The Bjorka Illusion: How One Hacker Became a Hundred
For years, the name Bjorka has echoed across Southeast Asia’s digital underground, a symbol of defiance, disruption, and defaced state systems. But behind the loud persona and scattered Telegram channels lies a far more complex reality.
What began as a hacktivist spectacle tied to Indonesian politics soon drifted beyond its local origins. Across deep web forums, obscure data markets, and shifting domain names, traces of the Bjorka identity began to appear in unexpected places, far from the noise of Jakarta’s cyber stage.
As the brand grew, so did its contradictions. Multiple accounts, domains, and wallets emerged under the same name, each claiming to be the original voice behind the leaks. Some shouted for attention; others worked quietly, trading data in corners of the web that rarely surface to the public.
This report follows that trail, uncovering how one name splintered into many, and how those fragments now point to something much larger than a single hacker. The truth, as our investigation reveals, isn’t only about who Bjorka is but how the name itself became a weapon, a mask, and a marketplace.
Incident Trigger & Initial Investigation
The story didn’t begin with Telegram.
Long before the name Bjorka trended across Indonesia’s social media feeds, it existed quietly in the archives of hacking forums. As early as 2020, a user under the same name appeared on RaidForums, selling Indonesian databases and using the contact handle @bj*******a with the email bj*****@**.me. Months later, that same identity resurfaced under a new domain, leaks.sh, a platform dedicated to hosting breach data and leak indexes, complete with cryptocurrency donation wallets and a Telegram presence.
The platform vanished in 2021, but its fingerprints lingered: the same contact details, the same writing tone, and the same technical footprint. By mid-2022, those traces re-emerged, this time under a louder banner. On 31 August 2022, a forum post on Breached.to titled “INDONESIA SIM CARD (PHONE NUMBER) REGISTRATION 1.3 BILLION” reignited the name Bjorka across the region. Within hours, a wave of new Telegram channels appeared, claiming to be the hacker behind the breach.
To most observers, this was the birth of Bjorka. But the metadata told another story. The Breached.to account that posted the Kominfo leak was created weeks earlier, on 9 August 2022, and linked to the same ecosystem of domains and identifiers once tied to leaks.sh.
From that point, the name took on a life of its own. Dozens of Telegram channels emerged, each echoing the voice of the original, each diverging in style and intent. Some vanished within weeks. Others evolved into networks of their own, connected through bj****.ai, N******.**t, and a web of mirrors, wallets, and impersonators.
What began as a resurfaced identity from the deep web quickly became a decentralized myth, one that blurred the lines between the real Bjorka and the many who tried to wear the mask.
Channel Discovery & Evolution
Every alias leaves a trail, some intentional, others accidental. In Bjorka’s case, the problem was never a lack of evidence; it was the surplus of it. Between 2020 and 2025, the name surfaced across three major ecosystems: dark-web leak markets, surface-web domains, and Telegram networks that often contradicted one another.
Earlier investigations suggested Bjorka began on Telegram in 2022, but new archival data traces its roots further back, to a small leak-hosting platform called leaks.sh (2020–2021) and a series of forum posts on RaidForums and Breached.to. From those early footprints, the identity evolved through bj******.ai and later N******.**t, each phase spawning new Telegram channels and mirror accounts that fought to claim authenticity.
Using StealthMole, we reconstructed this digital lineage, from Bjorka’s earliest leak infrastructures to the most recent Telegram channels tied to this ecosystem.
1. Early Footprints: leaks.sh and the Beginning (2020–2021)
The earliest verifiable traces of Bjorka date back to late 2020 on RaidForums, where a user under the alias @bj*******a advertised Indonesian databases for sale using the contact email bj******@**.me. Around the same period, the same handle launched a standalone leak-hosting platform, leaks.sh, a minimalist website that indexed breached datasets and accepted cryptocurrency donations through the following wallets:
- BTC: 1L*************************b
- ETH: 0x********************************9
- DOGE: DN*******************************8
Archived Telegram messages from March 2021 show users thanking @bj*******a for developing leaks.sh, to which the operator responded:
“Just to let you know, leaks.sh maybe will shut down soon. After I find another technology, leaks.sh will be back online then.”
The site eventually went offline, but its digital fingerprints, especially the recurring contact bj*****@**.me, reappeared across multiple platforms and forum posts in the years that followed. This persistent use of identical contact points and wallet addresses suggests continuity of control rather than coincidence.
With hindsight, leaks.sh stands as the earliest confirmed center of the Bjorka ecosystem, the first tangible manifestation of what would later evolve into a network of leak domains, Telegram channels, and dark-web operations.
2. Re-Emergence and Amplification: Breached.to and the Kominfo Leak (2022)
After nearly a year of silence, Bjorka resurfaced on Breached.to on 9 August 2022 under user ID 61844. Only weeks later, on 31 August 2022, the account published one of the most consequential posts in recent Southeast Asian cyber history: “INDONESIA SIM CARD (PHONE NUMBER) REGISTRATION — 1.3 BILLION.”
The breach, containing national subscriber registration data, sparked immediate public outrage and extensive media coverage, turning Bjorka into a household name across Indonesia. For the first time, the alias stepped out of dark-web obscurity and into a politically charged spotlight.
Within days, new communication nodes began to appear. By November 2022, subsequent Breached.to threads referenced a fresh contact domain, bj****.ai, and a Telegram handle @bj*****a, both displaying the same operational language, tone, and structure previously seen on leaks.sh. The bj*****.ai/contact page listed a Warsaw address: K******e P******** 48/50, 00-071 W*********a, the email g***@bj****.ai, and the Twitter handle @bj*********e, linking the newly surfaced infrastructure to a European base of operation.
This marked a clear transformation: from a dark-web data seller into a self-styled “data transparency” activist with branding, social media, and dedicated leak portals. The shift brought visibility but also imitation. Within days of the Kominfo post, at least a dozen Telegram channels appeared, each adopting the Bjorka name, each claiming to be the original source of the leaks.
What began as a singular actor resurfacing through Breached.to rapidly evolved into a digital phenomenon: a brand, a banner, and, for many, a mystery that blurred the line between activism and commerce.
3. The Telegram Web: Echoes, Imitators, and Shifting Voices (2022–2025)
Core Channels: Suspected Authentic Infrastructure
Several Telegram channels displayed operational consistency with Bjorka’s verified domains, communication handles, and stylistic patterns, forming what appears to be the authentic core of the network.
- @bj****a / t.me/bj******a (Created in late 2022)
This channel’s bio listed bj******.ai and the contact god@bj******.ai, matching the Breached.to profile used during the Kominfo breach. Its tone, phrasing, and timestamps aligned closely with posts made on bj******.ai and leaks.sh, suggesting the same operator.
- @bj*****a / t.me/bj*****a (Created 18 September 2022)
This channel, operating under the name Bjorkanism, appeared shortly after the Kominfo breach and quickly aligned itself with the verified infrastructure. Its profile linked directly to the Twitter account @bj*******e and referenced N******.**t, both core elements of the Polish-led ecosystem. Posts were primarily in English, occasionally in Polish, and reflected the same structured style seen across bj******.ai and @bj****a.
While smaller in scale, @bj****a functioned as an auxiliary outlet for updates and mirrored communications, reinforcing continuity between Bjorka’s dark-web persona and his expanding public presence. Its creation date and consistent linkage to @bj*******e position it within the authentic operational lineage rather than the later wave of imitator accounts.
- @bj*********al / t.me/bj****************al (Created on 19 November 2022)
This account served as the main public broadcast channel. It frequently cross-linked with the Twitter account @bj*******e, used the same formatting as bj******.ai updates, and acted as the primary announcement hub during late 2022.
- @bj*********n / t.me/bj***************n (Created on 19 November 2022)
This channel initially mirrored @bj*********al but gradually became the central platform from 2024 onward, promoting N******.**t and continuing to post through 12 October 2025. The consistent reuse of verified domains, matching phrasing, and shared crypto references link @bj*********n directly to the same Polish-led infrastructure that originated with bj******.ai.
Taken together, these three channels represent the continuous thread of the Bjorka identity, from its public re-emergence in 2022 to its latest known activity in 2025, forming a coherent operational lineage across platforms and time.
Indonesian Amplifiers and Imitators
As Bjorka’s fame reached new heights in late 2022, the alias became a rallying cry within Indonesia’s digital underground. Dozens of Telegram channels emerged in the wake of the Kominfo breach, many adopting the Bjorka name but diverging sharply in tone, content, and purpose. What had started as a global data-leak identity evolved, in this localized context, into a mix of hacktivist symbolism, political expression, and opportunistic impersonation.
Using StealthMole’s Telegram Tracker, several of these channels were mapped by creation date, linked accounts, and behavioral patterns. The findings reveal a clear split between the original leak infrastructure and regionally focused imitators. While their content often recycled authentic leaks, their digital signatures (email domains, IP footprints, and cryptocurrency addresses) showed no overlap with the verified bj******.ai or N******.**t infrastructure.
- @bj**************1 / t.me/bj**************1 (Created 4 May 2022)
This is the earliest known Telegram channel using the Bjorka name, appearing months before the Kominfo breach brought the alias into mainstream attention. The channel contained minimal content, mostly brief status updates and links to the now-defunct Twitter account @bj********n, which circulated anti-government commentary.
While no technical links tie this channel to the verified Bjorka infrastructure, its early creation date suggests it may have been an initial test or placeholder rather than a later imitation. The lack of leaks, cross-platform promotion, or domain references differentiates it from the organized ecosystem that emerged after August 2022.
- @bj************a / t.me/bj****************a (Created 14 September 2022)
Operated under the banner Bjorka Indonesia, this channel became one of the most active hubs in the local cyber community. It cross-linked to multiple social platforms:
- Twitter: @bj*********a (created January 2011, active through 2025)
- Facebook: facebook.com/bj************a (created December 2012)
- Instagram: @bj*********a (created September 2022)
- YouTube: youtube.com/in***************r (created September 2010)
- Blogs: bj***********a.blogspot.com and in**********r.blogspot.com (linked to in************@gmail.com)
Following the Indonesian government’s announcement on 4 October 2025 that a 22-year-old man (initials WFT) had been arrested as Bjorka, these channels coordinated a near-simultaneous response, posting the same message across platforms: “I’m still here.”
The statement, echoed across Facebook, Twitter, and Instagram, was widely seen as a direct denial of state claims, and it reinforced public confusion over Bjorka’s true identity. Even Indonesian officials later conceded that the detained suspect was “likely an impersonator.”
- @bj********m / t.me/bj*******m (Created 3 February 2023)
This channel framed itself as Bjorka’s “official” Indonesian continuation. Posts from March 2023 included statements that the operator was “taking a break” under pressure from authorities. The channel was found to be linked to the email address g****@bj****.pro.
Cross-Linked and Hybrid Channels: Shared Infrastructure, Divergent Messaging
As Bjorka’s digital footprint expanded beyond bj******.ai, a subset of Telegram channels began to blur the line between authentic and imitation. These accounts reused infrastructure belonging to the verified Polish operator, including domains, Monero wallets, and TOX IDs, but localized their tone, often posting in Bahasa Indonesia or English. This overlap suggests a diffusion of technical assets across networks, either through deliberate collaboration or credential replication by secondary actors.
- @bj**************t / t.me/bj*******************it (Created 26 May 2023)
This channel operated under the Bjorkanism label and prominently referenced both bj******.ai and N******.**t, domains directly tied to the Polish-led infrastructure. Its metadata revealed a TOX ID and a Monero wallet, the same address later associated with the Brain Cipher ransomware operation.
- TOX ID: BB**************************************************3
- Monero: 42m************************************************H
However, despite the overlap in identifiers, the channel’s behavior suggested imitation rather than direct operator control. Its posts alternated between professional leak announcements and recycled messages from other impersonator groups. The combination of authentic digital artifacts and inconsistent messaging indicates that @bj************t likely represented an unauthorized copycat effort attempting to mirror legitimate infrastructure for credibility.
- @bj********e / t.me/bj****************e (Created 24 March 2024)
Operating under the name Bjorka Spirit, this channel provided one of the clearest examples of infrastructure reuse across ecosystems. Its metadata is linked to the same N******.**t domain and the same @bj*******e Twitter account used by the Polish Bjorka.
The channel also displayed multiple cryptocurrency wallets associated with ransomware ecosystems overlapping Babuk and Brain Cipher, including:
- Monero: 84a*********************************************V
- Bitcoin: 19******************************************Y
- Ethereum: 0x****************************************7
- Email: bab***********l@onionmail.org, bj*****@**.me, l**************t@onionmail.org
These overlaps indicate that by 2024, Bjorka’s infrastructure had become entangled with broader ransomware activity. Whether this happened through shared backend access, copied wallets, or coordinated partnerships remains unclear.
The “Doxx Hacker Bjorka” Operation
In August 2025, a coordinated campaign surfaced across several impersonator groups including Babuk Locker V2, Data World All, Scattered Lapsuss Hunters and others, circulating a message titled “Doxx Hacker Bjorka.” The message claimed that Bjorka was an Indonesian man named R***i R******i, exposing his home address, personal email addresses and contact numbers.
- re**************@gmail.com
- re*************1@gmail.com
- ha*************1@yahoo.com
- bj*****@**.me
StealthMole’s Compromised Data Set and ULP Binder tools revealed that these email accounts appeared in over 130 stealer-log records between 2023 and 2025, containing common user credentials and device identifiers, consistent with a compromised personal system. None of the data connected these accounts to Bjorka’s known infrastructure, communication handles, or cryptocurrency wallets.
The absence of overlap suggests that the individual named in the “doxx” was a victim of unrelated data compromises rather than Bjorka himself. The campaign’s timing, coinciding with renewed activity on N******.**t, points to a coordinated misinformation attempt by impersonator groups, likely intended to mislead attribution efforts and sow confusion around Bjorka’s identity.
4. The N*******s Era: Consolidation and Control (2024–2025)
By mid-2024, Bjorka’s once-scattered digital presence had begun to converge around a single domain, N******.**t. What started as a self-branded transparency project through bj******.ai evolved into a professionalized leak infrastructure built for persistence and monetization.
StealthMole traces show multiple points of overlap between N******.**t and bj******.ai, including recurring contact handles and shared references in forum and Telegram posts. The site’s public-facing contact details reinforced that continuity:
- Email: bj*****@**.me
- Address: Kr**********e Pr**********e 48/50, 00-071 W*********a, P******d
- Twitter: @bj*******e
- Telegram: @b******a
Activity on N******.**t mirrored that on the Telegram channels @bj*********n and @bj****a, with leaks posted to the domain often appearing on Telegram within minutes, an operational tempo consistent with centralized management.
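The three signals this report relies on (no identifier overlap for imitators, identifier reuse without operator behavior for hybrid channels, and reposting within minutes for core channels) can be combined into a simple triage. The sketch below is an added illustration, not StealthMole tooling or code from the investigation; every indicator, channel name, and timestamp is a constructed placeholder, and the 10-minute window and 0.8 ratio are assumed thresholds.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# All values below are constructed placeholders, not indicators from the report.
SEED = {
    "email": {"operator@example.invalid"},
    "domain": {"leak-portal.example", "leak-index.example"},
    "wallet": {"XMR-PLACEHOLDER-0001"},
}
T0 = datetime(2025, 1, 1, 12, 0)
# Leak id -> time it appeared on the seed leak site (constructed).
SITE_POSTS = {"leak-a": T0, "leak-b": T0 + timedelta(days=2), "leak-c": T0 + timedelta(days=5)}


@dataclass
class Channel:
    name: str
    indicators: dict                            # kind -> set of observed values
    posts: dict = field(default_factory=dict)   # leak id -> time posted on the channel


def shared_indicators(ch, seed=SEED):
    """Return the seed indicators that also appear in the channel's metadata."""
    hits = {kind: ch.indicators.get(kind, set()) & values for kind, values in seed.items()}
    return {kind: vals for kind, vals in hits.items() if vals}


def mirror_ratio(ch, site_posts=SITE_POSTS, window=timedelta(minutes=10)):
    """Fraction of site leaks the channel repeated within `window` of the site post."""
    if not site_posts:
        return 0.0
    hits = sum(
        1 for leak, t_site in site_posts.items()
        if leak in ch.posts and timedelta(0) <= ch.posts[leak] - t_site <= window
    )
    return hits / len(site_posts)


def classify(ch, min_ratio=0.8):
    """core: shared identifiers AND tight tempo; hybrid: identifiers only; imitator: neither."""
    if not shared_indicators(ch):
        return "imitator"
    return "core" if mirror_ratio(ch) >= min_ratio else "hybrid"


CHANNELS = [
    Channel("chan_core", {"domain": {"leak-portal.example"}, "email": {"operator@example.invalid"}},
            {"leak-a": T0 + timedelta(minutes=2), "leak-b": T0 + timedelta(days=2, minutes=4),
             "leak-c": T0 + timedelta(days=5, minutes=1)}),
    Channel("chan_hybrid", {"domain": {"leak-portal.example"}, "wallet": {"XMR-PLACEHOLDER-0001"}},
            {"leak-a": T0 + timedelta(days=3)}),
    Channel("chan_imitator", {"email": {"fan-page@example.invalid"}},
            {"leak-a": T0 + timedelta(days=1)}),
]

if __name__ == "__main__":
    for ch in CHANNELS:
        print(f"{ch.name:14} {classify(ch):9} ratio={mirror_ratio(ch):.2f} shared={shared_indicators(ch)}")
```

Published wallets, domains, and handles can be copied by anyone, which is why identifier overlap alone yields "hybrid" here and the timing signal is required before a channel is treated as operator-controlled.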
Assessment
The evidence collected through StealthMole outlines a complex but traceable evolution: an alias that began as a single actor in Poland and fractured into dozens of imitations across Southeast Asia. Over five years of digital artifacts, from Leaks.sh to N******.**t, the continuity is too consistent to be coincidental.
The authentic Bjorka infrastructure resides within the Polish cluster. Domains, handles, and operational assets registered between 2020 and 2025 reveal persistent identifiers: bj*****@**.me, g**@bj******.ai, a Warsaw address, and the same recurring cryptocurrency wallets. These elements create a verifiable lineage linking the early Leaks.sh actor to the mature N*******s operator. Linguistic patterns reinforce that connection: precise English phrasing and intermittent Polish syntax across Telegram and forum posts.
The Indonesian network, in contrast, represents an independent amplification sphere: a mix of imitators, supporters, and opportunists who adopted Bjorka’s image as a symbol of protest and online defiance. Among them, channels such as @bj*********a and its affiliated Facebook and Instagram pages became particularly active in replicating the brand’s tone and persona without any verified infrastructure linkage.
The October 2025 arrest of WFT, a 22-year-old Indonesian man accused of being Bjorka, epitomized this confusion. Indonesian authorities claimed that WFT had operated the Twitter accounts @bj*******a and @bj********a, which had been central to earlier online campaigns. However, discrepancies quickly surfaced. On 7 October 2025, the @bj******a account posted a new message, “I’m here,” days after the arrest. This cast immediate doubt on the attribution.
Investigators later confirmed that WFT had been active under the alias “Bjorka” since 2020 but were unable to link him to the large-scale breaches that defined the real actor’s reputation, including the Kominfo breach and subsequent N********s operations. On the same day as the arrest, the @bj*********n Telegram channel, associated with the verified Polish infrastructure, released a leak containing Indonesian police data, a deliberate signal disproving the arrest narrative.
The sequence of events underscores a recurring dynamic: the Bjorka brand now operates simultaneously as a real actor, a public myth, and a propaganda tool. Imitators such as @bj**********a mimic the language of resistance; the real operator communicates through verifiable technical action. The overlap between genuine and fabricated personas has created an environment where attribution itself becomes a weapon, used to shape public perception as much as to obscure operational truth.
Taken together, the technical and behavioral indicators support a high-confidence assessment: the Polish cluster constitutes the original Bjorka operation. The repeated infrastructure reuse, domain continuity, and linguistic consistency outweigh any surface-level mimicry from Southeast Asian channels.
Conclusion
The name Bjorka began as a digital signature, a single alias linked to the underground forums of the early 2020s. Five years later, it has become something larger: a decentralized mythology shaped by imitation, media, and the politics of exposure.
The investigation through StealthMole shows that while the original actor remains operational within a defined infrastructure, the identity itself has escaped containment. Each imitation, denial, or arrest only amplifies its reach. The result is a persona that thrives on uncertainty, one that governments attempt to silence, imitators seek to embody, and investigators struggle to define.
Whether out of defiance or design, Bjorka has achieved what most threat actors never do: persistence beyond verification. The myth no longer depends on the operator’s presence; it sustains itself through replication, contradiction, and belief. In a landscape where data leaks and digital theater now coexist, Bjorka stands as a reminder that in cyberspace, exposure and illusion often share the same address.
Editorial Note
While every effort has been made to ensure the accuracy of this report, attribution in cases like Bjorka remains inherently complex. Much of the evidence analyzed reflects a constantly shifting digital environment where multiple actors may reuse the same identities, tools, and branding for unrelated purposes. The findings presented here are based on data collected and verified through StealthMole’s intelligence platform, yet the true identity of the original Bjorka remains unconfirmed.
To access the unmasked report or full details, please reach out to us separately.
Contact us: support@stealthmole.com