From BlackVortex1 to ShadowByt3$: Tracing a Multi-Platform RaaS Infrastructure and Leak Operations

Ransomware-as-a-Service (RaaS) operations have increasingly shifted from tightly controlled groups to more accessible, affiliate-driven ecosystems. What once required technical expertise and closed networks is now being repackaged into models that lower the barrier to entry, allowing individuals with varying levels of capability to participate in data extortion activities.

Amid this broader shift, a relatively new name, ShadowByt3$, began surfacing across multiple platforms. The activity did not originate from a single identifiable breach or announcement, but rather through scattered indicators: forum posts, leak promotions, and fragments of infrastructure appearing across both clear web and dark web environments.

At first glance, these elements appeared disconnected. However, as the investigation progressed through StealthMole, a pattern began to emerge: one that suggested coordination rather than coincidence. What initially looked like isolated activity gradually revealed the outline of an operation attempting to position itself within the RaaS landscape.

This report traces how those fragments connect, following the path from a low-profile forum identity to a broader ecosystem built around data leaks, recruitment, and multi-platform visibility.

Incident Trigger and Initial Investigation

The investigation was initiated through StealthMole’s ransomware monitoring, which flagged a data leak associated with the University of Georgia in early April 2026. The listing was attributed to a group named ShadowByt3$, with the data published on a dedicated onion-based leak page:

  • mfbbt****************************************2qad.onion

Accessing the page provided the first clear indication that this was not an isolated incident. The site displayed multiple organizations, each accompanied by timestamps and downloadable data samples, suggesting an ongoing operation rather than a single breach disclosure.

Before expanding the investigation further, the focus remained on understanding the nature of this onion site. Using StealthMole’s historical indexing, earlier versions of the same onion page were reviewed. This revealed a noticeable shift in presentation within a short period:

  • On 8 April 2026, the interface appeared in a purple theme, accompanied by a more aggressive, campaign-style message.
  • By 9 April 2026, the same site had shifted to a blue-themed interface, presenting itself as a private platform for vetted users, with emphasis on controlled access and onboarding.

This rapid change points to active maintenance rather than a static deployment: within a day the operator had reworked how the platform presented itself, trading broad visibility against restricted access.

Leak Site Analysis and Infrastructure Discovery

With the leak page established as the central point of activity, the next step was to examine what sat behind it. Rather than treating it as a simple listing page, the investigation focused on the embedded elements that enable interaction: communication, payments, and access.

Running the onion domain through StealthMole’s Darkweb Tracker surfaced a consistent set of identifiers tied directly to the platform. These were not hidden or obfuscated; instead, they were deliberately exposed, indicating that the site was designed not just to display leaks, but to facilitate engagement.

The page provided multiple contact channels:

  • ProtonMail: Sha*****S@proton.me
  • TOX ID: A96D*******************************43F
  • Telegram:
    • https://t.me/Shad******2
    • https://t.me/Shad******S

Alongside communication methods, the site listed cryptocurrency payment options:

  • Bitcoin: bc1qh********************************rgl
  • Ethereum: 0xd9*******************************f61
  • Monero: 47NH****************************************A9a

The combination of multiple communication channels and payment methods reflects an infrastructure built for accessibility rather than exclusivity. Instead of forcing interaction through a single controlled channel, the operator offers several entry points, allowing victims or potential affiliates to engage using whichever method is most convenient.

A further pivot revealed the presence of an additional onion domain:

  • sdwb******************************************cad.onion

The structure and content of this secondary domain closely mirrored the primary leak site, suggesting it functions as a parallel or fallback instance. This kind of duplication is typically used to maintain continuity in case of disruption, indicating that the operator has considered basic resilience, even if the overall setup remains relatively lightweight.

The infrastructure presents a clear pattern: a central leak site supported by multiple communication channels and mirrored access points. The focus is not on concealment, but on ensuring that the operation remains reachable, adaptable, and easy to engage with. Those characteristics become more significant as the investigation moves beyond infrastructure into how the operation is promoted and sustained.
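The two steps described above, harvesting the contact and payment identifiers exposed on the leak page and then checking whether the second onion domain is a mirror of the first, can be automated. The script below is an added example, not StealthMole's tooling or anything taken from the actor's infrastructure. The HTML is constructed to stand in for a captured onion page; the e-mail address, TOX ID and wallet addresses are placeholders with the correct length and alphabet but no valid checksum (the report's own values are masked and are not reproduced here); only the two Telegram handles come from the report. Matching is syntactic, and the overlap and similarity thresholds in `mirror_score` are analyst assumptions.

```python
"""Extract contact/payment identifiers from leak-site HTML and score two
captures for mirroring. Added example with constructed input; not a capture
of the ShadowByt3$ pages and not StealthMole code."""
import re
from difflib import SequenceMatcher
from html import unescape

# Syntactic patterns only; lengths follow the protocols:
#   TOX ID  = 76 hex chars (32-byte key + 4-byte nospam + 2-byte checksum)
#   BTC     = 'bc1' + 39..59 chars of the bech32 alphabet (no 1, b, i, o)
#   ETH     = 0x + 40 hex chars
#   XMR     = 95 base58 chars, starting 4 (standard) or 8 (subaddress)
PATTERNS = {
    "email":    re.compile(r"\b[\w.+-]+@proton(?:mail)?\.(?:me|com)\b", re.I),
    "telegram": re.compile(r"\bt\.me/([A-Za-z0-9_]{5,32})\b"),
    "tox":      re.compile(r"\b[0-9A-Fa-f]{76}\b"),
    "btc":      re.compile(r"\bbc1[02-9ac-hj-np-z]{39,59}\b"),
    "eth":      re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "xmr":      re.compile(r"\b[48][1-9A-HJ-NP-Za-km-z]{94}\b"),
}
TAG_RE = re.compile(r"<[^>]+>")


def extract_identifiers(html):
    """Return {kind: set(values)} found anywhere in the markup, attributes included.
    Checksums (bech32, EIP-55, base58) are NOT verified; a production pipeline
    should validate before treating a hit as a wallet."""
    text = unescape(html)
    found = {}
    for kind, rx in PATTERNS.items():
        hits = {m.group(1) if rx.groups else m.group(0) for m in rx.finditer(text)}
        if hits:
            found[kind] = hits
    return found


def visible_text(html):
    """Strip tags and collapse whitespace so two captures compare as rendered text."""
    return " ".join(TAG_RE.sub(" ", unescape(html)).split())


def mirror_score(html_a, html_b):
    """Jaccard overlap of identifier sets plus rendered-text similarity.
    Both high => the second capture is most likely a mirror/fallback instance."""
    ids_a = {(k, v) for k, vs in extract_identifiers(html_a).items() for v in vs}
    ids_b = {(k, v) for k, vs in extract_identifiers(html_b).items() for v in vs}
    union = ids_a | ids_b
    jaccard = len(ids_a & ids_b) / len(union) if union else 0.0
    # autojunk=False: the default heuristic drops frequent characters on long strings
    ratio = SequenceMatcher(None, visible_text(html_a), visible_text(html_b),
                            autojunk=False).ratio()
    return {"identifier_overlap": round(jaccard, 2),
            "text_similarity": round(ratio, 2),
            "likely_mirror": jaccard >= 0.8 and ratio >= 0.9}   # assumed thresholds


# Constructed placeholders (right length and alphabet, no valid checksums).
TOX = "ABCDEF0123456789" * 4 + "0123456789AB"                       # 76 hex
BTC = "bc1q" + "qpzry9x8gf2tvdw0s3jn54khce6mua7l" + "qpzry9"       # 42 chars
ETH = "0x" + "0123456789abcdef" * 2 + "01234567"                    # 0x + 40 hex
XMR = "4" + "ABCDEFGHJKLMNPQRSTUVWXYZ" * 2 + "abcdefghijkmnopqrstuvwxyz" + "123456789ABCDEFGHJKLM"


def build_page(title, banner=""):
    """Constructed leak-site markup standing in for a captured onion page."""
    return f"""<html><body><h1>{title}</h1>{banner}
<p>Victim A - 2026-04-08 - sample.zip</p><p>Victim B - 2026-04-09 - sample.zip</p>
<p>Mail: <a href="mailto:ops-contact@proton.me">ops-contact@proton.me</a></p>
<p>TOX: {TOX}</p>
<p><a href="https://t.me/ShadowByt3S">Telegram</a> <a href="https://t.me/ShadowBytsleaks">Leaks</a></p>
<p>BTC {BTC} ETH {ETH} XMR {XMR}</p></body></html>"""


PRIMARY = build_page("ShadowByt3$ Leaks")
MIRROR = build_page("ShadowByt3$ Leaks", "<p>Backup instance</p>")
UNRELATED = "<html><body><h1>Other Group</h1><p>Mail: other@proton.me</p></body></html>"

if __name__ == "__main__":
    print(extract_identifiers(PRIMARY))
    print("primary vs mirror:   ", mirror_score(PRIMARY, MIRROR))
    print("primary vs unrelated:", mirror_score(PRIMARY, UNRELATED))
```

The identifier overlap is the stronger of the two signals: leak-site operators routinely restyle a mirror (as the purple/blue theme change above shows), so text similarity alone can drop below threshold while the TOX ID, wallets and Telegram handles stay identical. Pivoting on those shared identifiers is also what lets a second domain be attributed to the same operator rather than to a copycat.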

Leak Distribution and Operational Use of Telegram

While the onion site provided the structural backbone of the operation, it did not fully capture how ShadowByt3$ interacted with its audience. That layer became visible through Telegram, where activity was more dynamic and operational in nature.

Pivoting the previously identified links within StealthMole led to the channel:

  • https://t.me/ShadowByt3S

Unlike the static presentation of the leak site, this channel reflected ongoing activity. Posts were used to announce leaks, share partial datasets, and direct users toward external download links. The content was not uniform: some entries focused on specific organizations, while others emphasized dataset size or type, suggesting an attempt to appeal to both victims and potential buyers.

A consistent pattern emerged in how leaks were presented. Instead of immediately releasing full datasets, the actor shared limited samples alongside brief descriptions of the compromised data. These previews often highlighted sensitive elements (operational logs, internal documentation, or personally identifiable information): enough to demonstrate access without exposing the full dataset.

This approach serves two purposes. First, it reinforces credibility by providing tangible proof of compromise. Second, it creates controlled exposure, allowing the actor to retain leverage while increasing pressure on the affected organization.

Another recurring element in the channel was the use of time-bound messaging. Certain posts referenced deadlines or implied consequences if no response was received, aligning with extortion-driven workflows rather than simple data dumping. In some cases, the messaging extended beyond disclosure, indicating that data could be sold or redistributed if demands were not met.

In addition to leak announcements, the channel also contained messages aimed at recruitment. Rather than positioning itself solely as a distribution platform, it was used to attract individuals with potential access to corporate environments, offering a share of proceeds in exchange for collaboration. This shifts the role of Telegram from a passive broadcast channel to an active operational tool: one that supports both monetization and expansion.

A secondary channel was also identified:

  • https://t.me/ShadowBytsleaks

Its presence suggests an effort to maintain continuity, either as a backup or as an additional outlet for distributing content. This redundancy aligns with the broader pattern observed in the infrastructure: prioritizing availability and reach across multiple platforms.
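Monitoring a channel like this means turning a stream of posts into the stages described above (sample release, deadline, recruitment, full leak) and resolving time-bound messages into absolute deadlines so that pressure on a named victim can be tracked. The script below is an added example, not StealthMole code; the export is constructed to mimic the JSON shape Telegram Desktop produces (a `messages` list whose `text` field is either a string or a list of strings and entity objects) and is not a capture of the ShadowByt3S channel. The keyword lists and the single-deadline-per-post assumption are analyst choices that would need tuning against real traffic.

```python
"""Triage a Telegram channel export into extortion-workflow stages and resolve
relative deadlines to absolute times. Added example; the export is constructed."""
import json
import re
from datetime import datetime, timedelta

# Analyst-chosen keyword lists (assumption); a post may carry several tags.
STAGE_KEYWORDS = {
    "recruitment": ("insider", "corporate access", "join us", "share of", "affiliate"),
    "sale":        ("for sale", "buyers", "price"),
    "deadline":    ("hours", "deadline", "days left", "or we publish"),
    "sample":      ("sample", "preview", "proof"),
    "leak":        ("leaked", "full data", "download", "published"),
}
REL_RE = re.compile(r"(\d+)\s*(hour|day)s?", re.I)       # "72 hours", "3 days"
ABS_RE = re.compile(r"\b(\d{4}-\d{2}-\d{2})\b")            # "2026-04-15"
URL_RE = re.compile(r"https?://\S+")


def flatten_text(text):
    """Telegram exports 'text' as a plain string or as a list mixing strings and
    entity dicts ({"type": "bold", "text": "..."}); join them back into one string."""
    if isinstance(text, str):
        return text
    return "".join(t if isinstance(t, str) else t.get("text", "") for t in text)


def tag_post(text):
    low = text.lower()
    tags = {stage for stage, words in STAGE_KEYWORDS.items() if any(w in low for w in words)}
    return tags or {"other"}


def resolve_deadline(text, posted_at):
    """Absolute deadline implied by the post, or None. Only called for posts
    tagged 'deadline', so a date mentioned in a sample post (e.g. a breach date)
    is not mistaken for an ultimatum."""
    m = ABS_RE.search(text)
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%d")
    m = REL_RE.search(text)
    if m:
        n, unit = int(m.group(1)), m.group(2).lower()
        return posted_at + (timedelta(hours=n) if unit == "hour" else timedelta(days=n))
    return None


def triage(export_json):
    """Return one row per real message: id, posted time, tags, deadline, links."""
    rows = []
    for msg in json.loads(export_json)["messages"]:
        if msg.get("type") != "message":          # skip pins/joins and other service events
            continue
        text = flatten_text(msg.get("text", ""))
        posted = datetime.fromisoformat(msg["date"])
        tags = tag_post(text)
        rows.append({
            "id": msg["id"],
            "posted": posted,
            "tags": tags,
            "deadline": resolve_deadline(text, posted) if "deadline" in tags else None,
            "links": URL_RE.findall(text),
        })
    return rows


def open_deadlines(rows, now_iso):
    """IDs of posts whose ultimatum has not yet expired at the given time."""
    now = datetime.fromisoformat(now_iso)
    return [r["id"] for r in rows if r["deadline"] is not None and r["deadline"] > now]


# Constructed export in Telegram Desktop's JSON shape (not a real capture).
EXPORT = json.dumps({"name": "constructed channel", "type": "public_channel", "messages": [
    {"id": 1, "type": "message", "date": "2026-04-08T10:00:00",
     "text": "New victim: Example University. Sample preview: https://example.invalid/sample.zip"},
    {"id": 2, "type": "message", "date": "2026-04-08T10:05:00",
     "text": ["They have ", {"type": "bold", "text": "72 hours"}, " to respond or we publish everything."]},
    {"id": 3, "type": "message", "date": "2026-04-09T09:00:00",
     "text": "Insiders with corporate access: join us, you get a share of every payment."},
    {"id": 4, "type": "service", "date": "2026-04-09T09:01:00", "action": "pin_message", "text": ""},
    {"id": 5, "type": "message", "date": "2026-04-10T12:00:00",
     "text": "Full data published, download: https://example.invalid/full.7z"},
]})

if __name__ == "__main__":
    for row in triage(EXPORT):
        print(row["id"], sorted(row["tags"]), row["deadline"], row["links"])
```

Tagging is deliberately multi-label: a single post often combines a sample with an ultimatum, and collapsing it to one category loses the deadline. The `open_deadlines` helper is what an analyst would poll to see which named victims are still inside the actor's window, and the link list feeds the external download hosts back into infrastructure tracking.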

Attribution Pivot: Linking ShadowByt3$ to BlackVortex1

Up to this point, the investigation had established how the operation functioned: its infrastructure, communication channels, and leak distribution methods. The next step was to understand who was behind it, or at least how the activity could be tied to a consistent identity.

This pivot emerged through a DarkForums thread:

  • https://darkforums.***/Thread-ShadowB********************School

The post, published by a user operating under the name BlackVortex1, directly referenced ShadowByt3$ and pointed toward the same ecosystem already observed. The connection was not implied; it was stated outright, providing the first explicit bridge between a forum identity and the broader operation.

Rather than treating this as a standalone claim, the investigation expanded by running the username through StealthMole’s Darkweb Tracker. This revealed that BlackVortex1 was not limited to a single platform. The same handle appeared across multiple forums, including:

  • https://darkforums.***/User-BlackVortex1
  • https://breachsta*****/profile/BlackVortex1
  • https://cracked***/BlackVortex1
  • https://breachsta****/profile/BlackVortex1

At a surface level, these profiles offered limited activity. Reputation scores were low, and engagement was minimal. However, the consistency of the username across platforms, combined with the timing of account creation, concentrated between late 2025 and early 2026, suggested something more deliberate than casual reuse.

This pattern points toward a coordinated effort to establish a presence across multiple forums within a short timeframe. Rather than building reputation gradually, the actor appears to prioritize visibility and reach, ensuring that the same identity can be discovered in different environments.

The significance of this becomes clearer when viewed alongside the earlier findings. The infrastructure, Telegram activity, and forum presence are not operating independently; they are interconnected through a consistent set of identifiers. The BlackVortex1 profile acts as an entry point into that network, linking promotional activity on forums to the operational ecosystem observed elsewhere.

RaaS Model and Operational Structure

The investigation reached a turning point when activity linked to the BlackVortex1 profile led to a thread on Cracked.sh:

  • https://cracked.sh/Thread-HADOWBYT3-RAAS

Unlike earlier touchpoints, which focused on leaks and promotion, this thread provided a more direct look into how the operation is structured. Rather than presenting isolated incidents, it outlined a model, one that aligns with ransomware-as-a-service frameworks but reflects characteristics of an operation still in its early stages.

One of the most immediate observations is the emphasis on participation rather than exclusivity. The model does not restrict access to a closed group of trusted affiliates. Instead, it introduces a dual-entry system:

  • Individuals with existing corporate access are encouraged to join without upfront cost
  • Others can gain entry by paying a relatively low fee (USD 250 in cryptocurrency)

This approach lowers the barrier to entry significantly. Instead of relying solely on skilled operators, the model appears designed to attract a broader range of participants, including those who may not have technical capabilities but possess access or the potential to obtain it.

The revenue structure further reinforces this design. A 70/30 split is offered in favor of affiliates, allowing participants to retain the majority of any ransom payments. From an operational perspective, this suggests that the core actor is prioritizing scale over control, incentivizing others to bring in targets while maintaining a smaller share of the proceeds.

Another notable element is the way responsibilities are distributed. The thread indicates that affiliates can rely on the operator for certain functions, including aspects of negotiation. This reduces the operational burden on participants and makes the model more accessible to less experienced actors. At the same time, it allows the operator to maintain a degree of involvement in the extortion process without directly carrying out every stage.

The technical details presented, including references to custom builds and encryption methods, are framed more as features than as deeply explained capabilities. This distinction is important. The thread reads less like a technical disclosure and more like a service offering, where functionality is highlighted to attract interest rather than to demonstrate depth.

Together, the structure reflects an operation focused on expansion. Instead of tightly controlling access or emphasizing advanced tooling, the model is built around accessibility, recruitment, and distribution of effort. This aligns with earlier observations from Telegram, where insider access and collaboration were actively encouraged.

Conclusion

The investigation into ShadowByt3$ reveals an operation that is still in the process of defining itself, but already exhibits the core components of a functioning ransomware ecosystem. Rather than emerging from a position of technical maturity or established reputation, the actor appears to be building outward: assembling infrastructure, expanding visibility, and attracting participation across multiple platforms simultaneously.

What stands out is not the sophistication of any single component, but the way these components are combined. Forum presence, Telegram activity, onion-based infrastructure, and a structured RaaS offering are all aligned toward a common objective: growth. The operation prioritizes accessibility, both in how it communicates and how it recruits, lowering barriers for participation while maintaining enough structure to appear credible.

The linkage to the BlackVortex1 identity reinforces this positioning. Instead of operating through long-established personas, the actor relies on a recently created but consistently reused identity, suggesting a deliberate attempt to seed presence across different ecosystems rather than build depth within a single one.

At its current stage, ShadowByt3$ reflects an operation in transition: moving from initial setup toward broader adoption. While its long-term trajectory remains uncertain, the foundation it has established demonstrates how quickly a coordinated presence can be built using readily available platforms and tools. The risk, therefore, lies not only in what the operation is today, but in how easily this model can scale if it succeeds in attracting sustained participation.

Editorial Note

Investigations into ransomware and dark web activity rarely offer complete visibility, and this case is no exception. Much of what is observed is derived from actor-controlled spaces, where claims, capabilities, and intent cannot always be independently verified. This inherent uncertainty makes careful correlation essential.

In this case, StealthMole enabled the investigation to move beyond isolated findings, connecting identities, infrastructure, and activity across multiple platforms to form a coherent narrative, not of certainty, but of informed understanding.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com
