.

Initial investigation raised subtle but important questions. The platform appeared more structured than many transient dark web listings, yet its presentation and claims did not fully align with its visible footprint. Certain elements suggested the service might not be confined to a single domain, prompting a broader examination of its digital presence rather than its advertised offerings.

As the investigation expanded, attention shifted away from the content of the site itself and toward the traces surrounding it, where the service appeared, how it was referenced elsewhere, and what technical artifacts persisted beyond the main page. These early indicators suggested that the Daulatdia-branded site might represent only one stage in a longer operational history.

This report follows that trail. By examining the infrastructure, external references, and financial touchpoints associated with the platform, the investigation seeks to reconstruct how the service emerged, evolved, and maintained continuity within the dark web environment, based solely on verifiable evidence.

Incident Trigger and Initial Investigation

The investigation was triggered when an onion URL surfaced during a separate dark web inquiry. The link appeared under the label “SlaveBay,” a third-party reference rather than a name used by the service itself.

• b33y***************************************************eid.onion

When analyzed using StealthMole’s dark web tracker, the onion service was found to identify itself directly as “Welcome to Daulatdia Brothel.” The site claimed association with Daulatdia, Bangladesh, and advertised sexual services through a structured interface rather than a single static page. At this stage, the platform’s legitimacy, scope, and longevity were unknown.

Further contextual checks revealed that the same onion URL was mentioned in a Telegram channel, where it was described as a probable scam. This conflicting external characterization introduced early ambiguity, reinforcing the need to rely on infrastructure-level evidence rather than surface claims.

Given the discrepancy between the site’s apparent structure and its disputed reputation, the investigation shifted toward determining whether the platform existed elsewhere, had historical continuity, or shared infrastructure with other services.

Platform Structure and Internal Functionality

With the initial Daulatdia-branded onion service identified, the next step was to understand whether the platform functioned as a simple advertisement or as an operational service. So, we decided to run the first identified domain through StealthMole’s darkweb tracker. Consequently, another related domain appeared with the same interface.

• yabyum***********************************************gpqd.onion

Beyond the landing page, the platform also exposed a login interface, a publicly accessible forum, and individual user profile pages, including a visible account under the username Nameless1. These elements suggested that the service was designed to support user accounts and repeat engagement rather than one-off contact. An FAQ section and a page discussing short-term accommodation, including Airbnb rentals, further reinforced the impression of a platform attempting to present itself as organized and service-oriented.

The forum was explicitly described as unmoderated. Threads visible at the time of investigation showed users openly requesting sexual services by geography and preference. Whether these requests resulted in real-world interactions could not be verified, but the design choice itself was telling. By hosting requests internally rather than pushing users immediately to external messaging platforms, the service positioned itself as a central coordination point rather than a passive directory.

Marketplace Presentation and Media Artifacts

As the investigation moved deeper, StealthMole’s media indexing capabilities revealed additional details about how the platform presented its offerings. Multiple image assets were discovered under user-associated directories, consistent with listing or profile imagery rather than generic decoration.

Several of these images carried embedded labels such as MACDADDYPIMP, Lonely_cuties, Lupin, and SupplyForKids. The repetition and formatting of these labels suggested deliberate categorization, likely intended to segment listings or personas within the marketplace. While the indexed images themselves did not contain explicit sexual content, their structured presentation aligned with how illicit service marketplaces commonly organize offerings for browsing and selection.

At this stage, the focus remained on what could be observed directly: the platform behaved like a marketplace, with persistent listings, categorized personas, and infrastructure built to support discovery and comparison, regardless of how effective or legitimate those offerings ultimately were.

Historical Footprint and Rebranding Indicators

Questions about the platform’s longevity were addressed through historical indexing. This process revealed that the Daulatdia-branded service had not emerged in isolation. The same infrastructure had previously operated under the name Yab Yum, using identical layouts, content structure, and service descriptions.

Several onion domains were associated with this earlier phase, including:

• B33yiqlhpysykamkyzeerxz4yishmelo5fruityj543jlnn6silna2ad.onion
• 4ogv76w42wjhv5zloluegzcpte7trrzxkbugqy7vvtismws4zm5zzmid.onion
• 4ogv76w4nm5egekasxxudinby3uhowv6mt2pjtp2zcbrdsrdb65fp4id.onion

All three were offline at the time of investigation, but historical snapshots showed them hosting the same platform that later appeared under the Daulatdia identity. Rather than indicating unrelated copycat sites, the consistency across these domains pointed to deliberate mirror deployment and domain rotation.

During its Yab Yum phase, the platform also promoted a USD 2,000 weekend trip to Daulatdia, Bangladesh. The offer was framed as a bundled experience rather than casual travel advice, implying a level of coordination beyond simple online introductions. While there was no evidence that such trips were ever executed, their promotion provided insight into how the platform sought to position itself: as an organized service with international reach.

Operator Signals and Infrastructure Continuity

As the investigation expanded beyond domains, attention turned to identifying stable operator-linked artifacts. Two email addresses were recovered from the platform’s content across different iterations:

• h******@notmail.com
• hp****@mail2tor.com

One of these, h*****@notmail.com, was associated with the PGP fingerprint:

• 3DC*************************************FE

This cryptographic identifier became a key pivot point. Unlike onion domains, which are frequently discarded, PGP keys often persist across infrastructure changes. Pivoting on this fingerprint led to the identification of another related onion domain, which was also offline at the time of analysis.

• b33******************************************rad.onion

The reuse of the same PGP key across multiple domains and branding phases provided a strong continuity signal. It suggested that the Daulatdia and Yab Yum platforms were not separate efforts but successive iterations managed under the same operational control.

Financial Infrastructure and Payment Readiness

Financial artifacts added another layer to this continuity. Analysis ofb33yiqlkdqa3scyxzvn6vbz5qsw7e7dzp3mizrknqeuv35bauuj6wrad.onionsurfaced a large number of Bitcoin wallet addresses linked to the platform. Among these were addresses such as

• Bc1q8x*******************************px43
• bc1qax*******************************3lnl
• bc1q2g*******************************qvfy
• bc1qut******************************va5ju
• bc1qry******************************s4py6
• bc1qzk******************************pnhhs
• bc1q4*********************************rnv7
• bc1qm*********************************md7h
• bc1qj*********************************rvrg
• bc1qa*********************************tu78

Most of the identified wallets showed no observable transaction history, suggesting either low usage or preparatory provisioning rather than active throughput. One address, however, displayed confirmed activity, distinguishing it from the broader set.

• bc1q4*******************************rnv7

A separate, Yab Yum–linked domain,4ogv76wvasufotajocqxlobk3bwsqi2loqd7znu4bkxqovov6pgr6oyd.onion,exposed an additional wallet:

• bc1q8****************************g8w

Taken together, the wallet infrastructure suggested deliberate readiness to accept cryptocurrency payments, even if actual usage appeared uneven.

External References and Promotion

The platform’s presence was not limited to its own onion infrastructure. One of the Yab Yum–associated domains was identified in a Telegram channel named Silent Cyber Force. In that context, the link was promoted explicitly as an online prostitution platform.

• 4ogv76w4nm5egekasxxudinby3uhowv6mt2pjtp2zcbrdsrdb65fp4id.onion

This reference was external and third-party in nature, but it demonstrated that the service circulated beyond passive dark web discovery. Whether promoted intentionally by the operator or shared organically, the appearance of the link in Telegram indicated that the platform was perceived as operational and worth advertising within adjacent communities.

Conclusion

Following the Daulatdia Brothel onion service back through its infrastructure revealed a platform that evolved rather than appeared suddenly. Through rebranding, mirror rotation, and reuse of core technical elements, the service transitioned from its earlier Yab Yum identity while maintaining operational continuity.

Stable artifacts, particularly a reused PGP fingerprint, recurring contact details, and shared backend structure, tied these iterations together more convincingly than any single domain could. Financial infrastructure and external promotion further suggested a platform built with persistence and scalability in mind, even if its real-world impact remains difficult to measure.

By focusing on infrastructure, identifiers, and contextual traces rather than the platform’s own claims, this investigation reconstructs how the service emerged, adapted, and sustained itself within the dark web environment.

Editorial Note

Dark web investigations rarely provide complete certainty. Services fragment their infrastructure, rotate identities, and allow components to lapse and resurface over time. This case demonstrates how methodical correlation of domains, cryptographic identifiers, financial artifacts, and external references can reveal continuity where none is immediately apparent, and how StealthMole enables such analysis without relying on speculation or assumption.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com

Old Data, New Actor: Investigating Solonik’s Alleged Instagram 17 M Leak

In early January 2026, a threat actor operating under the name Solonik began gaining attention across dark web forums and Telegram channels after advertising a large-scale Instagram data leak allegedly tied to a “2024 API breach.” The dataset was marketed as containing 17 million Instagram user records, including usernames, emails, phone numbers, and internal IDs. Given Instagram’s global footprint and the scale claimed, the leak quickly drew interest from buyers and researchers alike.

At first glance, Solonik appeared to be a rapidly emerging actor. StealthMole monitoring showed a sharp spike in activity associated with his handle, with dozens of leaks posted in a short time frame and multiple distribution channels emerging almost simultaneously. The pace, volume, and confidence of Solonik’s claims suggested either privileged access to new data sources or a coordinated effort to appear established.

However, as the investigation progressed, inconsistencies began to surface. While the dataset was promoted as new and tied to a 2024–2026 breach window, early indicators suggested that identical data samples had circulated years earlier. This raised the possibility that the “new” Instagram leak was not a fresh compromise but a recycled dataset being reintroduced under a different narrative.

This report documents how StealthMole was used to trace the origins, movement, and rebranding of this dataset across forums, Telegram channels, and domains, ultimately challenging Solonik’s claims and highlighting the growing trend of breach recirculation under false timelines.

Incident Trigger and Initial Investigation

The investigation began when Solonik published a thread titled “INSTAGRAM.COM 17M USERS — 2024 API LEAK (USERNAMES, EMAILS, PHONES, IDS)” on Dark Forums.

• https://darkforums.****/Thread-INSTAGRAM-COM-17M****Solonik-****

To assess the actor’s credibility and scale, the identifier Solonik was queried through StealthMole’s Leaked Monitoring module. This revealed that between 7 January 2026 and 20 January 2026, Solonik had been associated with leaks affecting approximately 105 distinct victims, ranging from social media datasets to regional institutional records. This level of activity suggested either a highly active reseller or a coordinated operation.

One of the earliest corroborating signals came from Solonik’s Telegram presence. Using StealthMole’s Telegram Tracker, the channel https://t.me/solonik_*****s was identified as a public-facing vouch and transaction channel. From there, StealthMole uncovered an additional invite-only Telegram group at https://t.me/+iS5*******k, where screenshots showed buyers negotiating prices, confirming cryptocurrency transactions, and receiving CSV database files.

Notably, this Telegram infrastructure had already been indexed by StealthMole under CVE-2025-14847 and CVE-2026-21858 linking Solonik’s ecosystem to previously flagged malicious distribution activity. This connection established that the actor was not operating in isolation and had already intersected with known high-risk Telegram clusters.

Expansion of Infrastructure and the “BAPHOMET” Reference

Further investigation into Solonik’s online footprint revealed the domain solonik.***, which was queried through StealthMole’s Darkweb Tracker. The results were significant: StealthMole indexed 999+ leaked files associated with this domain, many labeled with Instagram-related filenames such as Instagram@Solonik_BF.json.

Among these results, a second Instagram-related leak surfaced on 14 January 2026, tied to a BreachForums thread advertising 45K Korean Hospital Patient & System Records. In Solonik’s forum bio on this thread, he included the phrase “blessed by BAPHOMET.”

This phrase prompted a deeper investigation. Through Telegram tracking, StealthMole identified a video circulating in one of Solonik’s channels in which he screen-recorded a BreachForums interaction. In the video, a user identified as BAPHOMET thanked Solonik for previously disclosing information about an SQL vulnerability in the forum’s structure, specifically referencing the my tabs column.

The video also displayed BAPHOMET’s BreachForums profile, showing the account as permanently banned, but historically influential. The message claimed that Solonik had “saved” the forum from a breach years earlier and framed their interaction as proof of legitimacy and insider status. While the claim itself could not be independently verified, its inclusion served as a credibility signal aimed at potential buyers.

This was a critical turning point. The narrative was no longer just about a dataset, but about lineage, reputation, and implied authority within the breach ecosystem.

Data Lineage Analysis: Tracing the Instagram Dataset Backward

To validate Solonik’s claim that the Instagram data originated from a 2024 API breach, the dataset itself was examined. Using StealthMole’s Telegram Tracker, the keyword “Instagram Leak 17M Lines ⭐ ️” was queried across historical Telegram messages. This surfaced a forwarded message dated 2023-11-28, originating from the channel The Jacuzzi.

That forwarded message led directly to a LeakBase thread posted in March 2023 by a user named Chucky. The LeakBase snapshot showed the thread title “Json No Pass Cloud Instagram Leak 17M Lines”, with sample JSON entries containing usernames, emails, phone numbers, and IDs, structurally identical to the samples advertised by Solonik in 2026.

• https://leakbase.la/threads/instagram-leak-17*************/

Further comparison confirmed that the raw data fields, ordering, and sample values matched across the 2023 LeakBase post and Solonik’s 2026 offering. No new columns, timestamps, or indicators suggested that the dataset had been refreshed or expanded.

This same dataset appeared again in 2024 on Hydra Forums, posted by administrator Pavlov under the title “Instagram Leak 17M Lines ⭐️”:

• https://hydraforums.io/Threads-*****************************8F

The Hydra Forums snapshot showed the same JSON samples, confirming that the data had circulated unchanged for at least three years.

These findings directly contradicted Solonik’s framing of the leak as a “2024 API breach” and strongly indicated dataset recycling rather than a new compromise.

Chucky, Chucky_lucky, and Identity Overlap

Solonik later claimed in Telegram messages that his previous BreachForums account, “Chucky_lucky,” had been taken down by a moderator named L****i. To assess this claim, Chucky_lucky was queried in StealthMole’s Leaked Monitoring module. The results showed five victims, including a global jewellery brand breach from 2023.

This activity aligned temporally with the original LeakBase Instagram post by Chucky, strengthening the hypothesis that Chucky, Chucky_lucky, and Solonik may be connected. Additional Telegram channels reinforced this pattern, including https://t.me/chucky***f and https://t.me/chucky_*******a, where screenshots showed Chucky listed among the “richest users” on a forum consistent with BreachForums.

These overlaps do not conclusively prove shared ownership, but they demonstrate continuity in datasets, platforms, and monetization strategies. The repeated appearance of the same Instagram data under different aliases across years suggests deliberate rebranding rather than independent rediscovery.

Telegram Attribution and Iranian Infrastructure

The investigation expanded further when the Telegram channel https://t.me/solonik***t was analyzed. StealthMole identified a user Solonik BF. From this channel, a phone number was extracted: +98 9*********8. While usernames on Telegram are easily changed, user IDs are persistent, making this identifier particularly valuable for further analysis.

The country code +98 indicates Iran. When this number was queried through StealthMole’s Darkweb Tracker, it appeared in a file labeled Iran_Telegram.json, part of previously leaked Iranian Telegram datasets. This does not confirm Solonik’s physical location, but it provides a rare infrastructural linkage between his Telegram presence and known leaked data repositories.

This file is part of a broader collection of leaked Iranian Telegram user data and contains structured records linking phone numbers to Telegram usernames and internal user IDs. Within this dataset, the number is explicitly associated with the username Sa*****n, once again tied to user ID 46******7, conclusively linking the Iranian Telegram leak data to the same account now operating as @Solonik*****F.

Historical analysis of this Telegram user ID provided additional context. When user ID 4********7 was pivoted through StealthMole’s Telegram Tracker, earlier activity associated with the same identifier was identified. Records dating back to October 2022 show the account operating under the username @Sa*****n, with display names recorded as S**** / T***t. This confirms that the identity linked to Solonik predates the 2026 Instagram leak claims by several years, suggesting a long-standing Telegram presence rather than a newly created persona.

Further examination of historical Telegram data showed that this account had been active as early as October 2020, based on StealthMole’s historical indexing. This timeline places the operator well before the emergence of the Instagram dataset later circulated in 2023, 2024, and 2026. The persistence of the same user ID across multiple usernames reinforces the continuity of control over the account, even as outward-facing identities evolved over time.

Additional contextual signals emerged when this Telegram identity was traced across group interactions. The same user ID was referenced within a Persian-speaking Telegram group titled Tavern Club, accessible at https://t.me/g*******b. While participation in such groups does not independently confirm attribution, it further situated the account within an Iranian-language Telegram ecosystem.

Taken together, these findings strengthen the infrastructural linkage between Solonik’s Telegram presence and Iranian-linked Telegram data exposure. The reuse of the same Telegram user ID across multiple usernames, its appearance in leaked Iranian Telegram datasets, and its interaction within regionally aligned Telegram groups suggest operational continuity rather than coincidence. This infrastructure-level overlap does not definitively attribute Solonik to a specific individual or location, but it provides a consistent and traceable framework that aligns with other elements observed throughout the investigation.

Conclusion

The investigation demonstrates that the Instagram “17M users” dataset advertised by Solonik in January 2026 is not new. Through StealthMole’s historical indexing and cross-platform tracking, the data can be traced back to at least March 2023, with confirmed appearances in 2023 (LeakBase) and 2024 (Hydra Forums) before resurfacing in 2026.

Instagram has publicly denied any 2026 breach, further undermining Solonik’s claims. While Solonik has successfully leveraged volume, presentation, and reputation signaling to attract buyers, the underlying data tells a different story, one of recirculation rather than compromise.

Whether Solonik is the same individual as Chucky or Chucky_lucky cannot be stated with certainty. However, the continuity of datasets, platforms, Telegram infrastructure, and monetization patterns strongly suggests either direct identity overlap or close operational alignment.

Editorial Note

Attribution in dark web investigations is rarely absolute. Actors reuse data, identities fragments, and narratives are intentionally blurred. This case underscores how easily old breaches can be reframed as new incidents and how critical longitudinal visibility is in cutting through those claims. By correlating historical leaks, Telegram activity, and infrastructure signals, StealthMole enabled a clearer understanding of what was genuinely new, what was recycled, and where uncertainty still remains.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com