Behind the Mask: Profiling Qilin's Global Ransomware Infrastructure
This profiling report investigates QilinRansom, a ransomware-as-a-service (RaaS) group that recently made headlines for its involvement in the June 2024 Synnovis Ransomware Attack in the UK, which directly contributed to the death of a patient. This case exemplifies how ransomware incidents can transcend digital disruption and cause real-world harm.
Using StealthMole’s integrated investigative tools, including the Darkweb Tracker, Telegram Tracker, ULP Binder, and Compromised Data Set, this operation successfully mapped Qilin's infrastructure, uncovered data leaks, tracked down possible administrators, and established linkages to overlapping RaaS ecosystems.
The significance of this profiling lies not just in attribution but in exposing how ransomware groups leverage a network of aliases, infrastructure, and marketplaces across different languages, regions, and platforms to sustain their criminal activity.
Incident Trigger and Initial Investigation
The catalyst for this investigation was renewed attention around the Synnovis ransomware attack, which occurred in June 2024 but made headlines again in June 2025 after authorities confirmed that the attack had contributed to a patient's death in the UK. Synnovis is a pathology service provider for the NHS, and the ransomware event caused critical delays in diagnostic and surgical workflows.
The group claiming responsibility was identified as Qilin. However, initial keyword searches for “Qilin” yielded limited dark web presence. A pivotal breakthrough came when the query was modified to “QilinRansom,” which led to the discovery of:
- Dark Web Onion Site: http://ij**************************************************qd.onion/
- Contact Channels:
  - Jabber ID: q****@e*****t.im
  - TOX: 7C***084...B6***15**68
  - FTP: ftp://datashare:C}^S**"***?vX#*4**^}:h**@***.***.**.52
Additionally, QR codes displayed on Qilin’s leak site led to WikiLeaksV2 and the D***-F*** Forum, even though the second QR code carried the DemonForums logo, suggesting branding or distribution partnerships with known cybercrime discussion spaces. These initial breadcrumbs launched a multi-layered exploration of Qilin’s wider footprint.
Infrastructure Discovery via StealthMole
Using StealthMole’s Darkweb Tracker, the onion site was scanned and revealed:
- Known Associated IPs:
| IP Address | Country |
| --- | --- |
| 8*.2**.**.*9 | Russia |
| 1**.1**.**.**9 | Russia |
| 1**.1**.**5.**9 | Russia |
| 1**.**.**.*5 | Russia |
| **6.**3.**5.*7 | Russia |
| 1**.**6.*0.*2 | USA |
- 116 unique hashes along with 43 malware hashes, corresponding to ransomware payloads, stealer logs, and droppers associated with Qilin’s operations.
This showed that Qilin did not exist in isolation, but rather operated from within an interconnected cluster of cybercriminal infrastructure.
Affiliated Groups and Cross-Infrastructure Mapping
The broader criminal infrastructure supporting Qilin includes multiple RaaS players and ecosystem enablers:
WikileaksV2 Propaganda and Leak Channels
The Qilin infrastructure referenced wikileaks2.site, which is associated with both historical leak propaganda and active coordination for ransomware groups. Key findings include:
- Telegram Handles and Descriptions:
- @wikileaksv2: The original Telegram channel claiming to be a continuation of Julian Assange’s movement. Channel now deleted.
- @wikileaks_v2: Still active; bio reads: “WikiLeaks2 — we are the followers of Julian Assange’s case, which has lived, lives and will live despite all the difficulties faced by the international organization WikiLeaks.”
- @b**r***37: Telegram user and channel titled “B**r Servers,” linked to server hosting and possibly RaaS logistics.
- @cu**l**re***37: Channel name: “Cu** L***e,” possibly tied to operational aliases or nationalist cyber messaging.
- Social Media Presence:
- Twitter (X): https://x.com/wikileaksv2 - Promotes leaked content, ransomware announcements, and messages of solidarity with international whistleblowers.
- Facebook: https://facebook.com/wikilea******2 - Mirrors content from Telegram/X and used as an ideological reinforcement channel.
BlackHat Russia (BHG), BHF, and BlankHack Forums
Dark web forums such as BHG and BlankHack emerged as Qilin’s primary collaboration and resale platforms. These forums serve as digital marketplaces for malware development, RaaS advertisement, data resale, and illicit service exchange.
- Domains: bhg.gg, bhg.io, bhg.im, bhf.im, blankhack.com
- Onion Forum: bhf*****2kxpaoyqz7*********5n2re****xzyhl******de4zqd.onion
StealthMole revealed:
- 255 leaked user credentials from bhg.gg, likely of registrants on the platform
- Contact emails:
- j**@*****.im (with 2017 PGP)
- m****n@*****mail.cc (2021 PGP)
- ooo.*****@protonmail.com (2018 PGP)
- Cryptocurrency artifacts:
- Monero wallet: 43b5Ro7*******YgtaaD6K*******YChC*******9NEfX4******T3anyZ22j7******VcQFy*****cur9fp
- BTC wallets discovered in broader scan
- Additional connections:
- Two GPS coordinates linked to user sessions
- Session IDs and login logs for registered members
- Discord and Jabber IDs like 2*****jpgp@protonmail.com, darkd*****@jabber.click, BigB***-xxx@jabber.ru
Linked Sites and Brand Association:
- blackhatrussia.com: Public-facing brand likely tied to recruitment and propaganda
- blankhack.com: Hosting tutorials, cracked tools, and resale of initial access
- forum.antichat.com: Shared infrastructure, actors like a******i and b*********com*k
- shanghaiblackgoons.com: Referenced in shared Telegram/Darkweb data, potentially a misdirection or affiliate group
These platforms are interconnected, not only through IP overlap and user aliases, but also via cross-posted campaigns and forum-based RaaS advertisements. Their function goes beyond discussion: they serve as underground operational backbones where tools, identities, and access are constantly brokered, with links to Russian-speaking malware testing labs, identity log markets, and exploit-sharing rings.
Actor Attribution and Profiling
A**** i / A** S*****
Multiple aliases tied to the Telegram handle @a******i revealed a compelling and uniquely traceable actor profile:
- Claims cyber experience since 1999, a detail supported by password reuse behavior and public statements in his Telegram bio.
- Identified via StealthMole’s ULP Binder as reusing the same passwords across multiple platforms:
- Discord: b*******r******of*****#***4 with password a******i
- BlankHack login: username a******i, password P@*****1
- Facebook credentials: k****k**ir*@live.fr with password 1***19e
- Found registered on an Algerian education portal under ID: 2*2***02**2_**2
- IP address association: 4*.9*.**0.**8 (A*****a), matched with multiple credential leaks.
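The password-reuse pivot described above (a handle reused as a password on one platform, the same password reused across two others) can be reproduced over ULP-style records with a simple union-find clustering. The code below is an added illustration, not StealthMole's ULP Binder; the record format, the weak-password filter and every record are constructed assumptions.

```python
"""Alias clustering over leaked credential records in URL:Login:Password
("ULP") form, illustrating the reuse pivot from the report. Not vendor code;
every record below is a constructed placeholder, not real data."""
from collections import defaultdict

# Constructed sample records: (service, login, password). No real identities.
SAMPLE_ULP = [
    ("discord.example",  "user_alpha#0001",     "actor-handle-1"),  # handle used as password
    ("forum.example",    "actor-handle-1",      "P@ss-Alpha1"),     # same string as login
    ("mail.example",     "alias@example.fr",    "P@ss-Alpha1"),     # password reused
    ("portal.example",   "2020000001",          "actor-handle-1"),  # password reused
    ("shop.example",     "unrelated_user",      "hunter2"),
    ("blog.example",     "unrelated_user",      "hunter2"),
]
# Passwords too common to serve as a pivot (assumed list; would be much longer).
WEAK_PASSWORDS = {"123456", "password", "hunter2", "qwerty"}

def cluster_identities(records):
    """Group 'service:login' accounts that share a login string, a non-trivial
    password, or whose password equals another account's login. Returns clusters
    (sets) sorted largest first."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    by_login, by_password = defaultdict(list), defaultdict(list)
    for service, login, password in records:
        acct = f"{service}:{login}"
        find(acct)  # register the account even if it never links to anything
        by_login[login].append(acct)
        if password not in WEAK_PASSWORDS and len(password) >= 8:
            by_password[password].append(acct)
    # Same login or same (non-trivial) password: link all accounts in the bucket.
    for accts in list(by_login.values()) + list(by_password.values()):
        for other in accts[1:]:
            union(accts[0], other)
    # Password on one platform equal to a login elsewhere: the strongest pivot.
    for pw, accts in by_password.items():
        if pw in by_login:
            union(accts[0], by_login[pw][0])
    groups = defaultdict(set)
    for acct in parent:
        groups[find(acct)].add(acct)
    return sorted(groups.values(), key=len, reverse=True)
```

Exact-match pivots produce false links on shared or default passwords, so the weak-password filter is essential and each cluster still needs manual review.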
Further exploration via StealthMole’s Telegram Tracker and Darkweb Tracker uncovered connections to:
- BlankHack.com and Shanghaiblackgoons.com
- DemonForums.net, DrDark.ru, and BlackHat Russia-branded pages
- Alias reuse between leaked credentials, Discord profiles, and Telegram presence
All indicators strongly support that A*** (likely real name A**** S*****) is not only central to the Qilin ecosystem but also operates as a core administrator behind the BlackHat Russia (BHG) group, managing or facilitating infrastructure for a wide range of criminal actors. His operational behavior, visible via multi-platform handle reuse and long-term dark web involvement, points to a veteran actor embedded deep within the ransomware-as-a-service world.
His use of ideologically themed platforms, cross-lingual identities, and behavioral patterns indicates professional-level experience, technical fluency, and a trusted role in forum-based cybercrime markets. These attributes make him one of the most high-confidence identifiers uncovered in this case.
B**** K*** (Secondary Actor)
Email: b****k***icom**@jabber.ru
Mentioned in several underground communities including:
- sinister.ly, hackyou.org, darknetforum.su, bpcforum.su
- Referenced in the Treadstone71 Mossad breach dump
Although not directly linked to A****, B**** shares many infrastructure overlaps and may serve as an affiliate, access broker, or RaaS service reseller.
Historical Campaigns and Shared Operations
QilinRansom has been active since at least 2022, participating in high-profile ransomware campaigns—often in coordination with other known groups in the RaaS ecosystem. Historical patterns suggest a modular, affiliate-driven operational model. Notable campaigns include:
- FeelFour.com Ransomware Attack (2024):
- Conducted jointly with Devman and Babuk Locker 2, indicating early-stage cooperation with other RaaS actors.
- Data exfiltrated and auctioned through affiliated forums and marketplaces.
- Subsurfco LLC Data Leak (March 2025):
- Initially attributed to Qilin under their “QilinRansom” tag on underground forums.
- This campaign was instrumental in revealing their rebranding pattern and operational tools, including FTP servers and unique malware signatures.
- Synnovis NHS Attack (June 2025):
- Qilin claimed responsibility for a ransomware attack on the UK’s Synnovis pathology labs.
- This incident disrupted over 800 medical appointments and allegedly caused a fatal delay in patient surgery.
- The attack marks one of the few ransomware events with confirmed fatal real-world consequences, drawing global media attention and heightening law enforcement scrutiny.
These campaigns collectively reflect a well-coordinated, mature threat group operating under a fluid alias and syndicate structure—leveraging both independent and collaborative attacks depending on the target region or sector.
StealthMole Platform Usage and Outcome
StealthMole’s modules uncovered a much larger and richer set of indicators than can be listed exhaustively.
| Feature | Intelligence Extracted |
| --- | --- |
| Darkweb Tracker | Identified Qilin infrastructure, affiliated forums, QR links, malware hashes |
| Telegram Tracker | Discovered deleted/active channels, linkages to social personas, propaganda arms |
| ULP Binder | Revealed password reuse, education records, forum and credential ties |
| Compromised Dataset | Connected stolen credentials with forum identities and ransomware platforms |
Total Findings:
- 30+ IPs
- 255+ leaked credentials
- 116 ransomware payload hashes
- Dozens of domains, Telegram handles, and stealer-based insights
Conclusion
Qilin is not a standalone threat actor but a highly collaborative RaaS ecosystem, built on partnerships with well-established Russian forums, Telegram propaganda clusters, and brokered infrastructure across the Middle East and Asia.
The strongest signal uncovered links A***k**i to the operation as a potential admin or forum leader operating from A****a with Russian-language fluency and P*******i password cues. B**** K**n is profiled as a supporting actor or affiliate.
This case study exemplifies how sophisticated ransomware networks hide behind layers of aliases and forum culture, requiring investigative tools that span dark web, messaging platforms, and stealer datasets.
Editorial Note
While every effort has been made to ensure the accuracy of this report, it is important to acknowledge that attribution in cyber investigations can never be guaranteed with complete certainty. The connections drawn are based on available open-source intelligence and StealthMole platform data. However, attribution remains probabilistic and subject to change as new information emerges.
The primary goal of this report is not just attribution, but to showcase how StealthMole’s platform enables comprehensive, efficient, and intuitive profiling of threat actors through integrated tools such as Dark Web & Telegram Trackers, ULP Binder, the Compromised Data Set and others. These tools allow even independent researchers to connect dots across aliases, infrastructure, and behavioral patterns, transforming fragmented data into actionable intelligence.
To access the unmasked report or full details, please reach out to us separately.
Contact us: support@stealthmole.com