Rarely do cybercriminal gangs that deploy ransomware gain the initial access to the target themselves. More commonly, that access is purchased from a cybercriminal broker who specializes in acquiring remote access credentials, such as the usernames and passwords needed to remotely connect to the target's network. In this post we'll look at the clues left behind by "Babam," the handle chosen by a cybercriminal who has sold such access to ransomware groups on many occasions over the past few years.

Since the beginning of 2020, Babam has set up numerous auctions on the Russian-language cybercrime forum Exploit, mainly selling virtual private networking (VPN) credentials stolen from various companies. Babam has authored more than 270 posts since joining Exploit in 2015, including dozens of sales threads. However, none of Babam's posts on Exploit include any personal information or clues about his identity.

But in February 2016, Babam joined Verified, another Russian-language crime forum. Verified was hacked at least twice in the past five years, and its user database posted online. That information shows that Babam joined Verified using the email address "[…]". The latest Verified leak also exposed private messages exchanged by forum members, including more than 800 private messages that Babam sent or received on the forum over the years.

[Image: a banner from the homepage of the Russian-language cybercrime forum Verified.]

In early 2017, Babam confided to another Verified user via private message that he is from Lithuania. In virtually all of his forum posts and private messages, Babam can be seen communicating in transliterated Russian rather than by using the Cyrillic alphabet. This is common among cybercriminal actors for whom Russian is not their native tongue.

Cyber intelligence platform Constella Intelligence told KrebsOnSecurity that the address was used in 2016 to register an account at filmai.in, a movie streaming service catering to Lithuanian speakers. The username associated with that account was "bo3dom."

A reverse WHOIS search via […] says […] was used to register two domain names: bonnjoeder[.]com back in 2011, and sanjulianhotels[.]com (2017). It's unclear whether these domains ever were online, but the street address on both records was "24 Brondeg St." in the United Kingdom.

A reverse search at DomainTools on "24 Brondeg St." reveals one other domain: […]. The use of domains that begin with "[…]" […]

Searching DomainTools for the phone number in the WHOIS records for […] leads to a handful of similar typosquatting domains, including […]. A different UK phone number in a more recent record for the […] is tied to two more domains: howtounlockiphonefree[.]com and portalsagepay[.]com. All of these domains date back to between 20[…].

The original registration records for the iPhone, Sagepay and Gold domains share an email address: […]. A search on the username "bo3dom" using Constella's service reveals an account at […], a now-defunct forum concerned with IT products such as mobile devices, computers and online gaming.

That search shows the user bo3dom registered at […] with the email address […] and from an Internet address in Vilnius, Lithuania. […] was used to register multiple domains, including […]. Gmail's password recovery function says the backup email address for […] is […]. Gmail accepts the address […] as the recovery email for that devrian27 account.

According to Constella, the address was exposed in multiple data breaches over the years, and in each case it used one of two passwords: "lebeda1" and "a123456".
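The attribution chain above is a series of reverse-WHOIS pivots: an email address leads to domains, the street address on those records leads to another domain, and a phone number on that record leads to still more. The script below is an added example (not code from the KrebsOnSecurity article, and not a DomainTools or Constella API) that models that expansion as a breadth-first search over a set of historical registration records, pivoting on whatever email, phone or address values the reachable records share. All records, names and values in it are constructed for illustration and are not real registration data. It also shows the caveat a practitioner runs into immediately: a value that many unrelated registrants share (a privacy-proxy email, a registrar's default phone number) has to be excluded from pivoting, or the search links everything to everything.

```python
"""Registrant-attribute pivoting over historical WHOIS records.

Added example modelling the reverse-WHOIS pivots described in the article
(email -> domains, street address -> domains, phone -> domains) as a
breadth-first expansion.  Not code from the article; all data below is
constructed and fictional.
"""
from collections import deque

PIVOT_FIELDS = ("email", "phone", "address")

# Constructed sample records (fictional values, not from the article).
# The ".test" TLD is reserved and never resolves.
RECORDS = [
    {"domain": "first.test",   "email": "seed@mail.test",           "phone": "+44 0000 000001", "address": "24 Brondeg St."},
    {"domain": "second.test",  "email": "seed@mail.test",           "phone": "+44 0000 000001", "address": "24 Brondeg St."},
    {"domain": "third.test",   "email": "other@mail.test",          "phone": "+44 0000 000002", "address": "24 Brondeg St."},
    {"domain": "fourth.test",  "email": "another@mail.test",        "phone": "+44 0000 000002", "address": "Somewhere Else"},
    {"domain": "fifth.test",   "email": "unrelated@mail.test",      "phone": "+44 0000 000003", "address": "Elsewhere"},
    # A privacy-proxy email: shared by many registrants, so it must not be pivoted on.
    {"domain": "sixth.test",   "email": "redacted@privacyproxy.test", "phone": "+44 0000 000002", "address": "Proxy Office"},
    {"domain": "seventh.test", "email": "redacted@privacyproxy.test", "phone": "+1 555 0100",     "address": "Proxy Office"},
]

# (field, value) pairs known to be noisy; pivoting on them links unrelated registrants.
NOISY_VALUES = {("email", "redacted@privacyproxy.test"), ("address", "Proxy Office")}


def pivot(records, seed_field, seed_value, fields=PIVOT_FIELDS, exclude=frozenset()):
    """Expand from one (field, value) seed to every domain reachable via shared fields.

    Returns (domains, edges): the set of linked domains and a list of
    (field, value, domain) hops explaining how each domain was reached.
    """
    seen = {(seed_field, seed_value)}
    queue = deque([(seed_field, seed_value)])
    domains, edges = set(), []
    while queue:
        field, value = queue.popleft()
        for rec in records:
            if rec.get(field) != value:
                continue
            if rec["domain"] not in domains:
                domains.add(rec["domain"])
                edges.append((field, value, rec["domain"]))
            # Every other identifying value on this record becomes a new pivot,
            # unless it is excluded as noise or already explored.
            for f in fields:
                v = rec.get(f)
                if v and (f, v) not in seen and (f, v) not in exclude:
                    seen.add((f, v))
                    queue.append((f, v))
    return domains, edges


def linked_domains(seed_email, exclude=NOISY_VALUES):
    """Convenience wrapper: domains reachable from a registrant email."""
    domains, _ = pivot(RECORDS, "email", seed_email, exclude=exclude)
    return sorted(domains)


if __name__ == "__main__":
    domains, edges = pivot(RECORDS, "email", "seed@mail.test", exclude=NOISY_VALUES)
    for field, value, domain in edges:
        print(f"{field}={value!r} -> {domain}")
    print("with noise excluded:", sorted(domains))
    print("without exclusion:  ", linked_domains("seed@mail.test", exclude=frozenset()))
```

With the privacy-proxy values excluded, the seed email reaches first and second directly, third through the shared street address, and fourth and sixth through the phone number on third's record; seventh stays unlinked because its only connection is the proxy email. Drop the exclusion and seventh is pulled in too, which is the false positive this kind of pivoting produces on real WHOIS data unless registrar and privacy-service boilerplate is filtered first.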