2020-01-01 Update: The table of actors listed in this story has been updated to reflect direct affiliation with Gnostic Players.

The following is the first of a two-part blog post which contains a sample from a single chapter of my upcoming book, “Hunting Cyber Criminals”. The book is both a technical guidebook showcasing my favorite investigative tools, and a collection of stories highlighting interesting cases and scenarios I have come across while working on several high-profile threat actor investigations.

My book was all but finished when something unexpected happened: GnosticPlayers, a well-known group that gained notoriety for a series of high-profile hacks, decided to publicly post his/their involvement in the theft of 10 million dollars’ worth of XRP cryptocurrency from GateHub. In an unprecedented admission of guilt, Nclay, the group’s leader, decided to repent for his sins, claiming full responsibility for hacking GateHub.

For more than a year, I have personally communicated with all members of GnosticPlayers, and I have grown to understand each of the members, their personalities, and their interactions with one another. The following blog post is a sample of this research taken from my upcoming book.

Who Is GnosticPlayers?

Circa February 2019, the name GnosticPlayers was born by way of several high-profile databases that went on sale on Dream Market (a dark web marketplace). Some of the hacked databases included MyFitnessPal, MyHeritage, EyeEm, 8fit, and WhitePages. At the time, my understanding of the group was that it was composed of two core members: Nclay and DDB. Nclay was the hacker and DDB was the seller (additional members and associates would come into play later).

Shortly after the first round of databases went up for sale on Dream Market, several of the databases were shared with Troy Hunt’s HaveIBeenPwned website. According to the site, the data was provided “by a source who requested it to be attributed to Kuroi’sh or Gabriel Kimiaie-Asadi Bildstein”. At the same time, Nclay’s dox was being leaked to a small group of people naming him as Kuroi’sh, or Gabriel Bildstein.

Note: Gabriel Bildstein aka Kuroi’sh is a known hacker previously arrested by French authorities in connection with the Vevo hack that defaced “Despacito” and several other YouTube music videos.

The ensuing drama between the two core members apparently grew out of a number of internal conflicts, including the sale of the data and superficial notoriety, namely which member was receiving proper credit for the hacks. Confirming this, Nclay (the group’s primary hacker) sent the following message in a private Jabber chat:

Before going further into this story and what I believe really happened within the GnosticPlayers group, as well as who is responsible for the Gatehub hack, here is some background information on GnosticPlayers and the group’s members.

GnosticPlayers Group Members and Associates

The following is a summary list of the actors either associated with GnosticPlayers or mentioned in this post.

Name         | Role      | Aliases                                               | Jabber IDs
Nclay        | Member    | GnosticPlayers, Outofreach, Snoupinet, Vlad           | outofreach@jabber.ua
DDB          | Member    | Bline, Cacavert, Casper, RawData, Pumpkin, Ski Mask   | bline@jabber.ru, casper2@yax.im, casper@jabber.ua, ddb@jabber.ua, pumpkin@securejabber.me
Peace        | Associate | AmIEdgyEnough, Columbine, Frosty, NSFW, Peace of Mind | btc@richim.org, columbine@xmpp.su, nsfw@jabber.se, peace@rows.io
Photon       | Member    | Lava, NSFW, Overflow, Russian                         | russian@xmpp.is
Omnichorus   | Associate | Momondo, Pernat1y, Porcupity                          | omniking@exploit.im
Jimmy Russel | Associate | WhackyIdeas, Pogo                                     | whackyideas25@jabber.ua

Note: Other relevant actors such as K3l0t3x and Prosox will be discussed in part two of this post.

Known / Confirmed GnosticPlayers Hacks

The following is a list of hacks confirmed to be attributed to GnosticPlayers.

  • 500px
  • 8fit
  • 8Tracks
  • Animoto
  • Armor Games
  • Artsy
  • BookMate
  • Bukalapak
  • Chegg
  • ClassPass
  • CoffeeMeetsBagel
  • Coinmama
  • Coubic
  • DataCamp
  • Dubsmash
  • Estante Virtual
  • Evite
  • EyeEm
  • Fotolog
  • GameSalad
  • Ge.tt
  • GfyCat
  • HauteLook
  • Houzz
  • iCracked
  • Jobandtalent
  • Legendas.tv
  • LifeBear
  • Mindjolt
  • MyFitnessPal
  • MyHeritage
  • Onebip
  • OMGPop
  • PetFlow
  • Pizap
  • PromoFarma
  • Quora
  • Roadtrippers
  • Roll20
  • ShareThis
  • Storenvy
  • StoryBird
  • StreetEasy
  • Stronghold Kingdoms
  • Taringa
  • Wanelo
  • Whitepages
  • Wirecard
  • Xigo
  • Yanolja
  • YouNow
  • YouthManual
  • Zynga

Gnostic’s Hacking Technique

The method for Gnostic’s hacks was revealed to me by NSFW, and later confirmed by Gnostic over his Twitter. The group’s primary attack vector was also confirmed by several of the organizations on this list. The hack was simple but extremely effective: the group would use credential stuffing attacks against developers to log into their GitHub accounts. While there, they would pillage the code repositories, looking for AWS keys and similar credentials that had been checked into source control.

Once logged into the GitHub accounts, the group also used a method to bypass GitHub’s IP-based access restrictions. Specific details of this attack, including Gnostic’s own personal account of these details, will be available in my book.
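The defensive counterpart of the technique described above is scanning your own repositories for exactly the kind of credentials the group was harvesting. The following is an added example, not code from the post or from any of the organizations named: a small secret scanner that flags AWS access key IDs and high-entropy secret access keys in file contents. The file contents are constructed, and the key values are AWS’s published documentation examples, not live credentials.

```python
import math
import re
from typing import Dict, List, Tuple

# AWS access key IDs: 'AKIA' (long-term) or 'ASIA' (temporary) plus 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Candidate secret access keys: 40 base64-style characters on a line that hints at a secret.
SECRET_CANDIDATE_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
SECRET_HINT_RE = re.compile(r"secret|aws", re.IGNORECASE)
MIN_ENTROPY = 3.5  # bits per character; real secrets sit well above, 'aaaa...' placeholders at 0

# Constructed file contents standing in for a checked-out repository (AWS documentation example keys).
SAMPLE_FILES = {
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment, never in code.\n",
    "tests/fixtures.json": '{"aws_secret_access_key": "' + "a" * 40 + '"}\n',
}

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; low values flag placeholders rather than real keys."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def redact(value: str) -> str:
    """Keep a short prefix so a finding can be triaged without re-leaking the secret."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(path: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Return (path, line_no, finding_type, redacted_value) for every hit in one file."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            hits.append((path, line_no, "aws_access_key_id", redact(m.group())))
        if SECRET_HINT_RE.search(line):  # heuristic gate to cut false positives on random blobs
            for m in SECRET_CANDIDATE_RE.finditer(line):
                if shannon_entropy(m.group()) >= MIN_ENTROPY:
                    hits.append((path, line_no, "aws_secret_access_key", redact(m.group())))
    return hits

def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Scan every file; wire this to a pre-commit hook or CI job over a real tree."""
    return [hit for path, text in files.items() for hit in scan_text(path, text)]

if __name__ == "__main__":
    for path, line_no, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: {kind} {value}")
```

The README mention and the all-`a` fixture value are deliberately left unflagged: the first has no key-shaped token, the second fails the entropy gate.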

Resentment Brews Over Notoriety

Gnostic’s technique was extremely effective, and as a result, was adopted by the group’s third member(s), NSFW. According to all of the parties involved, this was the primary source for tensions within the group. According to Nclay, he felt NSFW stole “his method”, and did not give him “the credit he deserved”. Nclay also felt that DDB dropped him as a partner, essentially cutting him out of the money he was making once he joined forces with NSFW.

Who Is NSFW?

Evidence suggests the name NSFW is shared by two people: Peace of Mind and Photon. Over the past year I have engaged in regular conversations with both members, during which the two actors and their various aliases became interchangeable. Specific details of those conversations, and information on the group members’ identities, will be made available in my book and forthcoming investigative reports.

List of Confirmed NSFW Hacks

The following hacks can be attributed to either of the two people associated with the name NSFW.

  • Adult Friend Finder
  • Army Force Online
  • Bell Canada
  • BotOfLegends
  • Carding Mafia
  • CodeChef
  • Datalot
  • DotaHut
  • Door Dash
  • Elections.ca
  • FemaleDaily
  • Filmow
  • FiveStars
  • Flipboard
  • GSMA Intelligence
  • Linux Mint
  • Foodera
  • FrontLineSMS
  • Lead 411
  • LifeSafer / LMG Holdings
  • LivSpace
  • Massachusetts Institute of Technology (MIT)
  • MGM Grand
  • MPGH
  • PolyCount
  • Poshmark
  • RedBull Sound Select
  • Sephora
  • StockX
  • TeamSkeet
  • Timehop
  • Tokopedia
  • Turkish National Police (EMG)
  • University of Phoenix
  • Voxy
  • Zoomcar

Tension between NSFW and Gnostic

According to Gnostic, NSFW (whom we can show to be two separate people) “stole his method”, and began working with DDB directly in order to cut him (Gnostic) out of the profits. This new partnership is the reason why Gnostic decided to publicly sell all of the group’s databases on Dream and other darkweb markets. In the following conversation with “Russian” (aka Photon), one of the two people to use the alias NSFW, he openly admits to working with DDB.

Above all else, Nclay wants to be known and recognized as one of the world’s greatest hackers. I first noticed this in the following interview with ZDNet where Nclay compares himself to veteran hacker Peace of Mind. It is no coincidence that Peace happens to be NSFW, and the core of this feud.

A Second Version of These Events

The saga between NSFW and Gnostic (Nclay) is one version of the story. A more public version, which was posted on Raidforums.com, is that the group’s tensions were the result of the GateHub hack. Interestingly enough, despite Gnostic’s obvious animosity towards everyone involved, he never once mentions NSFW.

That is a lot of information to process, and because of the username change, we have no way of knowing whether or not this post was written by the real GnosticPlayers/Nclay or someone else. Preliminary stylometry analysis, while still inconclusive, suggests the authors are different.

Working with Disinformation

As I describe in my book, disinformation can only be effective if it is coupled with legitimate information. A threat actor that only provides incorrect information will not get very far. In order for disinformation to work properly, a threat actor needs to build trust by providing valid and verifiable information. Once that trust has been established, they can then throw in tiny tidbits of disinformation. The most effective pieces of disinformation are extremely subtle.

To that end, the following is a conversation I had with WhackyIdeas25 shortly after Nclay’s confession.

I believe the key piece of disinformation in this conversation is that Gnostic hacked Dailymotion and Zomato, two hacks that have since been attributed to Kuroi’SH aka Gabriel Bildstein. I believe the intent of this conversation was to sell me on the idea that GnosticPlayers aka Nclay is actually Gabriel Bildstein. I do not believe this to be true.

The Dox of Gabriel Bildstein aka Kuroi’sh

Since Gnostic’s announcement of his involvement in the GateHub hack, there has been a literal implosion of the underground data market. There is now quite a bit of disinformation being thrown around, presumably to keep law enforcement officials running in circles.

Gnostic and those close to him have really gone out of their way to sell the idea that he is Gabriel Bildstein. In addition to the myriad of new players that have come forth to provide corroborating information, Kuroi’sh (by way of his Twitter account) has even gone so far as to send me pictures of himself holding his identification card.


This would be incredibly interesting if it were not for the private conversations I have received between Snoupinet (who I can personally confirm is the person I have always spoken with as Gnostic/Nclay), and Kuroi’SH the person claiming to be Gabriel.

Based on this screenshot, Snoupinet is the person sending the photos to Kuroi’SH… but if GnosticPlayers were truly Gabriel, and his intent was to actually come forth, confess, and tell the world his true identity, why would he have to send the photo to a proxy to send to me? Why not send me these pictures himself?

All evidence I have gathered to date indicates that Gnostic and Gabriel are two different people.

There are a number of conflicting opinions on the subject, but those that do not seem to be directly tied to these events appear to be in agreement with this theory. The following is from a user close to Kuroi’SH.

Where is Law Enforcement?

As far as I can gather, the GateHub hack and crimes related to GnosticPlayers are being handled by the French OCLCTIC. According to both Nclay (via his Snoupinet Twitter account) and others close to the GateHub hack (who will be revealed in the next blog post), several people have already been arrested and/or questioned. The following is a personal conversation between myself and Snoupinet.

Based on what I have heard from several other people, Prosox (who will be named in the forthcoming blog post) has been arrested. It is unclear whether or not Nclay and DDB have been arrested as well, but it looks as though the information is accurate.

Both Kuroi’SH and Snoupinet seem to be on the same page regarding the number of Gabriel’s cars that have been confiscated but not the amount of Bitcoin that has been seized from Gabriel.

Which one is right?

All of this information and more will be revealed and dissected in part two of this series.

Coming Up Next: GnosticPlayers and The 10 Million Dollar GateHub Hack

Stay tuned for part two of this short GnosticPlayers mini-series, where we specifically discuss the 10 million dollar GateHub hack, introduce a handful of new players, and describe who we think is actually responsible (spoiler: it’s not GnosticPlayers!).