Who’s Behind the 8Base Ransomware Website?


The victim shaming website operated by the cybercriminals behind 8Base — currently one of the more active ransomware groups — was until earlier today leaking quite a bit of information that the crime group probably did not intend to be made public. The leaked data suggests that at least some of the website’s code was written by a 36-year-old programmer residing in the capital city of Moldova.

The 8Base ransomware group’s victim shaming website on the darknet.

8Base maintains a darknet website that is only reachable via Tor, a freely available global anonymity network. The site lists hundreds of victim organizations and companies — all allegedly hacking victims that refused to pay a ransom to keep their stolen data from being published.

The 8Base darknet site also has a built-in chat feature, presumably so that 8Base victims can communicate and negotiate with their extortionists. This chat feature, which runs on the Laravel web application framework, works fine as long as you are *sending* information to the site (i.e., by making a “POST” request).

However, if one were to try to fetch data from the same chat service (i.e., by making a “GET” request), the website until quite recently generated an extremely verbose error message:

The verbose error message when one tries to pull data from 8Base’s darknet site. Notice the link at the bottom of this image, which is generated when one hovers over the “View commit” message under the “Git” heading.

That error page revealed the true Internet address of the Tor hidden service that houses the 8Base website: 95.216.51[.]74, which according to DomainTools.com is a server in Finland that is tied to the Germany-based hosting giant Hetzner.

But that’s not the interesting part: Scrolling down the lengthy error message, we can see a link to a private Gitlab server called Jcube-group: gitlab[.]com/jcube-group/clients/apex/8base-v2. Digging further into this Gitlab account, we can find some curious data points available in the JCube Group’s public code repository.

For example, this “status.php” page, which was committed to JCube Group’s Gitlab repository roughly one month ago, includes code that makes several mentions of the term “KYC” (e.g. KYC_UNVERIFIED, KYC_VERIFIED, and KYC_PENDING).

This is curious because a FAQ on the 8Base darknet site includes a section on “special offers for journalists and reporters,” which says the crime group is open to interviews but that journalists will need to prove their identity before any interview can take place. The 8Base FAQ refers to this vetting process as “KYC,” which typically stands for “Know Your Customer.”

“We highly respect the work of journalists and consider information to be our priority,” the 8Base FAQ reads. “We have a special program for journalists which includes sharing information a few hours or even days before it is officially published on our news website and Telegram channel: you would need to go through a KYC process to apply. Journalists and reporters can contact us via our PR Telegram channel with any questions.”

The 8Base FAQ (left) and the KYC code in Kolev’s Gitlab account (right)

The 8Base darknet site also has a publicly accessible “admin” login page, which features an image of a commercial passenger plane parked at what appears to be an airport. Next to the airplane photo is a message that reads, “Welcome to 8Base. Admin Login to 8Base dashboard.”

The login page on the 8Base ransomware group’s darknet website.

Right-clicking on the 8Base admin page and selecting “View Source” produces the page’s HTML code. That code is virtually identical to a “login.blade.php” page that was authored and committed to JCube Group’s Gitlab repository roughly three weeks ago.

It appears the person responsible for the JCube Group’s code is a 36-year-old developer from Chisinau, Moldova named Andrei Kolev. Mr. Kolev’s LinkedIn page says he’s a full-stack developer at JCube Group, and that he’s currently looking for work. The homepage for Jcubegroup[.]com lists an address and phone number that Moldovan business records confirm are tied to Mr. Kolev.

The posts on the Twitter account for Mr. Kolev (@andrewkolev) are all written in Russian, and reference several now-defunct online businesses, including pluginspro[.]ru.

Reached for comment via LinkedIn, Mr. Kolev said he had no idea why the 8Base darknet site was pulling code from the “clients” directory of his private JCube Group Gitlab repository, or how the 8Base name was even included.

“I [don’t have] a clue, I don’t have that project in my repo,” Kolev explained. “They [aren’t] my clients. Actually we currently have just our own projects.”

Mr. Kolev shared a screenshot of his current projects, but very quickly after that deleted the image he’d shared. However, KrebsOnSecurity captured a copy of it before it was removed:

A screenshot of Mr. Kolev’s current projects that he quickly deleted.

Within minutes of explaining why I was reaching out to Mr. Kolev and walking him through the process of finding this connection, the 8Base website was changed, and the error message that linked to the JCube Group private Gitlab repository no longer appeared. Instead, trying the same “GET” method described above caused the 8Base website to return a “405 Method Not Allowed” error page:

Mr. Kolev claimed he didn’t know anything about the now-removed error page on 8Base’s site that referenced his private Gitlab repo, and said he deleted the screenshot from our LinkedIn chat because it contained private information.

Ransomware groups are known to remotely hire developers for specific projects without disclosing exactly who they are or how the new hire’s code is intended to be used, and it is possible that one of Mr. Kolev’s clients is a front for 8Base. But despite 8Base’s claim that they are happy to correspond with journalists, KrebsOnSecurity is still waiting for a reply from the group via their Telegram channel.

The tip about the leaky 8Base website was provided by a reader who asked to remain anonymous. That reader, who we’ll call Steve (not his real name), said it is likely that whoever developed the 8Base website inadvertently left it in “development mode,” which is what caused the site to be so verbose with its error messages.

“If 8Base was running the app in production mode instead of development mode, this Tor de-anonymization would have never been possible,” Steve said.
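To make the “development mode” point concrete, the following is an added illustration (not code from the article, from 8Base, or from JCube Group). It shows the two Laravel `.env` settings that decide whether an uncaught exception is rendered as a verbose debug page or as a generic error, and a small hypothetical renderer that mimics that branch: in debug mode the response carries file paths, a stack trace and the server’s own address, which is the kind of detail that de-anonymized the site in the story; in production mode the client gets nothing but a status line while the detail goes to the server log. The `/chat` route, the `SERVER_ADDR` value and the function names are constructed for the example.

```php
<?php
// Added illustration (not the article's, 8Base's or JCube Group's code).
// Laravel reads these two values from the project's .env file:
//
//   weak ("development mode", what the article's tipster describes):
//     APP_ENV=local
//     APP_DEBUG=true     # verbose error pages: paths, stack trace, host details
//
//   corrected ("production mode"):
//     APP_ENV=production
//     APP_DEBUG=false    # generic error page; details only in storage/logs
//
// renderException() below is a hypothetical stand-in for the framework's
// exception handler, kept minimal so the file runs with plain `php`.

declare(strict_types=1);

function renderException(Throwable $e, int $status, bool $debug, array $server): string
{
    if (!$debug) {
        // Production: nothing about the host, code layout or repository
        // leaves the server. The detail belongs in the log instead.
        error_log(sprintf('[%d] %s at %s:%d', $status, $e->getMessage(), $e->getFile(), $e->getLine()));
        return $status === 405 ? "405 Method Not Allowed" : "500 Server Error";
    }
    // Debug: the sort of detail a verbose framework error page exposes.
    return implode("\n", [
        "Uncaught " . get_class($e) . ": " . $e->getMessage(),
        "File: " . $e->getFile() . ":" . $e->getLine(),
        "SERVER_ADDR: " . ($server['SERVER_ADDR'] ?? 'n/a'),
        "Trace:",
        $e->getTraceAsString(),
    ]);
}

/** Hypothetical POST-only chat endpoint; returns [status, body]. */
function handleChat(string $method, bool $debug, array $server): array
{
    try {
        if ($method !== 'POST') {
            throw new RuntimeException("Method {$method} is not allowed on /chat");
        }
        return [200, "ok"];
    } catch (Throwable $e) {
        $status = $method !== 'POST' ? 405 : 500;
        return [$status, renderException($e, $status, $debug, $server)];
    }
}

// Constructed request environment; 192.0.2.10 is a documentation-range placeholder.
$server = ['SERVER_ADDR' => '192.0.2.10'];

[$code, $body] = handleChat('GET', true, $server);
echo "APP_DEBUG=true  -> {$code}\n{$body}\n\n";

[$code, $body] = handleChat('GET', false, $server);
echo "APP_DEBUG=false -> {$code}\n{$body}\n";
```

On a real Laravel deployment the setting to verify is `config('app.debug')`, which `php artisan about` reports as “Debug Mode”; any public-facing app should show it disabled, and a quick GET against a POST-only route should come back as a bare 405 with no framework diagnostics in the body.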

A recent blog post from VMware called the 8Base ransomware group “a heavy hitter” that has remained relatively unknown despite the massive spike in activity in the summer of 2023.

“8Base is a Ransomware group that has been active since March 2022 with a significant spike in activity in June of 2023,” VMware researchers wrote. “Describing themselves as ‘simple pen testers,’ their leak site provided victim details through Frequently Asked Questions and Rules sections as well as multiple ways to contact them.”

According to VMware, what’s particularly interesting about 8Base’s communication style is the use of verbiage that is strikingly similar to another known cybercriminal group: RansomHouse.

“The group utilizes encryption paired with ‘name-and-shame’ techniques to compel their victims to pay their ransoms,” VMware researchers wrote. “8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivations behind these incidents still remains a mystery.”
