Who’s Behind the 8Base Ransomware Website? – Krebs on Security


The victim shaming website operated by the cybercriminals behind 8Base — currently one of the more active ransomware groups — was until earlier today leaking quite a bit of information that the crime group probably didn’t intend to be made public. The leaked data suggests that at least some of the website’s code was written by a 36-year-old programmer residing in the capital city of Moldova.

The 8Base ransomware group’s victim shaming website on the darknet.

8Base maintains a darknet website that is only reachable via Tor, a freely available global anonymity network. The website lists hundreds of victim organizations and companies — all allegedly hacking victims that refused to pay a ransom to keep their stolen data from being published.

The 8Base darknet website also has a built-in chat feature, presumably so that 8Base victims can communicate and negotiate with their extortionists. This chat feature, which runs on the Laravel web application framework, works fine as long as you are *sending* information to the site (i.e., by making a “POST” request).

However, if one were to try to fetch data from the same chat service (i.e., by making a “GET” request), the website until quite recently generated an extremely verbose error message:

The verbose error message when one tries to pull data from 8Base’s darknet website. Notice the link at the bottom of this image, which is generated when one hovers over the “View commit” message under the “Git” heading.

That error page revealed the true Internet address of the Tor hidden service that houses the 8Base website: 95.216.51[.]74, which according to DomainTools.com is a server in Finland that is tied to the Germany-based hosting giant Hetzner.

But that’s not the interesting part: Scrolling down the lengthy error message, we can see a link to a private Gitlab server called Jcube-group: gitlab[.]com/jcube-group/clients/apex/8base-v2. Digging further into this Gitlab account, we can find some curious data points available in the JCube Group’s public code repository.

For example, this “status.php” page, which was committed to JCube Group’s Gitlab repository roughly one month ago, includes code that makes several mentions of the term “KYC” (e.g. KYC_UNVERIFIED, KYC_VERIFIED, and KYC_PENDING).

This is curious because a FAQ on the 8Base darknet website includes a section on “special offers for journalists and reporters,” which says the crime group is open to interviews but that journalists will need to prove their identity before any interview can take place. The 8Base FAQ refers to this vetting process as “KYC,” which generally stands for “Know Your Customer.”

“We highly respect the work of journalists and consider information to be our priority,” the 8Base FAQ reads. “We have a special program for journalists which includes sharing information a few hours or even days before it is officially published on our news website and Telegram channel: you would need to go through a KYC procedure to apply. Journalists and reporters can contact us via our PR Telegram channel with any questions.”

The 8Base FAQ (left) and the KYC code in Kolev’s Gitlab account (right).

The 8Base darknet website also has a publicly accessible “admin” login page, which features an image of a commercial passenger plane parked at what appears to be an airport. Next to the airplane photo is a message that reads, “Welcome to 8Base. Admin Login to 8Base dashboard.”

The login page on the 8Base ransomware group’s darknet website.

Right-clicking on the 8Base admin page and selecting “View Source” produces the page’s HTML code. That code is virtually identical to a “login.blade.php” page that was authored and committed to JCube Group’s Gitlab repository roughly three weeks ago.

It appears the person responsible for the JCube Group’s code is a 36-year-old developer from Chisinau, Moldova named Andrei Kolev. Mr. Kolev’s LinkedIn page says he is a full-stack developer at JCube Group, and that he is currently looking for work. The homepage for Jcubegroup[.]com lists an address and phone number that Moldovan business records confirm is tied to Mr. Kolev.

The posts on the Twitter account for Mr. Kolev (@andrewkolev) are all written in Russian, and reference several now-defunct online businesses, including pluginspro[.]ru.

Reached for comment via LinkedIn, Mr. Kolev said he had no idea why the 8Base darknet website was pulling code from the “clients” directory of his private JCube Group Gitlab repository, or how the 8Base name was even included.

“I [don’t have] a clue, I don’t have that project in my repo,” Kolev explained. “They [aren’t] my clients. Actually we currently have just our own projects.”

Mr. Kolev shared a screenshot of his current projects, but very quickly after that deleted it. However, KrebsOnSecurity captured a copy of the image before it was removed:

A screenshot of Mr. Kolev’s current projects that he quickly deleted.

Within minutes of explaining why I was reaching out to Mr. Kolev and walking him through the process of finding this connection, the 8Base website was changed, and the error message that linked to the JCube Group private Gitlab repository no longer appeared. Instead, trying the same “GET” method described above caused the 8Base website to return a “405 Method Not Allowed” error page:

Mr. Kolev claimed he didn’t know anything about the now-removed error page on 8Base’s website that referenced his private Gitlab repo, and said he deleted the screenshot from our LinkedIn chat because it contained private information.

Ransomware groups are known to remotely hire developers for specific projects without disclosing exactly who they are or how the new hire’s code is intended to be used, and it is possible that one of Mr. Kolev’s clients is merely a front for 8Base. But despite 8Base’s statement that they are happy to correspond with journalists, KrebsOnSecurity is still waiting for a reply from the group via their Telegram channel.

The tip about the leaky 8Base website was provided by a reader who asked to remain anonymous. That reader, a legitimate security professional and researcher who goes by the handle @htmalgae on Twitter, said it is likely that whoever developed the 8Base website inadvertently left it in “development mode,” which is what caused the site to be so verbose with its error messages.

“If 8Base was running the app in production mode instead of development mode, this Tor de-anonymization would have never been possible,” @htmalgae said.
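In a Laravel application, whether visitors see detailed error pages is governed by the `APP_DEBUG` and `APP_ENV` settings in the `.env` file. The following pre-deployment check is an added example, not code from the original article or from any site it describes; the function names and sample files are constructed for illustration, and the check conservatively treats any `APP_DEBUG` value other than an explicit false, 0 or empty as enabled.

```python
import re

# Values Laravel's env() helper maps to false, empty or null; "0" is falsy once cast to bool.
FALSY = {"false", "(false)", "0", "", "empty", "(empty)", "null", "(null)"}
ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(text):
    """Return (key, value) pairs for every KEY=VALUE line, duplicates included."""
    pairs = []
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(raw)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if val[:1] in ("'", '"'):
            end = val.find(val[0], 1)  # closing quote, if present
            val = val[1:end] if end != -1 else val[1:]
        else:
            val = re.split(r"\s+#", val, maxsplit=1)[0].strip()  # drop inline comment
        pairs.append((key, val))
    return pairs


def audit_laravel_env(text):
    """Return findings; an empty list means no debug exposure was found."""
    findings = []
    # Every assignment is checked: which duplicate wins depends on the loader.
    for key, val in parse_dotenv(text):
        if key == "APP_DEBUG" and val.lower() not in FALSY:
            findings.append(f"APP_DEBUG={val}: detailed error pages are served to visitors")
        elif key == "APP_ENV" and val.lower() != "production":
            findings.append(f"APP_ENV={val}: application is not marked as production")
    return findings


# Constructed sample files, not taken from any real deployment.
DEV_ENV = "APP_NAME=Example\nAPP_ENV=local\nAPP_DEBUG=true  # remove before deploy\n"
PROD_ENV = 'APP_NAME=Example\nAPP_ENV=production\nAPP_DEBUG="false"\n'

if __name__ == "__main__":
    for name, sample in (("dev", DEV_ENV), ("prod", PROD_ENV)):
        print(name, audit_laravel_env(sample) or "ok")
```

Run as a deployment gate, a non-empty result should fail the release before the application is exposed.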

A recent blog post from VMware/Carbon Black called the 8Base ransomware group “a heavy hitter” that has remained relatively unknown despite the massive spike in activity in the summer of 2023.

“8Base is a Ransomware group that has been active since March 2022 with a significant spike in activity in June of 2023,” Carbon Black researchers wrote. “Describing themselves as ‘simple pen testers,’ their leak site provided victim details through Frequently Asked Questions and Rules sections as well as multiple ways to contact them.”

According to VMware, what is particularly interesting about 8Base’s communication style is the use of verbiage that is strikingly familiar to another known cybercriminal group: RansomHouse.

“The group utilizes encryption paired with ‘name-and-shame’ techniques to compel their victims to pay their ransoms,” VMware researchers wrote. “8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery.”

