Dissecting the Bybit Cryptocurrency Exchange Malicious UI Spoofing JavaScript

Based on the recently released Bybit Investigation documents, I was able to obtain the malicious JavaScript in question, and I decided to dig a little bit deeper into its inner workings and try to provide actionable intelligence on the topic and who the malicious attackers might be. JavaScript MD5: be9397a0b6f01d21e15c70c4b37487fe What I did was the

Exposing the Black Basta Ransomware Group – Part Four

UPDATED: Exposing the Black Basta Ransomware Group; Exposing the Black Basta Ransomware Group – Part Two; Exposing the Black Basta Ransomware Group – Part Three

Dear blog readers, The following are all of Black Basta’s BitCoin addresses and BitCoin transaction IDs based on their recently leaked internal and publicly accessible communication. Sample BitCoin addresses and

Exposing the Black Basta Ransomware Group – Part Two

UPDATED: Exposing the Black Basta Ransomware Group; Exposing the Black Basta Ransomware Group – Part Three

Dear blog readers, I just picked up the Black Basta Ransomware group’s internal leaked communication, which is now publicly accessible and available for everyone to download, and I decided to post this update in terms of my data mining

Exposing the Black Basta Ransomware Group – Part Three

UPDATED: Exposing the Black Basta Ransomware Group; Exposing the Black Basta Ransomware Group – Part Two

Dear blog readers, I’ve decided to post yet another post elaborating on the recently leaked Black Basta ransomware group’s internal leaked communication.

Sample domains referenced in the originally leaked Black Basta internal leaked communication: hxxp://databasebb.top, hxxp://downloaddotaviablog.su, hxxp://greenmotors.top, hxxp://greenmotors2.top, hxxp://megatron3.top, hxxp://stuffstevenpeters2.top, hxxp://thesiliconroad.top, hxxp://megatron3.top, hxxp://onlylegalstuff.top, hxxp://stuffstevenpeters.top, hxxp://stuffstevenpeters2.top, hxxp://thesiliconroad.top

Sample personally identifiable email

Profiling the iSpoof Cybercrime Enterprise

Dear blog readers, In this post I decided to take a look at the hxxp://ispoof.cc cybercrime enterprise in terms of providing actionable intelligence on its Internet connected infrastructure.

Sample known responding IPs: 116.203.61.96, 104.26.14.153, 172.67.75.247, 104.26.15.153, 104.21.60.205, 172.67.201.73, 172.67.150.241, 104.21.0.121, 104.21.23.23, 172.67.208.110, 172.64.205.7, 172.64.204.7

Related domains known to have been parked at the same IP (116.203.61.96): hxxp://ivshare4.xyz, hxxp://spoofsystem.co.uk, hxxp://civi-bi.com, hxxp://ispoof.cc

Stay tuned.

A Peek Inside the Current State of BitCoin Mixers

Dear blog readers, In this post I’ll provide some actionable intelligence on the current state of active BitCoin Mixers landscape with the idea to assist everyone on their way to properly attribute a fraudulent or malicious transaction or to dig a little bit deeper inside the infrastructure and financial infrastructure behind these BitCoin Mixers. Sample

A Peek Inside the Current State of BitCoin Exchanges

Dear blog readers, In this post I’ll provide some actionable intelligence on the current state of active BitCoin Exchanges landscape with the idea to assist everyone on their way to properly attribute a fraudulent or malicious transaction or to dig a little bit deeper inside the infrastructure and financial infrastructure behind these BitCoin Exchanges. Sample

Happy New Year

What’s the most inspirational thing that drives me as an independent researcher? It’s those rare emails and letters and invitations. I just came across this. Thank you so much for the invitation in the context of keeping up the spirit and driving growth into my research. Happy 2025. Yours sincerely, Dancho Danchev

New Project – 419 Scam Domains WHOIS Registrar Monitoring Project

Dear blog readers, An image is worth a thousand words. I’ve recently started working on a new domain take down project where I’m busy sourcing 419 scam domains and trying to figure out their WHOIS registrar in bulk and then feeding back all the information in a local MySQL database. The best part? I did

Unit-123.org

Focused on delivering daily batches of personally-produced never-ending supply of high-quality and never-published and released before classified and sensitive Intelligence Deliverables.