Inside the HellCat Access Ecosystem: Mapping Miyako’s Multi-Identity Operations

The HellCat ecosystem has emerged as a structured ransomware operation where different roles appear to be distributed across multiple actors rather than concentrated within a single identity. Public leaks, underground discussions, and platform activity suggest a model that depends not only on encryption and extortion, but also on a steady supply of compromised network access. This reliance introduces a supporting layer of actors whose role is to source, advertise, and transfer access into target environments.

During the course of investigating HellCat-linked activity, one name began to surface repeatedly in connection with this access layer: Miyako.

The actor was first observed within Telegram channels associated with access sales, where listings referenced high-value targets and sector-specific environments. What initially appeared to be a single account gradually expanded into a set of overlapping identities, each operating within the same channels or their successive versions. Across these instances, the messaging style, offerings, and timing remained consistent, suggesting continuity behind the changing profiles.

What makes Miyako particularly relevant is the apparent positioning within this broader structure. Rather than engaging in ransomware deployment or public leak announcements, the activity observed centers around the earlier stage of the intrusion chain, where access is introduced into the ecosystem. At the same time, the persistence of the identity across channel migrations, bans, and rebranding efforts indicates a deeper level of involvement than a one-off seller.

This report focuses on mapping Miyako as an operational persona within the HellCat landscape, tracing how the identity shifts, where it appears, and how its activity aligns with the ecosystem’s dependency on initial access.

Incident Trigger and Initial Investigation

This investigation began as a continuation of the broader HellCat ecosystem analysis.

While mapping infrastructure, actors, and supporting activity around HellCat, one name appeared repeatedly in the background: Miyako. Unlike more visible personas associated with leaks or coordination, this name surfaced in a different context, often tied to access-related discussions and listings. That recurring presence made it difficult to ignore.

Rather than treating it as another peripheral alias, the decision was made to follow the lead independently.

The first step was straightforward. The keyword “Miyako” was queried in StealthMole’s Leaked Monitoring tool to establish whether the actor had a measurable footprint across indexed breach activity. The results immediately stood out. A total of 71 victim entries were identified between January 2023 and September 2025, indicating sustained activity over an extended period rather than isolated posts.

More importantly, these entries were not confined to a single platform. Two primary sources appeared consistently:

  • https://breachforums.st
  • https://breachsta.rs

This distribution suggested that Miyako was operating across multiple forums rather than relying on a single identity or marketplace.

To move beyond aggregated listings, individual threads were examined. One of the earliest meaningful pivots came from the following post:

  • https://breachsta.rs/topic/access-online-casino-database-15000-users-q767ka1xzssz

The thread itself advertised access to a database containing approximately 15,000 users, aligning with the type of activity already observed in the monitoring results. However, the focus quickly shifted away from the dataset and toward the actor behind it.

Running the thread through StealthMole’s Dark Web Tracker revealed additional artifacts, including:

  • BreachStars profile: https://breachsta.rs/profile/miyako
  • Session ID: 058************************************e918

The session identifier was particularly important. This same ID had already surfaced during the earlier HellCat ecosystem investigation, linking Miyako to previously observed activity. Unlike usernames, which can be changed or abandoned, session identifiers tend to persist, making them a more reliable tracking point.

Thread-Level Analysis: Access Listings and Service Positioning

With the initial foothold established through BreachStars, the investigation moved toward examining Miyako’s activity across BreachForums to better understand how the actor operated beyond isolated listings.

One of the most relevant threads identified was:

  • https://breachforums.st/Thread-The-only-real-hacker-for-hire-service-on-breachforums

Unlike the earlier BreachStars post, which focused on a specific dataset, this thread presented a different model. Instead of advertising a single access point, Miyako positioned the offering as an ongoing service. The post invited users to submit target domains, with the promise of delivering access on request and payment expected after successful compromise.

This distinction was important.

Rather than acting purely as a reseller of already obtained data, the actor appeared to be offering on-demand access acquisition, indicating a more active role within the intrusion process.

Further examination of the thread revealed the same session identifier:

  • 0583*******************************************e918

The recurrence of this identifier across both BreachStars and BreachForums confirmed that the activity was tied to the same underlying operator, despite differences in platform and post format.

In addition to the session ID, the thread also introduced an external communication channel:

  • https://t.me/FreshAccess

This Telegram link marked a transition point. While the forum posts served as entry points for visibility, the inclusion of a direct channel suggested that further interaction, including negotiation, delivery, and coordination, was likely taking place off-platform.

The associated BreachForums profile provided additional context:

  • https://breachforums.st/User-miyako

The profile explicitly identified the role as Initial Access Broker, aligning with the behavior observed across both threads. The bio also referenced a HellCat-linked onion domain, reinforcing the connection to the broader ecosystem already established in earlier analysis.

Taken together, these elements begin to define Miyako’s operational position more clearly. The activity is not limited to isolated leaks or one-time sales. Instead, it reflects a structured approach centered around:

  • acquiring or sourcing access
  • advertising capability through forums
  • moving engagement to Telegram
  • fulfilling requests based on demand

At this point in the investigation, Miyako is no longer just a recurring name in monitoring results, but an actor operating with a defined role within the access layer that supports the wider HellCat ecosystem.

Session-Based Expansion: Multi-Platform Presence and Alias Evolution

With the session ID established as a reliable anchor, the next step was to expand the investigation beyond individual threads and map where else this identifier appeared.

The same session ID was queried across StealthMole’s Dark Web Tracker, which revealed a much broader footprint than initially expected.

Rather than being limited to a single forum or account, the identifier was associated with multiple profiles across different BreachForums domains, including:

  • https://breachforums.bf/User-miyako
  • https://breachforums.jp/User-miyako
  • https://breachforums.as/User-miyako
  • https://breachforums.st/User-miyako

At first glance, this could appear as separate instances of the same username across different platforms. However, these domains represent mirrored or parallel instances of the same forum ecosystem. The consistency of the session ID across these environments indicates persistence of the same actor rather than duplication by unrelated users.

Beyond exact username matches, variations of the identity also began to surface. These included:

  • https://breachforums.st/User-miyak0
  • https://breachforums.st/User-MIYAK000
  • https://breachforums.st/User-nastya-miyako

Despite differences in naming, these profiles shared common characteristics, including similar bio structure, role designation, and references to external communication channels. The variations suggest controlled modification of the alias rather than random impersonation.

A particularly important pivot emerged from the following thread:

  • https://breachforums.bf/Thread-miyako-s-Staff-Application

This thread introduced another related profile:

  • https://breachforums.bf/User-miya

Unlike the more visible “miyako” accounts, this identity appeared to represent an earlier stage in the actor’s presence. The profile retained the same underlying identifiers and role classification, but also included additional context through the staff application itself.

Within this post, the actor explicitly described their role as an Initial Access Broker, along with references to prior experience and intent to operate within the forum. This is significant because it moves beyond inferred behavior: here, the role is directly stated by the actor.

At the same time, the account was marked as banned on the platform, with the reason listed as suspected scamming. While this label originates from forum moderation rather than independent verification, it provides insight into how the actor’s activity was perceived within the community.

The same session ID also led to activity beyond BreachForums, including presence on DarkForums domains such as:

  • https://darkforums.me/User-miyako
  • https://darkforums.io/User-miyako
  • https://darkforums.hn/User-miyako
  • https://darkforums.st/User-miyako

Associated threads included access sale listings such as:

  • https://darkforums.me/Thread-Selling-Access-U-S-Department-of-the-Treasury
  • https://darkforums.st/Thread-Selling-Honduras-Microfinance-RCE-Admin-CLI

These posts followed a consistent pattern, advertising access to organizational environments with varying levels of privilege, including references to RCE, administrative access, and firewall exposure.

In one instance, the same session-linked activity appeared under a different username:

  • https://breachforums.st/Thread-Chinese-Web-Development-Initial-Access
  • Username: mommy

While the username differs, the shared session identifier suggests that this activity is connected at the account level, even if the visible alias changes.

What emerges is a pattern of controlled alias variation, cross-platform persistence, and consistent role alignment, all tied together through a stable session identifier. This reinforces the view of Miyako not as a single static profile, but as an evolving operational presence maintaining continuity across platforms, usernames, and environments.
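The pivot described in this section, sketched as an added example (not StealthMole tooling and not code from the report): profiles are merged only through identifiers treated as stable, while handle similarity is reported separately as a lead to verify. All hosts, handles and identifier values are constructed placeholders, and which identifier types count as strong is an assumption.

```python
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Identifier types treated as hard links (an analyst's assumption, adjust per case).
STRONG = {"session_id", "forum_uid"}

# Constructed observations: (profile URL, identifier type, identifier value).
# Hosts, handles and values are placeholders, not data from the report.
OBSERVATIONS = [
    ("forum-a.example/User-examplebroker", "session_id", "SID-PLACEHOLDER-1"),
    ("forum-a-mirror.example/User-examplebroker", "session_id", "SID-PLACEHOLDER-1"),
    ("forum-b.example/User-examplebroker", "session_id", "SID-PLACEHOLDER-1"),
    ("forum-a.example/User-unrelatedname", "session_id", "SID-PLACEHOLDER-1"),
    ("forum-a.example/User-examplebr0ker", "contact", "t.me/placeholder_channel"),
    ("forum-c.example/User-someoneelse", "session_id", "SID-PLACEHOLDER-2"),
]

# Common digit-for-letter swaps seen in alias variants.
LEET = str.maketrans("01345", "oleas")


class DisjointSet:
    """Union-find over profile nodes (str) and identifier nodes (tuple)."""

    def __init__(self):
        self.parent = {}

    def find(self, node):
        self.parent.setdefault(node, node)
        while self.parent[node] != node:
            self.parent[node] = self.parent[self.parent[node]]  # path halving
            node = self.parent[node]
        return node

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def strong_clusters(observations):
    """Group profiles that share at least one strong identifier, largest first."""
    ds = DisjointSet()
    for profile, kind, value in observations:
        ds.find(profile)  # register profiles that carry no strong identifier too
        if kind in STRONG:
            ds.union(profile, (kind, value))
    groups = defaultdict(set)
    for node in list(ds.parent):
        if isinstance(node, str):  # skip identifier nodes
            groups[ds.find(node)].add(node)
    return sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))


def handle(profile):
    """Username part of a '.../User-<name>' profile URL."""
    return profile.rsplit("User-", 1)[-1]


def normalize(name):
    """Lower-case, undo digit swaps, keep letters only."""
    return "".join(ch for ch in name.lower().translate(LEET) if ch.isalpha())


def similarity(p, q):
    a, b = normalize(handle(p)), normalize(handle(q))
    if not a or not b:  # all-digit handles would otherwise match everything
        return 0.0
    return SequenceMatcher(None, a, b).ratio()


def weak_leads(clusters, threshold=0.85):
    """Pairs of separate clusters whose handles look alike: leads, not links."""
    leads = []
    for a, b in combinations(range(len(clusters)), 2):
        best = max(similarity(p, q) for p in clusters[a] for q in clusters[b])
        if best >= threshold:
            leads.append((a, b, round(best, 2)))
    return leads


if __name__ == "__main__":
    clusters = strong_clusters(OBSERVATIONS)
    for index, members in enumerate(clusters):
        print(index, sorted(members))
    for a, b, score in weak_leads(clusters):
        print(f"name-only lead between cluster {a} and cluster {b} (score {score})")
```

The differently named profile joins the main cluster because it shares the identifier, while the look-alike handle stays separate until a stable artifact confirms it.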

Telegram Infrastructure and Channel Evolution

While forum activity provided visibility into how Miyako advertised access, the investigation began to shift more heavily toward Telegram, where much of the operational activity appeared to take place.

The first clear pivot came from the BreachForums thread, which referenced the channel:

  • https://t.me/FreshAccess

At the time of investigation, the channel was no longer accessible. However, historical indexing revealed that this was not a standalone entity, but part of a continuously evolving Telegram infrastructure.

Further analysis showed that the same channel had previously operated under a different URL:

  • https://t.me/BFDWC

More importantly, both URLs resolved to the same Telegram channel ID, confirming that this was not a new channel but a renamed and rebranded version of the original.

Tracking historical snapshots allowed the channel’s evolution to be reconstructed:

  • November 2024: BF DWC
  • January 2025: HELLCAT Access Team
  • February 2025: Fresh Access

Despite these changes in name and presentation, the underlying activity remained consistent: access listings, short transactional posts, and instructions to move conversations into private messages.

This continuity is important.

Rather than creating entirely new channels, the operator appears to have retained the same infrastructure while modifying its outward identity, allowing the operation to persist while adapting to platform pressure, bans, or shifting branding strategies.
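An added example of the reconstruction described above (not code from the report): archived channel snapshots are keyed on the numeric channel ID rather than the public username, so a rename appears as a change point in one timeline and a handle later picked up by a different channel is flagged. The snapshot records, IDs, handles and titles are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed snapshots of indexed channel metadata:
# (capture date, numeric channel ID, public username, display title).
SNAPSHOTS = [
    (date(2025, 2, 20), 1000000001, "handle_two", "Third Title"),
    (date(2024, 11, 3), 1000000001, "handle_one", "First Title"),
    (date(2024, 12, 1), 1000000001, "handle_one", "First Title"),
    (date(2025, 1, 12), 1000000001, "handle_one", "Second Title"),
    (date(2025, 3, 5), 1000000002, "handle_one", "Unrelated Channel"),
]


def by_date(snapshots):
    return sorted(snapshots, key=lambda snap: snap[0])


def timelines(snapshots):
    """Per channel ID, dated (username, title) states, keeping change points only."""
    history = defaultdict(list)
    for seen, channel_id, username, title in by_date(snapshots):
        state = (username.lower(), title)
        entries = history[channel_id]
        if not entries or entries[-1][1:] != state:
            entries.append((seen, *state))
    return dict(history)


def reused_handles(snapshots):
    """Usernames observed on more than one channel ID, IDs in first-seen order."""
    owners = defaultdict(list)
    for _, channel_id, username, _ in by_date(snapshots):
        ids = owners[username.lower()]
        if channel_id not in ids:
            ids.append(channel_id)
    return {name: ids for name, ids in owners.items() if len(ids) > 1}


def resolve(snapshots, username, when):
    """Channel ID holding `username` at the latest snapshot on or before `when`.

    Use this to decide which channel a t.me link in a dated forum post pointed
    to; returns None when no snapshot covers that handle by that date.
    """
    owner = None
    for seen, channel_id, name, _ in by_date(snapshots):
        if seen > when:
            break
        if name.lower() == username.lower():
            owner = channel_id
    return owner


if __name__ == "__main__":
    for channel_id, states in timelines(SNAPSHOTS).items():
        print(channel_id)
        for seen, username, title in states:
            print(f"  {seen}  @{username}  {title}")
    print("handles seen on several channel IDs:", reused_handles(SNAPSHOTS))
```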

The channel’s connection to BreachForums was further reinforced through the profile:

  • https://breachforums.st/User-mommy

This account explicitly referenced the Telegram link associated with the earlier BFDWC version of the channel. The shared channel reference creates a clear overlap between forum activity and Telegram-based operations.

In addition to the primary channel, a secondary channel was also identified:

  • https://t.me/FreshAccess2

The presence of a secondary channel suggests redundancy, either as a backup in case of disruption or as part of a broader migration strategy. This aligns with patterns commonly observed in Telegram-based operations, where channels are frequently rotated or duplicated to maintain continuity.

Telegram Actor Cluster: Account Mapping and Behavioral Patterns

With the Telegram channels established as a central part of the operation, the next step was to identify the individual accounts operating within and around this infrastructure.

Historical message data from the Fresh Access channel and its earlier iterations revealed multiple user accounts associated with Miyako-linked activity. These included:

  • miyak0 — ID: 70******40
  • miya — ID: 7651702330
  • miyako (@miyuhko) — ID: 6108518793
    • Previous names: Kiro, ikia
    • Previous usernames: @LKIEJHDJ, @kuuonline
  • miya — ID: 7075206687

At first glance, these appear to be separate users. However, several patterns suggest they are either controlled by the same operator or operate in very close coordination.

The most immediate indicator is naming consistency. Variations of “miyako” and “miya” appear across all identified accounts, with minor alterations rather than completely unrelated aliases. This aligns with patterns already observed on forum platforms, where the actor modified usernames without abandoning the core identity.

Beyond naming, behavioral overlap becomes more apparent when examining message activity.

Across different accounts, the communication style remains consistent:

  • short, transactional messages
  • minimal description of access
  • emphasis on urgency or exclusivity
  • repeated instruction to move discussions into direct messages

This pattern is particularly characteristic of access brokerage, where speed and discretion are prioritized over detailed listings.

Another key observation is account instability.

Several of these accounts were observed as:

  • deleted
  • renamed
  • or replaced over time

This aligns with earlier findings around channel evolution and suggests an environment where accounts are frequently rotated, either due to bans, operational security practices, or deliberate identity cycling.

Despite this instability, continuity is preserved through:

  • repeated naming patterns
  • presence within the same channels
  • consistent message structure
  • shared operational role

At this stage, the investigation does not rely on a single account to define the actor. Instead, it reveals a cluster of identities that collectively represent Miyako’s presence on Telegram.

This cluster-based view is important.

Rather than treating Miyako as a fixed username, the activity suggests a more fluid identity, one that shifts across accounts while maintaining recognizable patterns in behavior and function. This allows the operation to persist even as individual accounts are lost or replaced.

These findings reinforce the idea that Miyako’s presence on Telegram is not tied to a single account, but to a repeatable operational pattern carried across multiple identities within the same infrastructure.

Access Offerings and Targeting Patterns

With the Telegram infrastructure and associated accounts mapped, the next step was to examine the nature of the access being advertised and what it reveals about Miyako’s operational focus.

Messages recovered from the Fresh Access channel and its earlier iterations show a consistent pattern in how access is presented. The listings are brief, often limited to a few lines, but they follow a recognizable structure:

  • geographic or sector-based identifier
  • type of access available
  • occasional reference to revenue or scale
  • price indication
  • instruction to continue via direct message

Examples of these listings include references to:

  • U.S. government aerospace and defense environments
  • Chinese crypto insurance infrastructure
  • Spanish ISP networks with multi-billion revenue indicators

Across these posts, one detail stands out. The actor explicitly states: “I sell access not data”

This distinction is important.

Unlike data leak actors who focus on selling or distributing stolen information, Miyako’s activity is centered on entry points into systems. The value lies not in what has already been extracted, but in what can be accessed next.

The types of access advertised further reinforce this positioning. Across forum threads and Telegram messages, listings reference:

  • RCE (Remote Code Execution)
  • administrative or CLI-level control
  • firewall access (including FortiOS environments)
  • VPN-based entry points into corporate networks

These are not superficial compromises. They represent footholds that can be expanded into deeper system control, making them valuable to actors involved in later stages of intrusion, such as ransomware deployment or data exfiltration.

Another notable aspect is the pricing model.

Access listings are typically priced within a mid-range bracket, with observed examples including:

  • Approximately $400–$1000 depending on target and privilege level

This pricing suggests a balance between accessibility and perceived value: low enough to attract buyers, but high enough to reflect the effort or rarity of the access.

The targeting itself does not appear random. Listings span:

  • government-related environments
  • financial and insurance sectors
  • telecommunications infrastructure
  • regional enterprise networks

This spread indicates opportunistic targeting rather than a single vertical focus, which is consistent with access brokers who acquire entry points from multiple sources and sell them based on availability.

At this stage, Miyako’s role becomes more clearly defined.

The actor is not presenting completed attacks or large-scale leaks. Instead, the activity sits earlier in the intrusion lifecycle, providing the initial foothold that enables subsequent operations. This aligns directly with the role already identified on forum profiles: Initial Access Broker.

Conclusion

What began as a simple pivot on a recurring name developed into a clear view of Miyako as a consistent presence within the access layer of the HellCat ecosystem.

Across forums and Telegram, the investigation traced a pattern of activity that remains stable despite shifting usernames, accounts, and channels. The linkage between these elements is not based on a single artifact, but on the combination of session identifiers, platform transitions, and repeated behavioral patterns that persist over time.

Rather than operating as a visible front-facing actor, Miyako’s activity sits earlier in the intrusion chain: focused on sourcing and advertising access that can be leveraged by others. This positioning, combined with cross-platform continuity, highlights a role that is both specialized and persistent within the broader environment.

At its core, this case illustrates how access brokerage operates in practice: not through static identities, but through adaptable structures that maintain function even as individual components change.

Editorial Note

As with most dark web investigations, the findings in this report are based on observable activity and verifiable linkages rather than definitive attribution. Identities in these environments are fluid, often shaped by reuse, overlap, and deliberate obfuscation. This case reflects how StealthMole enables analysts to navigate that uncertainty: connecting fragments across platforms to build a coherent, evidence-based understanding of actor behavior without relying on assumptions.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com


Rey: Mapping a HellCat-Linked Persona Across the Dark Web

Among the various personas that surfaced during the HellCat investigation, one name appeared with unusual consistency: Rey.

Initially encountered through forum threads linked to HellCat-related data leaks, the actor’s presence extended far beyond a single username. References to the alias emerged across BreachForums, Telegram, encrypted messaging platforms, paste services, and public-facing contact pages, gradually revealing a broader and more deliberate online footprint.

What makes Rey particularly significant is not just the frequency with which the name appears, but the role it appears to occupy within the HellCat ecosystem. Across multiple threads and communications, the actor is directly or indirectly positioned alongside other known HellCat-linked profiles, with repeated indications of administrative or coordinating involvement.

At the same time, public reporting and underground discussions have introduced conflicting narratives around Rey’s identity and affiliations. External attribution attempts have linked the actor to other aliases, while the actor has publicly disputed these claims. This tension between observed evidence and external reporting adds another layer of complexity to the investigation.

This report focuses on profiling Rey as an operational persona: tracing how the identity evolved, how it moved across platforms, and how its presence intersects with HellCat-linked activity. Rather than attempting to force definitive attribution, the objective is to examine the observable infrastructure, artifacts, and behavioral patterns that define the actor’s footprint.

Incident Trigger and Initial Investigation

This report began as a natural continuation of the earlier HellCat ecosystem investigation.

While tracing HellCat’s infrastructure, associated forum accounts, and communication channels, one name kept surfacing in the background: Rey. At first, it appeared only as a supporting alias in forum threads and actor references. But the more the investigation progressed, the harder it became to ignore how frequently the name was showing up alongside HellCat-linked activity.

That recurring presence was what prompted a deeper look.

Rather than treating Rey as just another username within the broader ecosystem, the decision was made to follow the trail independently and determine whether this was simply a peripheral actor or someone playing a more central role.

What made the case even more interesting was that, during the early stages of this process, it became clear that KELA Cyber and KrebsOnSecurity had already published attribution research on the same persona. Instead of making the investigation redundant, this made it more compelling. It presented an opportunity to see how far the same conclusions could be reached through StealthMole’s own cross-platform visibility and whether the observed evidence would support, complicate, or challenge the existing narrative.

The practical investigation began with a simpler lead.

Rather than starting from external reporting, the decision was made to begin with Rey’s observable footprint inside the HellCat environment itself. The alias had already appeared in actor references, forum discussions, and related communication artifacts during the previous report, making it the most natural point of entry.

The objective at this stage was not attribution, but identity validation: to establish whether Rey represented a standalone actor, an administrative role within HellCat, or an alias that had evolved from earlier personas.

From that point onward, the investigation shifted from tracking HellCat as an ecosystem to tracking Rey as an actor profile.

Backward Persona Mapping: Rey to Hikki-Chan

The first concrete pivot was Rey’s BreachForums profile. A Dark Web Tracker search on the alias returned the profile:

  • https://breachforums.st/User-Rey

This became the first strong identity artifact in the case.

What immediately stood out was that the profile did not treat Rey as a standalone persona. Instead, the account information explicitly listed:

  • a.k.a Hikki-Chan & Rey

This was the first point where the investigation began moving backward through older personas.

Rather than discovering Hikki-Chan first, the trail led there through Rey’s more recent footprint.

The profile preserved several historical details that helped strengthen continuity:

  • Joined: 20 February 2024
  • User Identifier: 130559
  • Username Changes: 1

Most importantly, the user identifier 130559 became a recurring technical artifact across later threads, allowing multiple forum activities to be tied back to the same account.

That linkage became clearer in another thread discovered during the same pivot:

  • https://breachforums.st/Thread-SELLING-Femboy-Thigh-Paradise-3

Although the thread itself was clearly performative in tone, the author block contained an important operational detail.

The same account was explicitly labeled as:

  • HELLCAT Administrator
  • user_130559

This was one of the clearest forum-based indicators placing Rey in an administrative role within the HellCat environment.

The significance here was not the content of the thread itself, but the continuity of identifiers.

The repeated appearance of user_130559, combined with the explicit HellCat administrator label, strengthened the case that Rey was not simply adjacent to the ecosystem but likely held an active role within it.

From there, the investigation moved further backward in time.

A later historical thread provided the strongest bridge between the two personas:

  • https://breachforums.bf/Thread-Staff-Application-Rey-Hikki-Chan

This artifact was especially important because it removed much of the ambiguity around alias mapping.

In the staff application, the actor explicitly stated:

  • “I’m Rey, also known as Hikki-Chan.”

This self-identification was one of the strongest attribution artifacts found during the investigation.

Rather than relying on inferred overlaps in writing style, profile images, or external reporting, the actor directly linked the two names.

Chronologically, this also helped establish the direction of persona evolution.

At this stage of the investigation, Rey appears to represent the more recent and operationally active identity, while Hikki-Chan emerges as an earlier alias preserved in historical forum records and leak posts.

This backward progression became critical to understanding how the actor’s presence evolved over time.

With that alias relationship established through Rey’s own forum footprint, the investigation could then move into older leak-related activity where Hikki-Chan appeared as the public-facing persona.

Rey’s Active Communication and Financial Footprint

Before tracing the persona further backward into older aliases, the investigation next focused on Rey’s more recent operational footprint.

This step was important because it helped establish the latest observable state of the actor before moving into earlier identities.

One of the most significant artifacts at this stage was the Telegram handle:

  • @wristller

Unlike the older identifiers that would later emerge through historical leak activity, @wristller appeared as one of the more recent communication points associated with Rey.

A StealthMole pivot through Telegram Tracker showed that the account was no longer active at the time of analysis.

However, historical indexing preserved multiple earlier states of the profile.

Archived snapshots from January 2025 showed that the same account had previously operated with the usernames:

  • @wristller
  • @leaking

This was particularly useful because it connected the persona directly to leak-oriented activity rather than a purely personal handle.

The profile bio also contained the reference:

  • not sure | nohello.net

This suggests an additional external web reference tied to the same persona and reinforces Rey’s tendency to maintain a distributed cross-platform presence.

Another important artifact linked to this Telegram footprint was a Bitcoin wallet identified through activity in the Jacuzzi channel:

  • bc1************************************9x

This wallet was directly associated with Rey-linked discussions and content redistribution.

Observed transaction activity was limited and consisted of relatively small-value transfers.

This is analytically significant.

The low transaction volume does not align with the financial behavior typically seen in mature ransomware or extortion actors.

Instead, it suggests either smaller-scale monetization or that revenue generation may be occurring through data sales and forum activity rather than structured ransom payments.

Additional artifacts further strengthened the Rey footprint.

A previously observed Florida office leak-related screenshot associated with the forum identity was later found redistributed in the Jacuzzi channel, providing a useful cross-platform continuity marker.

The investigation also revisited the email artifact:

  • rey@c****k.lu

A Dark Web Tracker pivot on this email led to the paste page:

  • https://pst.in*****i.net/paste/zt8*************wb

This page explicitly linked:

  • Rey
  • Hikki-Chan
  • Telegram references
  • forum-related contact details

This became one of the strongest direct identity bridges in the case. Unlike behavioral or stylistic overlap, this artifact explicitly connected multiple platforms through the actor’s own published contact details.

A further expansion point emerged through leak monitoring. An XSS thread linked to the Orange database leak was identified under the alias:

  • ReyXS

This introduces a possible later variation of the Rey persona. At this stage, the relationship remains unresolved.

Two possibilities remain open:

  • Rey operating under a slightly modified alias on XSS
  • independent impersonation using an already established name

Given the timing and thematic overlap, the connection remains relevant, but should be treated as unconfirmed rather than asserted.

With the more recent operational footprint mapped, the investigation then moved backward into older historical traces, where earlier aliases and communication handles began to surface.

Historical Activity Under the Hikki-Chan Alias

With the relationship between Rey and Hikki-Chan now established through forum records, the next step was to move further back and examine how the older alias had been operating before the Rey persona became more prominent.

The investigation began by pivoting on Hikki-Chan in StealthMole’s Leaked Monitoring.

This search returned 23 victims indexed between March 2024 and November 2024, with the majority of the results traced back to BreachForums leak posts and related underground discussions.

At this point, the case still looked like a forum-based leak actor.

The alias was surfacing repeatedly across multiple threads, but there was not yet enough evidence to determine whether this represented a temporary leak persona, a seller identity, or an actor with a broader operational role.

That changed when one of the earliest indexed threads stood out as a likely starting point for deeper profiling:

  • https://breachforums.cx/Thread-DATABASE-New-York-Education-Leaked-Download

This thread quickly became the real turning point in the investigation.

While the post itself was attributed to Hikki-Chan, what made it significant was not simply the leak content.

What stood out was the fact that this thread appeared early in the timeline and was supported by a visible forum presence that showed sustained activity, thread history, and growing reputation.

This suggested that the alias was not being used as a disposable one-off identity.

Instead, it appeared to be part of a more persistent actor footprint.

From that point onward, the focus moved beyond the leak post itself and into the surrounding identity environment.

What initially looked like a single forum alias began to suggest something broader: a persona extending beyond BreachForums into external communication channels and associated profiles.

This was the point where the investigation shifted from tracking posts to tracking the actor behind them.

Cross-Platform Identity Mapping: From Hikki-Chan to Wristmug

Once the New York Education leak thread was established as the earliest meaningful activity under the Hikki-Chan alias, the investigation moved beyond the forum post itself and into the actor’s surrounding identity footprint.

The thread was the starting point, not the conclusion.

Rather than continuing to focus on the leaked dataset, the next step was to pivot on the actor profile and outbound references attached to the post.

At first, Hikki-Chan still appeared to be a fairly standard BreachForums persona: an active username, multiple leak-related posts, and a steadily growing reputation within the forum environment.

However, a closer review of the thread revealed the first major expansion point.

At the end of the post, the actor explicitly referenced the Telegram handle:

  • @wristmug

This was the first strong pivot beyond BreachForums and the point where the investigation began expanding into cross-platform identity mapping.

Using StealthMole’s Telegram Tracker, historical indexing of the handle revealed that although the account has since been deleted, multiple earlier snapshots had been preserved.

These historical snapshots became one of the strongest continuity artifacts in the case.

Archived records showed that the same Telegram account had previously operated under:

  • Rey
  • @wristmug

This was especially significant because the name Rey had already surfaced repeatedly during the earlier HellCat ecosystem investigation and had now been independently linked through forum-based artifacts.

At this point, the investigation was no longer looking at isolated aliases.

Instead, the evidence was beginning to show a continuous identity progression across platforms.

Several preserved profile snapshots further strengthened this line of inquiry.

Earlier versions of the Telegram profile showed:

  • repeated anime-style avatars
  • persistent use of @wristmug
  • evolving bios over time

These snapshots suggested continuity of the same operator rather than recycled access or account transfer.

More importantly, the profile bios revealed recurring linguistic patterns that aligned closely with earlier Rey-linked artifacts.

One earlier indexed bio contained the Russian-language text:

  • время иллюзия, жизнь не реальна, смерть неизбежна :3 @J****sX

This roughly translates to “time is an illusion, life is not real, death is inevitable”, a nihilistic statement about time, life, and death, followed by another tagged handle.

A later bio contained another phrase that had already appeared elsewhere in the investigation:

  • “slightly down, femboy thighs cover it”

This became a particularly useful behavioral marker.

On its own, this kind of phrase might appear informal or irrelevant.

However, when viewed alongside the earlier Rey-linked BreachForums thread that used the same recurring “femboy thigh” motif, it became a valuable continuity indicator.

This is where the analysis shifted from technical overlap to behavioral overlap.

The strength of these artifacts was not the content itself, but the repeated tone, phrasing style, and self-branding patterns across platforms and over time.

Further Telegram channel activity added another layer of context.

The same account was observed participating in underground channels including:

  • Baphchat
  • Jacuzzi 2.0

Archived messages included statements such as:

  • “i actually want to ban India ips range”
  • “I GOT EXPOSED”

These messages are particularly noteworthy because they suggest an awareness of active scrutiny, exposure, or ongoing discussion around the actor during that period.

One archived exchange also included a posted address:

  • 172121 Dublin, Ireland

This artifact should be handled cautiously.

Based on the surrounding conversation context, it appears more consistent with mocking, trolling, or deliberate misdirection than a reliable geolocation indicator.

As such, it is best documented as an observed artifact rather than actionable location intelligence.

This distinction is important because actor-led deception is common in underground communication spaces.

By this stage, the investigation had moved well beyond a single forum-based leak persona.

The emerging profile suggested an actor moving fluidly between:

  • BreachForums leak activity
  • Telegram identity persistence
  • underground channel conversations
  • HellCat-adjacent ecosystem references

This was the point where Hikki-Chan increasingly began converging toward Rey as a persistent, cross-platform identity.

What first appeared to be an older leak alias was now clearly feeding into the more recent Rey persona already observed in the HellCat investigation.

Leaked BreachForums Dataset Analysis: Expanding Rey’s Artifact Footprint

After establishing the connection between Hikki-Chan, @wristmug, @wristller, @leaking and Rey, the investigation moved toward identifying additional artifacts that could further expand the actor’s footprint.

This phase was triggered by the discovery of a leaked BreachForums dataset, which contained user-related records, messaging logs, and associated identifiers. Rather than treating it as a standalone source, the dataset was used as a pivot to explore whether any new infrastructure or accounts could be linked back to the same actor.

A review of the dataset surfaced several new identifiers associated with Rey, including:

  • Telegram handle: @meow31337
  • Signal: mk*****n.*1
  • Email: h*****n@proton.me
  • User ID: 13****9

The Telegram handle provided the most immediate lead.

Using StealthMole’s Telegram Tracker, the handle @meow31337 was resolved to the user ID: 8042142303. This was the first time this specific Telegram user ID appeared in the investigation, making it a new data point rather than a confirmed continuation of previously tracked accounts.

To understand whether this was a separate actor or part of the same identity cluster, historical indexing of the account was reviewed. Earlier snapshots showed that the account had previously used the username: @wristting.

This detail became important. While the user ID itself had not been seen before, the naming pattern closely aligned with earlier aliases such as @wristmug, suggesting a possible continuation rather than a coincidence.

At this stage, the linkage is best understood as behavioral and contextual, rather than technically confirmed.

Additional profile details supported this direction.

The account bio included a reference to:

  • nohello.net

This same reference had already appeared in earlier Rey-linked profiles. While not unique on its own, its repeated use across different accounts adds weight when combined with the username pattern.

The dataset also provided visibility into the account’s Telegram activity.

The user was active across several channels, including:

  • https://t.me/rrcc******n
  • https://t.me/Po*******ion
  • https://t.me/breac*****irc
  • https://t.me/Si*****at
  • https://t.me/b*******at

Unlike earlier stages of the investigation, this data included message-level interactions.

The account was actively engaging with other users, including individuals claiming affiliation with BreachForums operations.

One exchange in particular stood out: a conversation with a user identified as HasanBroker.

Within this discussion, HasanBroker presented himself as connected to BreachForums staff and referenced IntelBroker-related activity, pointing toward ongoing impersonation attempts and internal disputes.

The interaction between the two showed clear friction, suggesting prior awareness of each other rather than a one-off exchange.

The conversation escalated when HasanBroker shared an Ethereum wallet address:

  • 0x7af*****************************e33

The wallet was introduced as being linked to Rey, with the suggestion that transaction patterns could reveal meaningful insights.

A review of the wallet showed no remaining balance, with previous activity consisting of small-value transfers. At this stage, the wallet attribution remains unverified, as it is based on claims made within the conversation.

However, Rey’s response adds useful context:

“are you legit trying to dox me by one of my addresses”

By referring to “one of my addresses”, the reply indicates that the wallet is not entirely unrelated to the actor.

Further messages provide additional insight into how the actor approaches cryptocurrency usage:

  • “a address out of 12 address wont lead to anything :)”
  • “thats already cleaned”
  • “do you think i’d depo you with my main?”

HasanBroker even went on to describe it as:

“money laundering at its finest”

The dataset also surfaced an additional external account:

  • https://x.com/ReyXBF/

The account is now suspended, but the naming pattern aligns with BreachForums-related identity signaling, suggesting intentional association with that ecosystem.

Finally, the repeated use of nohello.net was reviewed in context. The site itself is benign and commonly used as a cultural reference encouraging direct communication. Its significance here lies in its consistency across multiple profiles, reinforcing behavioral continuity.
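The evidence grading applied across the sections above can be made explicit by recording each link with a grade and clustering identifiers only through links at or above a chosen grade. This is an added example, not part of the original report or StealthMole's tooling; the grade names and the grade assigned to each link are assumptions based on the report's wording, and the wallet stays masked as on the page.

```python
from collections import defaultdict

# Evidence grades, strongest first. Grade names and the grade assigned to each
# link are assumptions of this example, based on the report's wording.
GRADES = {"artifact": 3, "behavioral": 2, "claim": 1}

# (identifier_a, identifier_b, grade, basis as described in the report)
LINKS = [
    ("Hikki-Chan", "@wristmug", "artifact", "handle published in the actor's own post"),
    ("@wristmug", "Rey", "artifact", "archived snapshots of the same Telegram account"),
    ("@meow31337", "@wristting", "artifact", "earlier username of the same account"),
    ("@wristting", "@wristmug", "behavioral", "username naming pattern"),
    ("@meow31337", "Rey", "behavioral", "nohello.net bio reference reused"),
    ("ReyXS", "Rey", "claim", "similar alias on XSS, relationship unresolved"),
    ("ETH wallet (masked)", "Rey", "claim", "attribution asserted in a chat"),
]


def clusters(links, min_grade):
    """Group identifiers joined by links graded at least min_grade (union-find)."""
    floor = GRADES[min_grade]
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b, grade, _basis in links:
        ra, rb = find(a), find(b)  # register both ends even when the link is too weak
        if GRADES[grade] >= floor and ra != rb:
            parent[ra] = rb
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def link_strength(links, a, b):
    """Strongest grade at which a and b still fall in one cluster, else None."""
    for grade in sorted(GRADES, key=GRADES.get, reverse=True):
        if any(a in g and b in g for g in clusters(links, grade)):
            return grade
    return None


if __name__ == "__main__":
    for grade in GRADES:
        print(grade, clusters(LINKS, grade))
```

At the artifact grade the @meow31337 account stays in its own cluster, and ReyXS and the wallet join the Rey cluster only when claim-level links are admitted.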

Conclusion

What began as a continuation of the broader HellCat ecosystem investigation gradually evolved into a focused actor profile centered on Rey.

Over the course of the investigation, the persona was traced through a layered progression of identities and artifacts, from Rey’s presence across BreachForums and Telegram to earlier aliases such as Hikki-Chan, @wristmug, and @wristller. Rather than relying on a single indicator, the linkage between these identities was supported by a consistent pattern of cross-platform references, historical profile transitions, recurring linguistic markers, forum self-identification, communication handles, and associated financial artifacts.

The addition of data from the leaked BreachForums dataset further strengthened this profile, introducing new identifiers while reinforcing previously observed behavioral and structural continuity. This allowed the investigation to move beyond surface-level alias tracking and toward a more complete understanding of how the persona operates across platforms.

Overall, these findings position Rey not as a disposable forum alias, but as a persistent and evolving presence within the HellCat-linked ecosystem, one that maintains continuity while adapting identifiers over time.

Editorial Note

Attribution in cyber and dark web investigations is rarely absolute. Personas evolve, aliases change, and actors often move across platforms in ways that deliberately blur identity boundaries. This case is a good example of why disciplined analysis matters: not every public attribution can or should be accepted without independently observable overlap.

By following the evidence trail from current artifacts into historical personas and parallel identity clusters, this investigation highlights how StealthMole can help navigate uncertainty while preserving analytical rigor and avoiding unsupported conclusions.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com
