Username as Weapon: The Curious Case of 1ucif3r and the DarkForums Illusion

This report presents an in-depth profile of an underground cyber actor operating under the alias 1ucif3r, also known as Lucifer. Leveraging the investigative capabilities of the StealthMole platform, the profile consolidates information from historical breach datasets, forum activity, dark web infrastructure, and open-source intelligence (OSINT). 1ucif3r has maintained an active digital footprint since at least 2021 and is assessed to be located in ******, on the basis of recurring indicators such as domain registration details, language use, school-linked credentials, and Telegram group memberships.

1ucif3r is known not only for operating in breach and exploit communities but also for attempting to cultivate an identity through branded assets such as "DARKARMY", GitHub repositories, and personalized onion sites. Although there is speculation about his ties to the ransomware group "D4RK 4RMY," this report keeps the two identities separate because no direct technical link has been found. The analysis focuses solely on 1ucif3r’s independent operational identity.


Incident Timeline: Historical Breach Activity

1ucif3r’s emergence can be traced to a series of high-profile breach incidents that surfaced throughout 2023 and 2024 and were detected and catalogued via StealthMole’s ransomware and leak monitoring tools. These events show a pattern of targeting state-linked and military organisations, likely to maximise geopolitical impact and underground recognition.

1. UAE Abu Dhabi & Dubai Police Leak (2023)

  • Leaked internal documentation, credentials, and identity cards.
  • Exposed personnel data and backend systems tied to UAE law enforcement.

2. South Korea Military Database Breach (2023)

  • Exposed access logs, internal network details, and military login credentials.
  • Claimed on forums by accounts whose stylised handles resemble 1ucif3r’s aliases.

3. Vietnam Government Webmail Leak (2024)

  • Sensitive government webmail login credentials were exfiltrated and leaked.
  • The data was hosted on multiple dark web paste sites where 1ucif3r’s email or usernames appeared in associated metadata.

4. Iraq National Security Database (2023)

  • Leaked on both Omertà and exposed.vc platforms.
  • Tied to government-level surveillance records.

Miscellaneous High-Volume or Corporate Leaks:

  • PwC.com Leaked Downloads (2023)
    • Multiple instances posted on leakbase.io, attributed to 1ucif3r.
  • UberHub MDM Internal Leak (2023)
    • Roughly 20 million mobile device management (MDM) log entries associated with uberhub.uberinternal.com.
  • 480 SQL Dumps (2023)
    • A 9 GB set of 480 SQL dumps, released twice on separate dates.
  • Russian Crypto Documents Leak (2023)
    • Documents related to Russian crypto entities and platforms.
  • Twitter DB/Scrape Leak (2023)
    • Over 200 million lines of scraped Twitter data, shared on Nulled.to and other platforms.
  • Web Site Open Source Leaked Databases
    • Aggregation of various exposed data assets from open-source platforms.

Taken together, these incidents reflect an actor with a sustained interest in government infrastructure, capable reconnaissance and exfiltration, and, most useful for attribution, consistent reuse of the same identifiers across incidents.


Digital Infrastructure and Online Presence

1ucif3r blends his underground presence with pseudo-developer branding. His GitHub portfolio lists HTML, JavaScript, and Golang and references a current project titled DARKARMY. A now-defunct personal site (1******.*e) and his .onion site also display the DARKARMY affiliation. Notably, one screenshot of his GitHub profile reads:

"I'm currently working on DARKARMY"

He also attempted to run his own dark forum, modelled on the real DarkForums (DF). Known DF actors in the R******* H*** Telegram channel criticised him heavily and branded him a scammer.

Beyond websites and source code, 1ucif3r maintained a series of communication identities across different services. These include:

  • Emails: 1ucif3r@****.**, ****1ucif3@*****.**, d4rk4rmy**@******.com, a**********@gmail.com
  • Telegram: @O*****F, @Y***********r, @A*********r, @t*******r, @O******r
  • Discord: 1*******2

Several of these emails appear in underground leak databases and credential dumps. In particular, the Gmail account a**********@gmail.com appears with a reused password across multiple hash entries. The recurrence of the same identifiers across unrelated datasets is what raises attribution confidence when matching further usernames or aliases to the persona.

Username/Alias | Email                           | Platform or Context
1ucif3r        | a********r@******.**            | GitHub, personal portfolio
1ucif3r        | admin@d****4****.**             | O******.la profile
1ucif3r        | d********@****mail.***          | Document leak
1ucif3r        | 1ucif3r@****.**                 | Dumped creds list
A****          | 1ucif3r Telegram & DF reference | DF Owner Message
Lu*****        | 1ucif3r@****.**                 | Cracked DB file (username)
1ucif3r        | l**************@gmail.com       | Twitter dump dataset
**1ucif3r      | Or@.**                          | Possibly related email

This ecosystem of aliases, contact points, and developer content forms the basis for attributing later activity to the original operator.


Telegram Attribution and Identity Hijack

The Telegram handle @A********r, along with aliases such as Lucifer and K***, appears to have been adopted by 1ucif3r opportunistically after the original administrator of the real DarkForums disappeared. There is no direct evidence that the original DarkForums admin ever used this exact handle; 1ucif3r’s adoption of the Lucifer alias and his positioning of himself as an authority figure nevertheless strongly suggest intentional impersonation.

Archived messages from the official DarkForums Telegram channel (dated 1 May 2024) state that access to both the official channel and the administrator’s former Telegram account had been lost. The remaining moderators directed future communications to the new handle @O***** and to domains associated with lucifer.**. Both @O***** and lucifer.**, however, have also been tied to the 1ucif3r persona through cross-referenced platform activity and associated credentials, which strongly suggests that these identifiers were repurposed by 1ucif3r after the original Lucifer's exit in September 2024. Two caveats apply: it is not confirmed that the notice about the lost Telegram access was posted by the real Lucifer, and the May 2024 date of that notice predates the September 2024 exit, so the order in which the handle and domain changed hands cannot be fixed from these messages alone.

By mid-2025, underground groups began to call out the impersonation. A message from the R******* H*** Telegram channel, dated 11 June 2025, explicitly labeled @A********r as a scammer:

“Someone using our name and Lucifer’s username to scam people… Scammer’s account: @A********r. Lucifer is gone.”

This aligns with data from credential leaks and contact listings linking the handle to 1ucif3r, indicating that he assumed the identity to enhance his underground standing.

Additional derivative aliases and Telegram channels have since emerged to reinforce this persona, including @Y************r, @t********r, and @O******r, as well as active participation in chat groups such as @***********t and I****** *******s. These either serve as impersonation attempts, clone identities, or remnants of legacy network activity aimed at sustaining the brand’s visibility.


Brand Building: DARKARMY Vs D4RK 4RMY

1ucif3r’s use of the DARKARMY label appears to be part of his branding strategy. On his O****** profile, he listed the email address admin@d***4***.**, which mimics the well-known ransomware group D4RK 4RMY and likely aims to create a perceived affiliation. His GitHub profile also references the email ****1ucif3r@p******.**, accompanied by a PGP key whose user ID reads "Lucifer (dark forums)". A PGP user ID is self-asserted when the key is generated, so on its own it shows only that whoever generated the key chose that name, not that the key belongs to the original DarkForums operator.

When this email was further investigated through StealthMole’s dark web tracker, it was found listed on two distinct DarkForums instances: darkforums.st (archived 2024) and darkforums.pro (archived 2023), both crediting "Lucifer" as the creator of the platform. These discoveries further blur the line between impersonation and ownership, hinting that 1ucif3r may have appropriated old assets of the original DarkForums team to boost his legitimacy.

Although the naming and stylistic overlap with D4RK 4RMY is apparent, there is no evidence of shared wallet addresses, signed payloads, or infrastructure reuse. As a result, StealthMole maintains that these identities are distinct, with the similarities best explained as impersonation or brand appropriation rather than operational partnership.


Skillset and Operations

According to GitHub, forum logs, and Telegram metadata, 1ucif3r is well-versed in the following:

  • Languages: HTML, CSS, JavaScript, and Golang
  • Skills: Phishing panels, malware payloads, and Monero laundering tutorials
  • OPSEC: Relies on ProtonMail, Tox, layered aliases, and private chats
  • Community: Active on O*****à, N******.to, Breached, and his self-made dark forum

StealthMole tracking shows 1ucif3r-related credentials in datasets such as brainshell.txt, twitter_200M_Dec2021.csv, and others across its ULP Binder (ULP: URL:login:password records, the format of most infostealer and credential dumps) and Credential Lookout modules.


Real-World Attribution

StealthMole platform results from Credential Lookout and ULP Binder revealed repeated use of the password 2********a in association with multiple emails tied to 1ucif3r’s identity, such as d*********@gmail.com and a********@gmail.com. The most telling discovery was the use of a********e@c******.**.**, a school-associated email address. Together, the full name “A***** ******” and the school domain strongly suggest that 1ucif3r is operating under this real identity.

The domain c******.**.** belongs to *** National Public School, located in **********, *****, which implies that the actor is likely a student or recent graduate of this institution. The password string *********a, which points to a possible birth year of ****, strengthens the assessment that the operator is a young actor, currently in school or recently graduated. A four-digit year inside a password is a weak signal on its own; it carries weight here only because it is consistent with the school domain and the other indicators.

Additional data from dark web breaches reinforce the association through reused credentials, ****** Telegram groups, and personalised handles such as “O******.” In ********-focused Telegram groups such as ****** H*****s (aka B****** H******s), the actor was observed communicating in ***** on several occasions, which further supports the assessment of ****** origin. None of these indicators is conclusive on its own, but the combination of the school email, consistent password reuse, language indicators, and ******* group participation forms a strong circumstantial link tying the actor to A***** ******.


Conclusion

1ucif3r (alias: Lucifer) presents a compelling case of an emerging cybercriminal actor whose digital identity merges opportunism, impersonation, and genuine technical capability. Although he has no confirmed links to major ransomware outfits like D4RK 4RMY, his use of branding such as DARKARMY, attempted dark forum ownership, and impersonation of established underground figures reveals a pattern of influence-building that prioritizes visibility and recognition.

While his operational capacity, covering government leaks, credential theft, and underground scam attempts, suggests technical maturity, the attribution to A***** ***** introduces an unexpected layer: that of a likely teenage actor navigating highly visible underground spaces. This raises concerns about his long-term trajectory and potential escalation in threat behavior as his skills and affiliations mature.

1ucif3r should be classified as a Moderate to High Threat. His active credential exposure campaigns, impersonation of senior figures, and involvement in multi-national database leaks demonstrate strategic intent. Although not (yet) linked to sophisticated APT groups or ransomware cartels, his behavior, reach, and resourcefulness make him a notable actor within underground ecosystems.


Editorial Note

While every effort has been made to ensure the accuracy of this report, it is important to acknowledge that attribution in cyber investigations can never be guaranteed with complete certainty. The connections drawn are based on available open-source intelligence and StealthMole platform data. However, attribution remains probabilistic and subject to change as new information emerges.

The primary goal of this report is not just attribution, but also to showcase how StealthMole’s platform enables comprehensive, efficient, and intuitive profiling of threat actors through integrated tools such as Dark Web & Telegram Trackers, ULP Binder, the Compromised Data Set and others. These tools allow even independent researchers to connect dots across aliases, infrastructure, and behavioral patterns, transforming fragmented data into actionable intelligence.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com
