August 8, 2022 at 10:46 AM
Disclaimer: This is a repost from an old RF thread with updated links. Source: https://web.archive.org/web/20220222022720/https://raidforums.com/Thread-The-Troia-never-ends
Wake the fuck up Samurai, we’ve got a rat to burn.
For those just joining in, feel free to read Part 1 of this madness where I read over the report of the Dataviper incident report provided by Vinny Troia (VT) and poke holes in the ridiculous report:
TL;DR version of the DataViper Incident
Astoria Breach + Seller13
After posting my original review on March 23, multiple people actually reached out and directed me to an article that had been published the day before VT released his “incident report”. Before we get into the details of the article, I did want to already don my tinfoil hat and point out how this article which has quite the eye-grabbing headline was posted a day before the incident report and how the only reference by VT was a retweet of another Twitter security researcher posting about his incident report ..
The article can be read here: https://archive.is/Z6MBO
Astoria is some lead generation company with a bunch of websites that collect information and got hacked, same story each year really. There is a lot I won’t cover because I want to keep most of these things simple, but in the article, the “nightlionsec” team (who we will just refer to as VT) talks about discovering shiny hunters selling the Astoria company db on Dark0de v2 .. which is a pretty new forum and anyone can make an account on it. Apparently, the same data is then sold a week later on Exploit but then would also end up on Raidforums by @seller13. Before we jump into that, let’s take a small glimpse at the company report he links to.
+ Darkowl Sponsorship Incoming +
https://www.darkowl.com/blog-content/shiny-leaks-and-criminalssolarwinds-seller13-andshinyhunters
DO finds some user named seller13 on some dark web shithole trying to sell the SolarWinds data leak. They give a questionable analysis of the user, implying that the typos by the vendor prove that they are not native English speakers even though those typos look like someone trying to appear to be a non-native English speaker.
They track this group back to 2011 through some emails and username tracking, which is possible but it’s pretty rare for anyone to last 10 years in this shit. It smells a little bit more of someone snatching an old identity and using it to start selling shit to throw others off while having some credibility.
Seller13 Rebranding as ShinyHunters Affiliate
DO shows some changes in advertisements from seller13 to “S# Hunters” with it now showing “@Omn1p0t3nt”. Apparently, they even post on Telegram as “@Omn1p0t3nt” selling the SolarWinds shit. DO alleges this group to likely be scammers and unlikely to be Shiny but merely attempting to capitalize on Shiny's success. What I think is more fucked up, is this group seems to have a bone to pick with our lovely RF admin @Omnipotent. So DO makes a point that the seller13 is probably a scammer and trying to use petty tactics to throw others under the bus. What is interesting is that they first want to pretend to be shinyhunters, and then impersonate omnipotent? Seems like we all know a very specific person who would value from those people getting scrutinized. Now let’s look at the Raidforums account: https://web.archive.org/web/20211218235103/https://raidforums.com/User-seller13

Lists referred to by “shinyhunters” and their only thread is selling the same company data that VT is writing about with them thanking shinyhunters for the data. To be candid an RF user did come forward and tell me that they had actually sold the data to Troia and that they confirmed he is seller13. However, the user has failed to respond to my follow-up messages so I can’t actually confirm the validity based on this person's word alone. I will say that while I do think Troia is a criminal, this is one that also could be some 4D chess by one of the billion people who do hate Troia to set him up since this almost screams a little too much in his direction. So as I’m conflicted I’m not sure what to believe just from that, as it is convincing if you had to play bingo for Troia accounts that user would come up. I’ll let the forum and whoever else decide on that matter.
+ End Sponsorship +
..back to the report.
The flawed part of this report would be the company VT references saying they don’t believe it is shinyhunters and that the seller isn’t credible. VT conveniently ignores that and latches onto the theory it is shinyhunters and then almost too well-rehearsed shows exactly how he believes the breach happened. While he references multiple tools there was one that cracked me up because it just sounds weird for a professional cybersecurity company to do this. “We then leveraged an OSINT telegram bot to ping each of the URLs and return a list of any that were valid.” Why use an OSINT telegram bot to ping the URLs?
At the end of it though he shows some URLs associated with the company, finds outdated adminer and some shells showing pwned. He then breaks down all the data and blah blah. He has had the data for three weeks it seems so he spent all the time looking up how it happened and parsing it out? It’s actually funny if you look at his Twitter how he apologizes for not making it possible for people to check if their identity is in his shit even though he’s had it for weeks. To wrap all this up for this part, it’s kind of hard to ignore the obvious Troia “traits” with seller13 but with the types of users reaching out to me, I don’t want to play into some 4D chess bullshit if it is in fact a way to set up VT. However, there is a simple way to figure this out, @ShinyHunters can poke their head in here and clarify who is wrong/right.
Valentin0
Let’s have a bit of a laugh, shall we? Given the speculation of if VT could be behind the Astoria breach, we need to know the rat a little better and go through some history. The first name you might recognize, as it was in his incident report:
Source: Incident Report
In the report, Vinny appears to claim that @valentin0 is a rival of shinyhunters, and as such VT apparently leaks data to @valentin0 to get to megadimarus. The screenshot itself is confirmed to be from the shinyhunters Twitter, so I was interested in how he “leaked” this information to @valentin0 given that it was an integral part of this whole “honeypot” (not a honeypot) thing he was going with. But why is this interesting? VT has long been implicated as being Valentino, as it appears a reputable data breaches website has already implicated Troia as valentin0 back in July 2020: https://archive.is/nDPKa
As well as Shiny: https://web.archive.org/web/20200715001459/https://twitter.com/sh_corp/status/1283184298384863232
I’m sure VT will allege that he used @Exabyte to leak it or something, but I was curious that when he was accused first of being @valentin0 in July 2020.. this was never addressed on Raidforums. In fact, the user was last active on March 21, 2021 (two days before the incident report was released) and while now banned (just today) was inactive. Given the inclusion of valentin0 in the report I reached out to Raidforums staff to see if there were any inconsistencies .. and would you guess it! @Jaw @ [moot] will have to provide evidence of the mod logs, but it appears one post by @valentin0 was mistakenly made and quickly deleted only for @cyrax to post the exact same thing two minutes later. Again, one of the admins will have to verify but if this is indeed the case, it’s incredibly hard for VT to pretend that he isn’t valentin0 no matter how many excuses he has.
But how does valentin0 being cyrax prove it’s all VT?
Cyrax
Sigh, does your head hurt yet? Mine does. Since all of this is long-winded, the @cyrax saga is long and all over the place between VT multi-accounting to constantly argue with half the forum and more specifically his long-time enemy gnosticplayers. This simple summary with a bunch of threads below alleges that @cyrax is VT. You can see numerous threads of chat logs with respected members like Clorox releasing a shitload of them to attribute Cyrax to VT.
Shiny again calling VT @cyrax
https://archive.is/RBleH
@GnosticPlayers3 / @Clorox posting logs attributing Cyrax to VT:
https://web.archive.org/web/20200325155626/https://raidforums.com/Thread-NSFW-the-ruthless-piece-of-shit--80380
A decent thread speculating that Cyrax is indeed VT, with another alt of VT (@Bishop99) coming in to make sure his other alt doesn’t get banned:
https://web.archive.org/web/20191102072337/https://raidforums.com/Thread-BitMax-Crypto-DB-Exchange-Cracked-Dumped-By-AmIEdgyEnough
To end all this, it is not as in-depth as my previous reporting but I think it would be irresponsible to not keep up the pressure on the obvious cybercriminal Vinny Troia, NightlionSec, and every fucking alias he owns. To counter I am willing to give Vinny the benefit of the doubt and he's welcome to come on here and explain himself for any part of this. I think it's a great route to go as your 4D chess tactics won't work with me as I'm not influenced by money and you can't scare me with petty threats. The choice is yours.