🌐 How we destroyed a turkish card operation, a thread:
🔷This morning I was casually scrolling through Telegram when I stumbled across a link dropping a "suspicious file"...
🔎Out of curiosity, I grabbed the file and sent it through triage (https://t.co/W2bGZpix7X | 📸 Screen 1) for analysis. A few minutes later, the verdict came back: #XWorm.
📞I pinged my guy @Swezy_1337 — time to have some fun.
➡ For some context, Swezy developped a tool to RCE the malwares C2, so we can access the RDP pretty easily... (📸 Screen 2)
💣So we started reversing the binary and quickly noticed a shitty implementation in the C2 communication (146[.]103[.]25[.]63).
💢With this, we could easily use the tool from Swezy, and of course, get access to the RDP, thanks to some black magic👀
💻Once inside the VPS, we discovered what this "hacker" was up to. The dude was targeting hotel management systems, using the RAT to steal credit card details, booking records, and personal info from customers, for this, he use 2 tool (📸 Screen 3):
1️⃣ "#Nullpoint", a free Opensource #infostealer (available on github)
2️⃣and of course, XWorm V5.6, cracked...
📜Logs were full of stolen data (from stealers), some screenshots, clipboard dumps and databases dump. All routed back to a little CNC hosted on a Windows RDP in 🇱🇹 Lithuania by Space Hosting (AS15440).
👍 We wiped everything (and have a bit of fun with it). (📸Screen 4)
➡All the stolen victim data? Gone (womp womp).
➡RAT C2? Deleted.
➡Logs? Burned.
➡We even left a nice little note (you will see in screenshot below ahah).
➡And of course, we completely nuked the server — RIP the boot sector 😿
⏲ An hours later, the "hacker" — a underage Turkish skid — started DMing us on Telegram, panicking. He had no clue what happened. We had his full name, email, server IPs, Telegram handle...
💤This idiot, in a way to appear strong and powerful, talked a little too much, and told us more about his rat method. In fact, he's having fun sending PDFs containing the malware via WhatsApp to quickly and easily infect hotels, of which we've only detected 2 so far:
- 🏨Black Lotus Hotel İzmir
- 🏨Luxus Grand Hotel
💥You don’t get to rat hotels and harvest cards while hiding behind your little obfuscated stub and think you’re safe.
➡You play dirty, you get reversed, pwned, and humiliated.😭
🔥It was fun.😀
👋cc/@abuse_ch@banthisguy9349@redrabytes@swezy_1337
@hexicans We know this, and we've already identified the infrastructure behind it, but the fact remains that you were hosting and hiding them. So if you can stop crying, would be appreciated ^^.
To do a small update on this case: @Dyjix / @hexicans Was in cooperation with Lighttt, the guy that made the searcher, @Dyjix was in active cooperation trying to hide the website & secure it. when the ultimate proof was issues, the website was taken down (since Dyjix cant deny the proof), website is now taken down like this screen show (sorry it's in fr*nch), now we just need to wait untils @namesilo do something about the domains https://t.co/GxHiQcE4M7.
🔷An investigations on @Dyjix, the shadiest french host:
➡️On the surface, it’s just another “serious” hosting provider. Clean branding, professional image, standard corporate talk.
But once you start connecting the dots, the picture changes fast.
🔎For context, Axel Hauguel, the person behind @Dyjix, is not new to this space. He previously operated infrastructure like AS Constant Moulin (AS203168) that @banthisguy9349 reported for month. This AS was repeatedly associated with abusive hosting (malware, botnets, DDoS tooling, etc).
That alone already raises questions.
But the current situation goes further.
📊Over the past months, France has been hit by a wave of cyberattacks, leading to massive leaks of personal data from various services (telecoms, administrative platforms, etc).
From this ecosystem, a new type of tool emerged: “searchers”.
💻A searcher is basically a database aggregation system built on stolen data dumps.
You input something as simple as:
– full name
– phone number
– email address
And it returns highly sensitive personal information:
– home addresses
– identity-related data
– linked accounts
– sometimes family or behavioral traces depending on the leaks
🎯In practice, it’s industrialized doxxing.
And it’s not theoretical use.
➡️These tools are widely used to target real people: teachers, journalists, public figures, streamers, and sometimes completely unrelated private individuals. Harassment, intimidation, and privacy violations are a direct consequence, In some cases, these types of tools lead to burglaries like with the @tir_ff databreach.
⚠One of the most known examples is AstralSearcher.
After losing its original domain due to takedown actions by the @Interieur_Gouv / @CNIL, it didn’t disappear.
It moved.
➡️And according to multiple infrastructure traces and historical data (including @censysio observations), parts of its operation appear to have resurfaced under infrastructure linked to @Dyjix.
*To be honest, ive kinda wasted time with this investigations since the owner leak it on the /legal/ page*
🔁At that point, the “we don’t know what’s hosted on our servers” narrative becomes hard to defend.
Especially when the same ecosystem keeps appearing around malware infrastructure, abusive tooling, and now services built directly on stolen personal data.
🧩This is where the pattern becomes hard to ignore.
Same names. Same infrastructure circles. Same type of services.
At some point, it stops looking like coincidence and starts looking like a business model.
🧠Dyjix may present itself as a neutral hosting provider.
But the reality, based on repeated associations, looks a lot closer to a facade enabling high-abuse infrastructure.
📌In that tweet, I mentioned only 25% of what I know about this host, and believe me, that's just the tip of the iceberg. If there were a police investigation, I would be happy to share what I've been able to gather.
💬If @Dyjix, @Hexicans, or @Landry__J want to respond, please do so :)
👋cc/@abuse_ch@banthisguy9349@redrabytes@swezy_1337@CNIL
probably https://t.co/X5bRH04xVC magic i guess, because everything is magic on your ASN: Censys & Shodan detect thing that doesnt exist for you, https://t.co/X5bRH04xVC can traceroute but not you, everything magical, pretty weird for someone who did network study but who i am to judge
🔷An investigations on @Dyjix, the shadiest french host:
➡️On the surface, it’s just another “serious” hosting provider. Clean branding, professional image, standard corporate talk.
But once you start connecting the dots, the picture changes fast.
🔎For context, Axel Hauguel, the person behind @Dyjix, is not new to this space. He previously operated infrastructure like AS Constant Moulin (AS203168) that @banthisguy9349 reported for month. This AS was repeatedly associated with abusive hosting (malware, botnets, DDoS tooling, etc).
That alone already raises questions.
But the current situation goes further.
📊Over the past months, France has been hit by a wave of cyberattacks, leading to massive leaks of personal data from various services (telecoms, administrative platforms, etc).
From this ecosystem, a new type of tool emerged: “searchers”.
💻A searcher is basically a database aggregation system built on stolen data dumps.
You input something as simple as:
– full name
– phone number
– email address
And it returns highly sensitive personal information:
– home addresses
– identity-related data
– linked accounts
– sometimes family or behavioral traces depending on the leaks
🎯In practice, it’s industrialized doxxing.
And it’s not theoretical use.
➡️These tools are widely used to target real people: teachers, journalists, public figures, streamers, and sometimes completely unrelated private individuals. Harassment, intimidation, and privacy violations are a direct consequence, In some cases, these types of tools lead to burglaries like with the @tir_ff databreach.
⚠One of the most known examples is AstralSearcher.
After losing its original domain due to takedown actions by the @Interieur_Gouv / @CNIL, it didn’t disappear.
It moved.
➡️And according to multiple infrastructure traces and historical data (including @censysio observations), parts of its operation appear to have resurfaced under infrastructure linked to @Dyjix.
*To be honest, ive kinda wasted time with this investigations since the owner leak it on the /legal/ page*
🔁At that point, the “we don’t know what’s hosted on our servers” narrative becomes hard to defend.
Especially when the same ecosystem keeps appearing around malware infrastructure, abusive tooling, and now services built directly on stolen personal data.
🧩This is where the pattern becomes hard to ignore.
Same names. Same infrastructure circles. Same type of services.
At some point, it stops looking like coincidence and starts looking like a business model.
🧠Dyjix may present itself as a neutral hosting provider.
But the reality, based on repeated associations, looks a lot closer to a facade enabling high-abuse infrastructure.
📌In that tweet, I mentioned only 25% of what I know about this host, and believe me, that's just the tip of the iceberg. If there were a police investigation, I would be happy to share what I've been able to gather.
💬If @Dyjix, @Hexicans, or @Landry__J want to respond, please do so :)
👋cc/@abuse_ch@banthisguy9349@redrabytes@swezy_1337@CNIL
Ohhhhh, Interesting coincidence.
The site was working perfectly fine 3 hours ago, and suddenly, right after being publicly exposed, the IPv4 get blackholed and everything goes offline.
What timing.
As usual, you’ll probably never admit your role in all this.
But at least this garbage is finally down, so I’ll give credit where it’s due.
Thanks for the minimal cooperation Axel, it's kinda sad that we Always need to go public whenever you do a thing but eh, at lease Astral is now taken down. Next time you try to hide a service like this, do it correctly !
Here’s an interesting technical observation regarding @Dyjix and @Hexicans’ claims about AstralSearcher.
From a standard IP, you can’t traceroute or reach the server anymore. At first glance, it looks offline or gone.
But here’s the funny part.
When the same checks are performed through a Cloudflare Worker — meaning from infrastructure inside Cloudflare’s AS — the IP suddenly responds.
Yes, it pings.
Don’t believe me? Check for yourself: https://t.co/K5oZ1eqsSt
The only probes getting a response are the ones originating from Cloudflare.
That strongly suggests the server was not actually taken down, but rather hidden behind routing restrictions allowing access only through Cloudflare-linked infrastructure.
In other words:
Publicly invisible.
Still reachable.
Still serving traffic.
This raises serious questions about whether the service was truly removed, or simply concealed.
I’m sure authorities like @CNIL and @Interieur_Gouv may find these infrastructure observations worth looking into.
This is a direct proof that, you, @hexicans, helped cybercriminal, like always.
"Not routed publicly" and "suspended" are not the same thing.
A suspended IP means:
→ Prefix withdrawn from BGP ✅
→ 0/872 peers ✅
→ ROA removed or invalidated ✅
What we actually see on AS212815 right now
→ Prefix still announced ❌
→ 12/872 peers still propagating it ❌
→ ROA Signed and Invalid (meaning you signn) ❌
Try again.
😂 You're asking me for the details?
You linked https://t.co/sPNGAeU5gg yourself. Open it. Look at your own prefix table.
45.13.119.185/32 — AS212815 — Dyjix SAS
That's your ASN. That's your IP. It's been sitting in your own BGP announcements the whole time.
An ISP that doesn't know what IPs are in its own Autonomous System is either incompetent or performing. You went from "we already suspended it 48h ago" to "can you tell us what to suspend?" in a single reply, stop playing dumb Axel.
Which one is it?
The IP is 45.13.119.185. The prefix is /32. The ASN is 212815. It's your infrastructure. It's been public since day one. https://t.co/juhirYoi5h, https://t.co/X5bRH04xVC, RIPE, Censys, pick one.
I'm not your abuse team. You are, now stop playing the dumb man. You host "Searcher" website targetting teacher and help for burglaries and now you play the dumb. You are pathetic.
Funny how it’s *never* you, right?
According to your response, the IP was supposedly dropped. But the data suggests something else: not removed, deliberately hidden.
How do I know? I’ve been working on this investigation for over 2 weeks. Initially, I was planning to expose another hosting provider, but sadly, unlike Dyjix, they actually took action.
Because this investigation took time, multiple tools were involved: infrastructure monitoring, website snapshots, route analysis, and more.
And here’s the interesting part: no downtime was ever detected after the migration to @Dyjix.
None.
Which is funny, because if the IP had actually been dropped and Lighttt had to migrate elsewhere, we should have observed downtime during the transition.
But we didn’t.
So your 99.99% uptime marketing is incredibly accurate… and the service never actually left your infrastructure.
The IP no longer appears in the global routing table, yet the service remains reachable through infrastructure consistent with Dyjix, routed exclusively behind Cloudflare.
The site is still online.
Traffic still flows.
Nothing appears suspended.
And the cherry on top?
AstralSearcher’s /legal page still references Dyjix.
Nice advertisement.
So to summarize:
Dyjix is still being referenced.
The service never appears to have gone down.
Yet somehow, it’s always “someone else.”
Interesting.
The evidence is already public.
Moving this to email just feels like an attempt to bury the discussion and save your public branding.
If you need a proper abuse report to suspend the service, I’ll gladly write one, send the email and i will send a screenshot here, so the CNIL can have a follow-up too ^^
But let’s not pretend I don’t recognize the strategy here.
It’s the exact same playbook we saw with Constant Moulin: stall, redirect to private channels, and hope the heat dies down.
hi. does your cybersecurity company need someone extremely well educated on infostealer related threat detection at the bleeding edge? im looking for a job.
if youre interested, reach out to admin@\keysco\.re (or my signal @\vamp.01). preferably pl/eu/remote. my previous work speaks for itself, so id say that the max time from hire to deployment (if everything goes well) is around 1-2 weeks :-).
Explaining the method would serve no purpose other than causing harm and creating security risks. If we reveal our method, we expose it to potential cybercriminals, which could make things more dangerous than helpful. Our method is therefore private. You're free to think the tweet is "useless"... :)
🌐 How we destroyed a turkish card operation, a thread:
🔷This morning I was casually scrolling through Telegram when I stumbled across a link dropping a "suspicious file"...
🔎Out of curiosity, I grabbed the file and sent it through triage (https://t.co/W2bGZpix7X | 📸 Screen 1) for analysis. A few minutes later, the verdict came back: #XWorm.
📞I pinged my guy @Swezy_1337 — time to have some fun.
➡ For some context, Swezy developped a tool to RCE the malwares C2, so we can access the RDP pretty easily... (📸 Screen 2)
💣So we started reversing the binary and quickly noticed a shitty implementation in the C2 communication (146[.]103[.]25[.]63).
💢With this, we could easily use the tool from Swezy, and of course, get access to the RDP, thanks to some black magic👀
💻Once inside the VPS, we discovered what this "hacker" was up to. The dude was targeting hotel management systems, using the RAT to steal credit card details, booking records, and personal info from customers, for this, he use 2 tool (📸 Screen 3):
1️⃣ "#Nullpoint", a free Opensource #infostealer (available on github)
2️⃣and of course, XWorm V5.6, cracked...
📜Logs were full of stolen data (from stealers), some screenshots, clipboard dumps and databases dump. All routed back to a little CNC hosted on a Windows RDP in 🇱🇹 Lithuania by Space Hosting (AS15440).
👍 We wiped everything (and have a bit of fun with it). (📸Screen 4)
➡All the stolen victim data? Gone (womp womp).
➡RAT C2? Deleted.
➡Logs? Burned.
➡We even left a nice little note (you will see in screenshot below ahah).
➡And of course, we completely nuked the server — RIP the boot sector 😿
⏲ An hours later, the "hacker" — a underage Turkish skid — started DMing us on Telegram, panicking. He had no clue what happened. We had his full name, email, server IPs, Telegram handle...
💤This idiot, in a way to appear strong and powerful, talked a little too much, and told us more about his rat method. In fact, he's having fun sending PDFs containing the malware via WhatsApp to quickly and easily infect hotels, of which we've only detected 2 so far:
- 🏨Black Lotus Hotel İzmir
- 🏨Luxus Grand Hotel
💥You don’t get to rat hotels and harvest cards while hiding behind your little obfuscated stub and think you’re safe.
➡You play dirty, you get reversed, pwned, and humiliated.😭
🔥It was fun.😀
👋cc/@abuse_ch@banthisguy9349@redrabytes@swezy_1337
So, to begin with, we believe the stealer was empty because it was only meant for "testing" purposes. The VDS we infiltrated appeared to be relatively "new" within their infrastructure (which, according to the cybercriminal, contains 22 Windows VDS, 📸 Screen 1).
This server was hosting a RAT through XWorm, but that’s not their primary attack method. Their typical procedure involves sending a malicious PDF, which is used to infiltrate hotel networks. It’s quite hard to measure the actual impact of our attack, but we know the "hacker" was seriously pissed off — haha.
To summarize: Nullpoint isn’t their main stealer, which explains the low number of logs (and the fact that they’re quite old). However, XWorm was rather active on the server.