Tracing Devil120: A Dark Web Actor's Footprint Across Borders
This report profiles a threat actor operating under the alias Devil120, identified through a multi-layered investigation leveraging StealthMole's platform. Devil120 has been linked to numerous data leaks targeting sectors such as government, banking, telecommunications, and healthcare across the US, India, the UAE, and Southeast Asia.
Incident Trigger and Initial Investigation
The investigation began on 1 July 2025, following a high-impact leak posted on 30 June 2025, when Devil120 published a dump of the USA Police Database on a dark web forum. The sensitivity of the data and the breadth of personally identifiable information (PII) prompted an urgent attribution effort.
Using the StealthMole platform, I quickly discovered that Devil120 had a presence on both DemonForums and BreachForums. Monitoring this alias revealed frequent associations with database leaks. The Telegram username @Big_Boss2149 was consistently mentioned alongside these posts, prompting a deeper dive into connected identities.
Attribution Summary
By pivoting on Telegram handles and usernames mentioned in forum threads, I uncovered additional aliases tied to the same infrastructure, including @info_usa, @mr_jack311, and @jack_back. This led to the hypothesis of a multi-profile single actor or a tightly coordinated group.
StealthMole's Compromised Data Set (CDS) tool was used to search for emails tied to these aliases, which surfaced devil****.**@gmail.com, linked to over 125 compromised records. Running this email through ULP Binder revealed associated social media accounts as well. Collectively, the indicators identified a real-world identity: K***l P******i, including a matching IP address geolocated in P****d and social behavior consistent with forum activity.
Supporting evidence from the StealthMole platform:
- CDS Tool: Uncovered the core email and IP address tied to breaches.
- ULP Binder: Mapped social media accounts, validating real-world attribution.
- Dark Web & Telegram Tracker: Correlated multiple Telegram handles and aliases through leak metadata.
Known Aliases and Telegram Handles
The actor uses or is affiliated with several aliases and Telegram handles across forums:
| Alias | Telegram Handle | Leak Region/Focus |
|---|---|---|
| Devil120 | @Big_Boss2149 | Mixed (US, UAE, Asia) |
| info_usa | @f_scoity, @DataLeak21, @Black_Shark2024 | US social and banking data |
| mr_jack311 | (TG linked to @Big_Boss2149) | India, ASEAN (ICICI, SBI, AirAsia) |
| jack_back | Possibly same as above | Unknown (linked by contact reuse) |
These identities were cross-verified through StealthMole's Dark Web Tracker, which highlighted reused Telegram handles in multiple data breach announcements.
Leak Activity Timeline
Notable leaks associated with Devil120 and affiliated aliases:
- US Police Database (Initial trigger event)
- T-Mobile US, Vodafone Egypt
- Axis Bank India, SBI, ICICI
- AirAsia passenger data
- UAE finance/government data
- Bank of America, CitiBank leaks
- LinkedIn profile data, high-income US PII
These datasets were often accompanied by Telegram contact points and hashes, some of which were tested via StealthMole’s hash intelligence capability. While some hashes remain unlinked, their structured inclusion across forum posts suggests a consistent operation pattern.
Operational Behavior and OPSEC Assessment
Devil120 exhibits moderate OPSEC hygiene:
- Reuses alias fragments ("Devil120") across forums and email.
- Uses a Russia-based email provider (mail.ru) for dark web activities and Gmail for broader identity-linked services.
- Displays inconsistent password practices (e.g., p******a as a known password), hinting at reused credentials.
When running @Big_Boss2149 through the Dark Web Tracker, I uncovered its appearance across leaks posted by multiple aliases, suggesting either a multi-profile single actor or a small, coordinated group using shared communication infrastructure.
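The pivot described in the attribution summary, the cross-verification of reused Telegram handles, and the observation that the handle @Big_Boss2149 appears under several posting aliases all rest on one analytic step: treating aliases and contact handles as nodes of a graph, linking them wherever they co-occur in a leak post, and reading off the connected components. The script below is an added illustration of that step and is not StealthMole's code or part of the platform; the forum posts, aliases (`actor_one`, `bystander`, ...), handles (`@handle_x`, ...) and e-mail addresses it operates on are constructed placeholders. It also implements the alias-fragment check from the OPSEC section (an alias reappearing inside the local part of an e-mail address found in breach records), which is the kind of low-cost indicator an analyst would confirm before weighting it in an assessment.

```python
"""Alias-pivot correlation over forum leak posts (added example).

Nodes are poster aliases and Telegram contact handles; an edge exists when a
post by an alias lists a handle as its contact point. Aliases that fall into
one connected component share contact infrastructure, which is the signal
behind the "multi-profile actor or coordinated group" hypothesis.
"""
from collections import defaultdict
import re

# Constructed sample posts: placeholder aliases, handles and regions, not real data.
SAMPLE_POSTS = [
    {"forum": "forum_a", "alias": "actor_one", "contacts": ["@handle_x"], "region": "US"},
    {"forum": "forum_b", "alias": "actor_one", "contacts": ["@handle_x"], "region": "UAE"},
    {"forum": "forum_b", "alias": "actor_two", "contacts": ["@handle_y", "@Handle_X"], "region": "India"},
    {"forum": "forum_a", "alias": "actor_three", "contacts": ["@handle_y"], "region": "ASEAN"},
    {"forum": "forum_a", "alias": "bystander", "contacts": ["@handle_z"], "region": "EU"},
]

# Constructed sample addresses standing in for a breach-record search result.
SAMPLE_EMAILS = ["actorone99@example.com", "random.user@example.org"]


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent, a, b):
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def cluster_aliases(posts):
    """Group aliases that are reachable from each other via shared contact handles.

    Returns a list of clusters, largest first; each cluster records the
    aliases, handles, forums and leak regions that fell into it.
    """
    parent = {}

    def node(kind, name):
        key = (kind, name.lower())      # case-insensitive: @Handle_X == @handle_x
        parent.setdefault(key, key)
        return key

    for post in posts:
        alias_node = node("alias", post["alias"])
        for handle in post["contacts"]:
            _union(parent, alias_node, node("handle", handle))

    clusters = defaultdict(lambda: {"aliases": set(), "handles": set(),
                                    "forums": set(), "regions": set()})
    for kind, name in parent:
        root = _find(parent, (kind, name))
        clusters[root]["aliases" if kind == "alias" else "handles"].add(name)
    for post in posts:
        root = _find(parent, ("alias", post["alias"].lower()))
        clusters[root]["forums"].add(post["forum"])
        clusters[root]["regions"].add(post["region"])

    return sorted(clusters.values(),
                  key=lambda c: (-len(c["aliases"]), sorted(c["aliases"])))


def _normalize(text):
    """Lower-case and strip separators so 'actor_one' and 'ActorOne99' compare."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def alias_email_overlaps(aliases, emails, min_len=5):
    """Report (alias, email) pairs where the alias recurs in the e-mail local part.

    min_len guards against short fragments producing coincidental matches.
    """
    hits = []
    for alias in aliases:
        fragment = _normalize(alias)
        if len(fragment) < min_len:
            continue
        for email in emails:
            local = _normalize(email.split("@", 1)[0])
            if fragment in local:
                hits.append((alias, email))
    return hits


if __name__ == "__main__":
    for cluster in cluster_aliases(SAMPLE_POSTS):
        print(sorted(cluster["aliases"]), sorted(cluster["handles"]),
              sorted(cluster["regions"]))
        print("  alias/email overlaps:",
              alias_email_overlaps(cluster["aliases"], SAMPLE_EMAILS))
```

On the constructed input the three `actor_*` aliases collapse into one cluster because `@handle_x` and `@handle_y` bridge them, while `bystander` stays separate; that is exactly the pattern the report describes for @Big_Boss2149 appearing across several posting aliases. Handle reuse links profiles but does not by itself distinguish one person from a group sharing a contact point, so the cluster output should be read as a lead for further corroboration rather than as attribution on its own.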
Conclusion and Assessment Confidence
The combined evidence from StealthMole’s tools presents a high-confidence attribution linking the alias Devil120 to the real-world identity Kamil Paszewski of Poland. The actor is likely either operating solo with multiple aliases or leading a closely coordinated cluster using structured role separation (e.g., region-specific handles).
This case exemplifies how independent investigators can use StealthMole’s platform to correlate aliases, identify digital breadcrumbs, and expose infrastructure patterns, enabling faster, more accurate threat profiling.
Editorial Note
While every effort has been made to ensure the accuracy of this report, it is important to acknowledge that attribution in cyber investigations can never be guaranteed with complete certainty. The connections drawn between the alias "Devil120" and the identity of Kamil Paszewski are based on available open-source intelligence and StealthMole platform data. However, attribution remains probabilistic and subject to change as new information emerges.
The primary goal of this report is not just attribution, but to showcase how StealthMole’s platform enables comprehensive, efficient, and intuitive profiling of threat actors through integrated tools such as Dark Web & Telegram Trackers, ULP Binder, the Compromised Data Set and others. These tools allow even independent researchers to connect dots across aliases, infrastructure, and behavioral patterns, transforming fragmented data into actionable intelligence.
To access the unmasked report or full details, please reach out to us separately.
Contact us: support@stealthmole.com