CyberSecurity SEE

Who’s Responsible for the 8Base Ransomware Website? – Krebs on Security

A victim-shaming website operated by the cybercriminal group 8Base has been found to be leaking sensitive information, revealing potential ties to a programmer in Moldova. The darknet site, which is reachable only via Tor, lists numerous organizations and companies that allegedly refused to pay a ransom to prevent their stolen data from being published. It also includes a chat feature that victims can use to communicate and negotiate with their extortionists. The leak came to light when the website was found to be generating a verbose error message whenever it tried to fetch data from the chat service.

This error message disclosed the true Internet address of the Tor hidden service housing the 8Base website. Further investigation uncovered a link to a private Gitlab server, called Jcube-group, in the error page. The Gitlab account contained some interesting data points, including references to the term “KYC” (Know Your Customer). This is significant because the 8Base FAQ mentions a vetting process for journalists who wish to access special offers and interviews with the group, which is labeled as “KYC” as well. The connection between the Gitlab account and the 8Base website raises questions about the involvement of a 36-year-old developer named Andrei Kolev from Moldova.

Andrei Kolev, who works as a full-stack developer at JCube Group, denied any knowledge of the 8Base darknet site pulling code from his private Gitlab repository. He claimed that the 8Base project was not in his repository and that he only had his own projects there. Mr. Kolev quickly deleted a screenshot of his current projects that he shared during the conversation. Minutes after discussing the connection with Mr. Kolev, the 8Base website was changed, and the error message linking to the JCube Group’s Gitlab repository disappeared.

Ransomware groups often hire developers remotely for specific projects without revealing their true identity or the intended use of their code. It is possible that one of Mr. Kolev’s clients is a front for 8Base, and he may have unknowingly contributed to the development of the victim shaming website. However, the 8Base group has not responded to inquiries from KrebsOnSecurity, despite claiming to be open to correspondence with journalists.

The leaky 8Base website was discovered by a security professional and researcher who goes by the handle @htmalgae on Twitter. They believe that the website was left in “development mode,” which caused the verbose error messages and ultimately led to the de-anonymization of the Tor hidden service. Had the website been running in production mode, this leak would not have occurred.
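As an added illustration of the failure mode described above (example code written for this page, not from the article or from any 8Base code), the handler below shows how a development-mode error path returns the full exception, including whatever internal URLs the failed chat fetch embedded in it, while the production-mode path keeps those details in the server log. Every hostname and repository URL in the code is a constructed placeholder.

```python
"""Added example: development-mode versus production-mode error handling
for a web app whose chat fetch fails. Hostnames are constructed placeholders."""
import logging
import traceback
from urllib.error import URLError

# Constructed internal endpoint the site would call to load chat messages.
CHAT_BACKEND = "http://chat-service.internal.example:8080/messages"
# Constructed private-repo URL that could surface in an error message.
REPO_HINT = "https://gitlab.example-internal/placeholder-group/frontend"

# Strings that must never appear in a response sent to a client.
INTERNAL_MARKERS = ("internal.example", "gitlab.example-internal")


def fetch_chat_messages():
    """Simulate the chat-service fetch failing (no network is used here)."""
    raise URLError(f"connection refused: {CHAT_BACKEND} (see {REPO_HINT})")


def handle_request(debug: bool):
    """Return (status, body) the way an app's error handler would."""
    try:
        return 200, fetch_chat_messages()
    except Exception as exc:
        if debug:
            # Development mode: the traceback and exception text go to the
            # client, carrying every internal URL embedded in the error.
            trace = "".join(
                traceback.format_exception(type(exc), exc, exc.__traceback__)
            )
            return 500, "Internal Server Error\n" + trace
        # Production mode: details stay server-side; the client sees a
        # generic message with nothing that identifies the backend.
        logging.getLogger("app").error("chat fetch failed", exc_info=exc)
        return 500, "Internal Server Error"


def leaks_internal_details(body: str) -> bool:
    """Check a response body for backend identifiers that should stay private."""
    return any(marker in body for marker in INTERNAL_MARKERS)


if __name__ == "__main__":
    for mode in (True, False):
        status, body = handle_request(debug=mode)
        print(f"debug={mode}: status={status} leaks={leaks_internal_details(body)}")
```

A check like `leaks_internal_details` is cheap to run against every non-200 response in a staging test suite, which catches a forgotten debug flag before the service is exposed.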

8Base has gained attention as a ransomware group that specializes in encryption and “name-and-shame” techniques to pressure victims into paying ransoms. They describe themselves as “simple pen testers” and have targeted various industries. Despite their high number of compromises, little is known about their identities and motivations.

The discovery of the leaky 8Base website and its potential connection to a Moldovan programmer highlights the complex and secretive nature of cybercriminal operations. As law enforcement and security professionals continue to investigate and combat ransomware groups, it remains essential to uncover and expose their tactics and infrastructure to protect potential victims.
