🌐 How we destroyed a turkish card operation, a thread:
🔷This morning I was casually scrolling through Telegram when I stumbled across a link dropping a "suspicious file"...
🔎Out of curiosity, I grabbed the file and sent it through triage (https://t.co/W2bGZpix7X | 📸 Screen 1) for analysis. A few minutes later, the verdict came back: #XWorm.
📞I pinged my guy @Swezy_1337 — time to have some fun.
➡ For some context, Swezy developped a tool to RCE the malwares C2, so we can access the RDP pretty easily... (📸 Screen 2)
💣So we started reversing the binary and quickly noticed a shitty implementation in the C2 communication (146[.]103[.]25[.]63).
💢With this, we could easily use the tool from Swezy, and of course, get access to the RDP, thanks to some black magic👀
💻Once inside the VPS, we discovered what this "hacker" was up to. The dude was targeting hotel management systems, using the RAT to steal credit card details, booking records, and personal info from customers, for this, he use 2 tool (📸 Screen 3):
1️⃣ "#Nullpoint", a free Opensource #infostealer (available on github)
2️⃣and of course, XWorm V5.6, cracked...
📜Logs were full of stolen data (from stealers), some screenshots, clipboard dumps and databases dump. All routed back to a little CNC hosted on a Windows RDP in 🇱🇹 Lithuania by Space Hosting (AS15440).
👍 We wiped everything (and have a bit of fun with it). (📸Screen 4)
➡All the stolen victim data? Gone (womp womp).
➡RAT C2? Deleted.
➡Logs? Burned.
➡We even left a nice little note (you will see in screenshot below ahah).
➡And of course, we completely nuked the server — RIP the boot sector 😿
⏲ An hours later, the "hacker" — a underage Turkish skid — started DMing us on Telegram, panicking. He had no clue what happened. We had his full name, email, server IPs, Telegram handle...
💤This idiot, in a way to appear strong and powerful, talked a little too much, and told us more about his rat method. In fact, he's having fun sending PDFs containing the malware via WhatsApp to quickly and easily infect hotels, of which we've only detected 2 so far:
- 🏨Black Lotus Hotel İzmir
- 🏨Luxus Grand Hotel
💥You don’t get to rat hotels and harvest cards while hiding behind your little obfuscated stub and think you’re safe.
➡You play dirty, you get reversed, pwned, and humiliated.😭
🔥It was fun.😀
👋cc/@abuse_ch@banthisguy9349@redrabytes@swezy_1337
⚠️This is a WARNING for EU residents (not an advertisement of non-compliant services!).
🔸Do NOT use @bisq_network, @RetoSwap, @BasicSwapDEX, @eigenwallet - these are tools used by non-compliant people to voluntarily exchange crypto.
🔸Do NOT go to https://t.co/NhniwA3Iy8 website - it's a list of services that refused to comply with KYC.
🔸Do NOT use Monero - it never complied with anything.
🔸Do NOT read this post too - just in case it's non-compliant "advice on crypto".
Stay SAFE & COMPLIANT, citizens 🇪🇺🫵
🔷An investigations on @Dyjix, the shadiest french host:
➡️On the surface, it’s just another “serious” hosting provider. Clean branding, professional image, standard corporate talk.
But once you start connecting the dots, the picture changes fast.
🔎For context, Axel Hauguel, the person behind @Dyjix, is not new to this space. He previously operated infrastructure like AS Constant Moulin (AS203168) that @banthisguy9349 reported for month. This AS was repeatedly associated with abusive hosting (malware, botnets, DDoS tooling, etc).
That alone already raises questions.
But the current situation goes further.
📊Over the past months, France has been hit by a wave of cyberattacks, leading to massive leaks of personal data from various services (telecoms, administrative platforms, etc).
From this ecosystem, a new type of tool emerged: “searchers”.
💻A searcher is basically a database aggregation system built on stolen data dumps.
You input something as simple as:
– full name
– phone number
– email address
And it returns highly sensitive personal information:
– home addresses
– identity-related data
– linked accounts
– sometimes family or behavioral traces depending on the leaks
🎯In practice, it’s industrialized doxxing.
And it’s not theoretical use.
➡️These tools are widely used to target real people: teachers, journalists, public figures, streamers, and sometimes completely unrelated private individuals. Harassment, intimidation, and privacy violations are a direct consequence, In some cases, these types of tools lead to burglaries like with the @tir_ff databreach.
⚠One of the most known examples is AstralSearcher.
After losing its original domain due to takedown actions by the @Interieur_Gouv / @CNIL, it didn’t disappear.
It moved.
➡️And according to multiple infrastructure traces and historical data (including @censysio observations), parts of its operation appear to have resurfaced under infrastructure linked to @Dyjix.
*To be honest, ive kinda wasted time with this investigations since the owner leak it on the /legal/ page*
🔁At that point, the “we don’t know what’s hosted on our servers” narrative becomes hard to defend.
Especially when the same ecosystem keeps appearing around malware infrastructure, abusive tooling, and now services built directly on stolen personal data.
🧩This is where the pattern becomes hard to ignore.
Same names. Same infrastructure circles. Same type of services.
At some point, it stops looking like coincidence and starts looking like a business model.
🧠Dyjix may present itself as a neutral hosting provider.
But the reality, based on repeated associations, looks a lot closer to a facade enabling high-abuse infrastructure.
📌In that tweet, I mentioned only 25% of what I know about this host, and believe me, that's just the tip of the iceberg. If there were a police investigation, I would be happy to share what I've been able to gather.
💬If @Dyjix, @Hexicans, or @Landry__J want to respond, please do so :)
👋cc/@abuse_ch@banthisguy9349@redrabytes@swezy_1337@CNIL
🚨 Instagram had an exploit that allowed you to use Meta AI to reset passwords to accounts with no MFA on them. The exploit was patched a short time ago.
👀Most people blindly approve transactions they can't read
💰That's how you get drained.
🕶️Clear Signing with @Ledger shows you EXACTLY what you're signing and even in human-readable form before it hits the blockchain.
No more "trust me bro" contracts.
Your Keys, your Coins. Get @Ledger now🔐