Who’s Behind the 8Base Ransomware Website?
The victim shaming website operated by the cybercriminals behind 8Base — currently one of the more active ransomware groups — was until earlier today leaking quite a bit of information that the crime group probably did not intend to be made public. The leaked data suggests that at least some of website’s code was written by a 36-year-old programmer residing in the capital city of Moldova.
The 8Base ransomware group’s victim shaming website on the darknet.
8Base maintains a darknet website that is only reachable via Tor, a freely available global anonymity network. The site lists hundreds of victim organizations and companies — all allegedly hacking victims that refused to pay a ransom to keep their stolen data from being published.
The 8Base darknet site also has a built-in chat feature, presumably so that 8Base victims can communicate and negotiate with their extortionists. This chat feature, which runs on the Laravel web application framework, works fine as long as you are *sending* information to the site (i.e., by making a “POST” request).
However, if one were to try to fetch data from the same chat service (i.e., by making a “GET” request), the website until quite recently generated an extremely verbose error message:
The verbose error message when one tries to pull data from 8Base’s darknet site. Notice the link at the bottom of this image, which is generated when one hovers over the “View commit” message under the “Git” heading.
That error page revealed the true Internet address of the Tor hidden service that houses the 8Base website: 95.216.51[.]74, which according to DomainTools.com is a server in Finland that is tied to the Germany-based hosting giant Hetzner.
But that’s not the interesting part: Scrolling down the lengthy error message, we can see a link to a private Gitlab server called Jcube-group: gitlab[.]com/jcube-group/clients/apex/8base-v2. Digging further into this Gitlab account, we can find some curious data points available in the JCube Group’s public code repository.
For example, this “status.php” page, which was committed to JCube Group’s Gitlab repository roughly one month ago, includes code that makes several mentions of the term “KYC” (e.g. KYC_UNVERIFIED, KYC_VERIFIED, and KYC_PENDING).
This is curious because a FAQ on the 8Base darknet site includes a section on “special offers for journalists and reporters,” which says the crime group is open to interviews but that journalists will need to prove their identity before any interview can take place. The 8base FAQ refers to this vetting process as “KYC,” which typically stands for “Know Your Customer.”
“We highly respect the work of journalists and consider information to be our priority,” the 8Base FAQ reads. “We have a special program for journalists which includes sharing information a few hours or even days before it is officially published on our news website and Telegram channel: you would need to go through a KYC procedure to apply. Journalists and reporters can contact us via our PR Telegram channel with any questions.”
The 8Base FAQ (left) and the KYC code in Kolev’s Gitlab account (right)
The 8Base darknet site also has a publicly accessible “admin” login page, which features an image of a commercial passenger plane parked at what appears to be an airport. Next to the airplane photo is a message that reads, “Welcome to 8Base. Admin Login to 8Base dashboard.”
The login page on the 8Base ransomware group’s darknet website.
Right-clicking on the 8Base admin page and selecting “View Source” produces the page’s HTML code. That code is virtually identical to a “login.blade.php” page that was authored and committed to JCube Group’s Gitlab repository roughly three weeks ago.
It appears the person responsible for the JCube Group’s code is a 36-year-old developer from Chisinau, Moldova named Andrei Kolev. Mr. Kolev’s LinkedIn page says he’s a full-stack developer at JCube Group, and that he’s currently looking for work. The homepage for Jcubegroup[.]com lists an address and phone number that Moldovan business records confirm is tied to Mr. Kolev.
The posts on the Twitter account for Mr. Kolev (@andrewkolev) are all written in Russian, and reference several now-defunct online businesses, including pluginspro[.]ru.
Reached for comment via LinkedIn, Mr. Kolev said he had no idea why the 8Base darknet site was pulling code from the “clients” directory of his private JCube Group Gitlab repository, or how the 8Base name was even included.
“I [don’t have] a clue, I don’t have that project in my repo,” Kolev explained. “They [aren’t] my clients. Actually we currently have just our own projects.”
Mr. Kolev shared a screenshot of his current projects, but very quickly after that deleted it. However, KrebsOnSecurity captured a copy of the image before it was removed:
A screenshot of Mr. Kolev’s current projects that he quickly deleted.
Within minutes of explaining why I was reaching out to Mr. Kolev and walking him through the process of finding this connection, the 8Base website was changed, and the error message that linked to the JCube Group private Gitlab repository no longer appeared. Instead, trying the same “GET” method described above caused the 8Base website to return a “405 Method Not Allowed” error page:
Mr. Kolev claimed he didn’t know anything about the now-removed error page on 8Base’s site that referenced his private Gitlab repo, and said he deleted the screenshot from our LinkedIn chat because it contained private information.
Ransomware groups are known to remotely hire developers for specific projects without disclosing exactly who they are or how the new hire’s code is intended to be used, and it is possible that one of Mr. Kolev’s clients is merely a front for 8Base. But despite 8Base’s statement that they are happy to correspond with journalists, KrebsOnSecurity is still waiting for a reply from the group via their Telegram channel.
The tip about the leaky 8Base website was provided by a reader who asked to remain anonymous. That reader, a legitimate security professional and researcher who goes by the handle @htmalgae on Twitter, said it is likely that whoever developed the 8Base website inadvertently left it in “development mode,” which is what caused the site to be so verbose with its error messages.
“If 8Base was running the app in production mode instead of development mode, this Tor de-anonymization would have never been possible,” @htmalgae said.
A recent blog post from VMware called the 8Base ransomware group “a heavy hitter” that has remained relatively unknown despite the massive spike in activity in Summer of 2023.
“8Base is a Ransomware group that has been active since March 2022 with a significant spike in activity in June of 2023,” VMware researchers wrote. “Describing themselves as ‘simple pen testers,’ their leak site provided victim details through Frequently Asked Questions and Rules sections as well as multiple ways to contact them. ”
According to VMware, what’s particularly interesting about 8Base’s communication style is the use of verbiage that is strikingly familiar to another known cybercriminal group: RansomHouse.
“The group utilizes encryption paired with ‘name-and-shame’ techniques to compel their victims to pay their ransoms,” VMware researchers wrote. “8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery.”
The inaugural MITRE evaluation in 2018 cast its spotlight on APT3, also known as Gothic Panda, a China-based threat group.
In 2019, the MITRE evaluations took a significant leap by examining APT29, a threat group attributed to the Russian government. APT29 gained notoriety for its intrusion into the Democratic National Committee in 2015. This evaluation brought to light APT29’s unwavering commitment to stealth and the use of sophisticated techniques. These included custom malware and alternate execution methods like 
The 2020 evaluation thrust into the spotlight two prominent threat groups, Carbanak and FIN7, both known for targeting the financial sector, particularly in the U.S. This evaluation meticulously dissected the modus operandi of these groups, revealing their reliance on 
The 2022 evaluation constituted a deep dive into the strategies employed by two distinct groups: Wizard Spider, a financially motivated criminal group, and Sandworm, a Russian threat group known for its destructive attacks. This evaluation zoomed in on how these groups leveraged 
As we gear up for the 2023 MITRE ATT&CK® Evaluation, the spotlight shifts to Turla, a sophisticated Russian-based 
![Ransomware message on Hawaii[.]gov website](https://phxtechsol.com/wp-content/uploads/2023/09/crimeware_sep23_9.jpg)
The excitement surrounding speculative execution attacks may have subsided, but sadly, such threats remain. Binarly Research has discovered a vast attack surface still vulnerable to known issues like Spectre v1 and v2 on AMD silicon. Ineffective mitigations and the complexity of validation negatively impact the AMD device ecosystem. While the industry is currently concentrating on constructing confidential computing infrastructure, foundational design problems reveal a lack of basic security at the hardware level. This discovery was made possible due to the asynchronous nature of firmware and hardware security fixes development.
During the last couple of years, I have reported on several large-scale digital espionage and sabotage campaigns, from hacking groups that were later called out by the Department of Justice to companies targeting critical infrastructure in Germany and across Western Europe. In both cases, mistakes in how the attackers set up their infrastructure enabled our team to follow their tracks, in some cases right back to their employers. The resulting stories revealed the intersection where covert cyberoperations and overt organizational structures meet. 
Influence operations are often thought of as clandestine meddling in other countries’ affairs. But what if it’s were insidious than that? What if, right in front of our eyes, a NATO ally and EU Member Staate had developed a system to consistently peddle Russian talking points at a large scale within its own borders and beyond? This is what our research uncovered in the case of Hungary.
Tunnels have been utilized in armed conclicts since antiquity. Underground passages, dug beneath the surface, are still utilized to undermine fortifications and slip right into enemy territory. Today, however, underground tunnels are not the only tunnels used in armed conflicts, as new hidden pathways have proved to be quite effective. 
IoT devices flood our lives. There are multi-billion pieces of IoT devices around, and the number grows constantly. Malware problems are not something that can be avoided for these devices. However, anti-virus techniques, especially standalone ones (not cloud based) are currently basically unavailable for these, e.g., for routers, cameras, and Linux-based Raspberry PI devices. A user typically installs a device and does not intend to maintain it, and generally has no ways to find out if the device behaves in a bad way.
Managed file transfer (MFT) tools are a popular, user-friendly evolution of FTP, facilitating data sharing between and within organizations. In 2021, Businesswire reported projected growth of the MFT market to $2.4 billion by 2027, further emphasizing how organizations have come to rely on these tools. While companies of all sizes may have a need for user-friendly file sharing, MFT tools tend to be geared toward enterprise organizations in highly regulated industries (e.g., finance, healthcare). 
Volexity has recently uncovered ongoing campaigns by EvilEye, a Chinese state-backed threat actor, targeting three of the five groups the Chinese Communist Party (CCP) refers to as the “Five Poisons”. The targeted groups are members of the Tibetan community, the Uyghur ethnic group, and Taiwanese nationals. Volexity’s research has identified both currently active and historic activity for these campaigns. Volexity also identified related campaigns from this threat actor specifically targeting the Uyghur ethnic group back in 2019 and 2020. 
You have gained access to an AWS account and don’t want to go to prison. The all-seeing eyes of the Blue Team and SOC analysts attempt to monitor your every move via AWS CloudTrail. How can we tamper the defenders’ capabilities to complete our objectives and remain free?
Infrastructure as a service/code has taken root. With a few API calls and some minor orchestration, almost anyone is able to have a horde of servers at their disposal in seconds. This however doesn’t generally help bypass proxy filters and those looking for new infrastructure. 
While many state-aligned threats have dipped their toes into macOS Malware, North Korea has invested serious time and effort into compromising that operating system. Their operations in macOS environments include both espionage and financial gain. macOS malware analysis is an exciting space, but most blogs on the subject deal with functionality and capability, rather than how to find more similar samples. Analysts are forced to rely on string searching, based on disassembler output or a strings dump; comparatively, executables for Windows have “easy” pivots such as import hashing or rich headers, to find additional samples without much effort. 
Activity in cyberspace has gone through a massive transformation over the last few decades, with cyber threat intelligence emerging, and then evolving alongside with it. Despite maturing as an industry, it is harder than ever before to consistently detect, track, and cluster known intrusion sets and identify new activity. 
The Middle East has been known for years to be a fertile land for APTs. During our routine monitoring of suspicious activities in government entities of the region, we stumbled upon a very sophisticated and unknown backdoor that we have named Deadglyph.
As the popularity of Large Language Models (LLMs) continues to grow, there’s a clear divide in perception: some believe LLMs are the solution to everything – a ruthlessly efficient automaton that will take your job and steal your dance partner. Others remain deeply skeptical of their potential – and have strictly forbidden their use in corporate environments. 
One day in 2021, a self-professed “hacktivist” popped into my direct messages, told me his “group” had noticed I’d done the most work on Mado, and dumped videos and documents allegedly hacked from the company’s network and CEO.
Allegations of oligarch elections meddling and influence is old news as we head into 2024. While prosecutors focus on the money trail in building threat intelligence based cases for indictment, don’t overlook oligarch-funded lawyers with creative delay and distract defense tactics. From twisting data privacy laws to using funds for Slapp libel cases to leaking legal discovery, we’ll dissect a series of US and UK cases where oligarchs are throwing lawyers and money as curveballs to thwart influence and cybercrime prosecutions. We’ll also look at ways to further leverage these cases as opportunities for closing policy gaps and for open source intelligence data gathering.
eBPF (extended Berkeley Packet Filter) is a rapidly growing technology that’s revolutionizing the Linux ecosystem. It allows developers to write code that can safely run in the kernel while handling much of the processing and analysis in userspace. As with most new and useful tech, adversaries will inevitably begin to leverage eBPF to implement common malware tradecraft.
Mercenary spyware companies need to evolve their spyware capabilities just like software from any other commercial company. This presentation details an account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploit.
OilRig is a well-known Iran-aligned cyberespionage group, allegedly under the MOIS (Ministry of Intelligence and Security), that has been targeting Middle Eastern governments and a variety of business verticals since at least 2014. In this presentation, we study the group’s persistent attacks on Israeli healthcare and local governments, often with the same organizations targeted multiple times over the course of several years, suggesting that OilRig considers them to be of high espionage value.