Investigative Scoping
This investigation was conducted to generate actionable leads for law enforcement agencies, who may further validate or disprove our findings through lawful investigative procedures. All information has been collected using legal and ethical investigative practices. We do not assert conclusive attribution of any individual or entity to cybercriminal activities unless such links are legally confirmed. However, since intelligence relies on probabilistic assessments rather than confirmed facts, we present our findings based on the strength of behavioral, technical, and contextual indicators, highlighting a confidence level for each cluster.
Methodological Approach
Our analysis is centered on identifying activity clusters: groupings of aliases, behaviors, infrastructure, and communication patterns that may converge on specific individuals. We have isolated three primary clusters with potential ties to the entity operating under the alias "EnergyWeaponUser", which is itself connected to activity on BreachForums and related cybercrime operations.
Cluster 1: Pakistan-Based Actor – High Confidence
This cluster centers on Sikander Rasheed, believed to be operating from Rawalpindi, Punjab, Pakistan. Multiple aliases associated with this cluster include:
- machine1337 (GitHub, Telegram, LinkedIn)
- hellshot (BreachForums[.]to)
- machine404 (Keybase, RaidForums[.]com)
- machineroot1337 (HackerOne)
- invisibleclay100 (Instagram)
- R0ot1337 (Telegram)
- whoami4041 (X.com)
- unknownclay (HackerOne, TryHackMe, GitHub, YouTube, Intigriti)
- Pakhack (Blogspot); pakhack01 (Facebook); "Pak Hack" (YouTube)
Technical Tool Development:
Sikander has developed and publicly shared offensive security tools via GitHub, including:
- fake-sms: A script that enables the anonymous sending of SMS messages globally, often used to spoof sender identities.
- gmailc2: A command-and-control (C2) server that leverages Google SMTP services for covert communication, designed to bypass antivirus and network monitoring tools.
- TelegramRAT: A cross-platform remote access trojan that uses Telegram as its communication channel to evade traditional network restrictions.
- pycrypt: A Python-based crypter designed to obfuscate malware payloads and bypass antivirus detection.
- pyFUD: A fully undetectable (FUD), cross-platform remote access trojan (RAT) offering stealthy system access and control.
- zipcrack: An advanced utility for cracking password-protected ZIP archives using various brute-force and dictionary-based techniques.
Employment Claim:
On LinkedIn, Sikander lists himself as a Red Team Operator at ZettaByte (Islamabad), active since February 2021.
Linking Indicators:
- Sikander's GitHub account @machine1337 (ID: 82051128) is directly linked to the Telegram account @Machine1337 (ID: 2001371988) through a GitHub visitor-counter string (69,077 users as of 6 June 2025).
- A profile photo match between EnergyWeaponUser (on BreachForums[.]st) and @machine1337 (on XSS[.]is, linked to the @machine1337 Telegram account) indicates a potential connection or impersonation.
- Links to Angelferno and Inferno cryptocurrency drainer malware operations.
- Ties to Breachforums-affiliated groups on Telegram.
- A Binance account has been attributed to @EnergyWeaponUser / @mad_1337 (connected to "machine1337" groups and channels on Telegram).
Assessment:
Given the strong alignment between behavioral, technical, and contextual indicators, we assess with high confidence that Sikander Rasheed is a principal operator behind the EnergyWeaponUser persona and the affiliated "machine1337" groups and channels on Telegram.
Cluster 2: Turkish Cybercriminal Activity – Moderate Confidence
This cluster is anchored in Turkish-geolocated cybercriminal activity and includes the aliases:
- @EnergyWeaponUser (Instagram) – display name FLAME
- @RacistDawg (Telegram ID: 6412210891; previous username "AngelusInferno") – display name FLAME
- "Stole" (Telegram ID: 7015665822) – also seen with display name FLAME
Geolocation & Linguistic Indicators:
- Both Telegram user IDs 6412210891 and 7015665822 were geolocated to Izmir, Turkey.
- Consistent use of Turkish language and engagement in Turkish-speaking cybercrime groups.
- Social media activity, including Instagram posts, suggests presence in Dubai, UAE as of June 2025.
Operational Connections:
- Involvement in Turkish "Darq"-affiliated groups related to cybercrime.
- Links to Angelferno (Angel + Inferno) cryptocurrency drainer malware operations.
- Ties to Breachforums-affiliated groups on Telegram.
- Links to the CyberNiggers cybercriminal group.
Assessment:
The convergence of linguistic and behavioral indicators leads us to assess with moderate confidence that this individual, likely of Turkish nationality, may operate under the EnergyWeaponUser alias in relation to BreachForums-affiliated Telegram groups.
Cluster 3: Unknown Actor Linked via @downloading – Low Confidence
This cluster is based on intelligence from the Telegram user "grep" (linked to the now-inactive Hellcat ransomware group) within the BreachForums-affiliated chat The Jacuzzi (t.me/baphchat). According to "grep", the user @downloading (ID: 5302534689) may be behind the EnergyWeaponUser persona.
Operational Activity:
- @downloading is engaged in credential and proxy infrastructure trade.
- Operates WeHost.gg (RDP hosting) and spyderproxy.com (proxy services).
- Associated services are monetized via Stripe and cryptocurrency.
- A linked Bitcoin wallet cluster has been attributed to this user; the cluster address is linked to transactions originating from threat actors active on BreachForums.
Assessment:
No discernible behavioral correlation with the EnergyWeaponUser alias was observed. Therefore, we assess with low confidence that @downloading is the operator of the EnergyWeaponUser alias, though he may be indirectly affiliated through shared forums or proxy services.
Tracing EnergyWeaponUser: Behavioral and Attributional Insights
EnergyWeaponUser is a major cybercriminal who often worked with the well-known hacker IntelBroker in the past. Together, they have been linked to several high-profile data breaches across various sectors, including technology, automotive, finance, government, educational institutions, e-commerce platforms, and even organizations associated with intelligence communities.
Notable Data Breaches Involving EnergyWeaponUser:
- Acuity Inc (U.S. Government Contractor): In April 2024, EnergyWeaponUser, along with IntelBroker and Sanggiero, allegedly leaked sensitive documents linked to the Five Eyes Intelligence Group. The data, reportedly acquired through a breach of Acuity Inc, included personal and contact information of individuals associated with various U.S. government departments.
- Cisco Systems (USA): In June 2024, EnergyWeaponUser, alongside IntelBroker and another hacker known as "zjj", allegedly breached Cisco's systems. The attackers claimed to have exfiltrated sensitive data, including source code, hardcoded credentials, SSL certificates, and confidential documents. They reportedly maintained persistent access by exploiting hardcoded credentials found in the stolen data.
- Advanced Micro Devices (USA): In August 2024, EnergyWeaponUser and IntelBroker allegedly sold internal communications from AMD. The data reportedly originated from sources such as "idmp.prod.xilinx.com" and "amd.sso.okta.com", and included various internal documents and communications.
- Cartier via BORN Group (France): In August 2024, EnergyWeaponUser and IntelBroker purportedly exfiltrated data from Cartier's AWS S3 storage by exploiting LFI vulnerabilities. The compromised data included source code, images, and various files.
- CellKey (South Korea): In September 2024, the duo claimed to have breached CellKey, a South Korean AI and analytics company, leaking its data on BreachForums.
- Smart Buy (UAE): In October 2024, EnergyWeaponUser exposed sensitive information of approximately 8,500 users from a UAE-based e-commerce platform, including email addresses and transaction details.
- Rivoli Group (UAE): In October 2024, EnergyWeaponUser and IntelBroker leaked the Rivoli Group database. The claimed data includes 44,000 users, with order status, date, country, and email address.
- Ford Motor Company (USA): In November 2024, EnergyWeaponUser claimed responsibility for leaking a database containing 44,000 customer records from Ford. The data, which included customer names, addresses, and purchase details, was posted for free on BreachForums. Ford initiated an investigation and later attributed the leak to a third-party supplier, stating that no breach of Ford's systems occurred.
- PostEx (Pakistan): In December 2024, EnergyWeaponUser claimed to have breached PostEx, a billion-dollar company specializing in parcel and delivery services across Pakistan, UAE, and Saudi Arabia. The breach allegedly contains 400GB of data, including 9.9 million rows of sensitive user information such as last IP, email, bank account details, passwords, payment references, dates of birth, gender, mother's name, and mobile numbers.
Using StealthMole, we have detected and monitored data breaches attributed to EnergyWeaponUser through the Leaked Monitoring (LM) module. For example, in April 2025 two (2) breached datasets were found attributed to EnergyWeaponUser: sece.ac[.]in (Sri Eshwar Engineering College, Tamil Nadu, India) and vietoon[.]net (Vietnam's webtoon platform), as shown in the screenshot below.
The Telegram channel "Dark Web Informer – Cyber Threat Intelligence" (@TheDarkWebInformer), which monitors leaks across darknet forums, has traced at least 50 messages about leaks attributed to @EnergyWeaponUser and 3 breaches attributed to @machine1337.
A summary table of the claimed victims by location is provided below.
| # Victims | Geography / Location | Victims |
|---|---|---|
| 13 | United States | 1tx[.]io, Mykukun, AMD, Walacor Corporation, Bubble, Deloitte, Cisco, ELife, MIT Technology Review, Ford, Liberty Latin America, Hewlett Packard Enterprise, Devolver Digital |
| 6 | South Korea | Toaping, Ministry of National Defense, CellKey, Munmak Animal Hospital, IBookPark, Ministry of Environment |
| 6 | India | Estel Technologies, The Commons Foundation, uLektz, Melorra, IndiGo, Sri Eshwar Engineering College |
| 4 | UAE | WeOne Skills, SmartBuy, Rivoli Group, Giordano MiddleEast |
| 4 | Vietnam | Thuocsi, TPSOFTS, VIETOON |
| 2 | France | Cartier, Daxium |
| 1 | South Africa | eTenders |
| 1 | Canada | Impact Auto Auctions – IAA |
| 1 | Finland | Nokia |
| 1 | Germany | GUS Group |
| 1 | Indonesia | Pegadaian |
| 1 | Malaysia | Asia Recruit |
| 1 | Taiwan | Electronics Company |
| 1 | Pakistan | PostEx |
Cluster 1: Pakistan-Based Actor – High Confidence
This threat profile provides an in-depth analysis of "EnergyWeaponUser", derived from a comprehensive cross-platform investigation of its associated accounts, aliases, and behavioral patterns. Detailed information is provided in the table below.
| Attribute | Details | Confidence |
|---|---|---|
| Real Name | Sikandar Rasheed | High |
| Date of Birth | 14 August 1997 (via RaidForums[.]com) | Low |
| Primary Aliases | EnergyWeaponUser, machine1337, Mad_1337 | High |
| Known Platforms / Handles | Telegram: @EnergyWeaponUser, @machine1337, @Mad_1337, @LuffyNova, @cryptolordbroker, R0ot1337; GitHub: machine1337, unknownClay; LinkedIn: machine1337; Blogspot: pakhack; YouTube: Pak Hack; X.com: whoami4041; Facebook: pakhack01; Keybase: machine404; RaidForums (seized): machine404; BreachForums[.]to (seized): hellshot; Xss[.]is: machine1337 | High |
| Primary Telegram Channels / Groups | @M13DB ("DataBF"; ID: 2408388872); Machine 1337 (stylized Unicode name; t.me/+UVn96XLfEMA3MmE0); @Machine1337news ("Invoices"; t.me/Machine1337news; ID: 2560059470); Live traffic – M13 (t.me/+FLenH6Gd899mOTA0); Machine1337 (t.me/Machine1337; ID: 2001371988) | High |
| Primary Website | machine1337.com (registered: 16 May 2025; Namecheap) | High |
| Primary Location | Rawalpindi, Punjab, Pakistan | High |
| Main Languages Used | English | High |
| Secondary Languages Identified | Russian, French – Telegram metadata | Low |
| Skill Indicators | Malware Development (RATs, Crypters, C2s); Red Teaming; Social Engineering / Phishing; Web3 Drainer targeting; SMS Bombers, credential phishing tools | High |
| GitHub Tools | fake-sms, gmailc2, TelegramRAT, pycrypt, pyFUD, zipcrack | High |
| Criminal/Threat Activity | Developing malware under the guise of education; Forum-based leaked data trading; Wallet draining / scam groups; Crypto-related phishing and impersonation | High |
| Anonymity Practices | High OPSEC on Telegram (username switching); VPN / geolocation spoofing likely used | High |
| Payment Methods | Monero (XMR), Ethereum (ETH), Bitcoin (BTC), Tron (TRX) | High |
| Darknet/Leak Forum Activity | BreachForums[.]st; Xss[.]is; Cracked[.]sh | High |
| Affiliations | CyberNiggers, a cybercrime ring that includes IntelBroker; Angelferno (Crypto Drainer): a drainer-as-a-service operation; Inferno Drainer (Crypto Drainer): a drainer-as-a-service operation | High |
Further information about the usernames used by EnergyWeaponUser across online platforms is provided in the Appendix, "Online Platforms Associated with EnergyWeaponUser – Pakistan-Based Actor".
Two Email Addresses Linked to Sikandar Rasheed – Insights
At least two email addresses have been identified as associated with Sikandar Rasheed via OSINT:
- machineroot1337@gmail.com
- sk6928603@gmail.com
The email machineroot1337@gmail.com was found to be registered on the platforms listed below.
| Platform | Username / ID | Notes |
|---|---|---|
| GitHub | machine1337 / 82051128 | Registered: 6 April 2021; Last Seen: 11 February 2025 4:05:35 PM; Name: clay; Extracted Name: SIKANDER RASHEE; Top Language: Python (44.0%); External Contributions: 392; Extracted Old Usernames: leetclay |
| Google (platform inferred from the account ID format) | 114441707103618287319 | Display Name: machine 404; Location: Pakistan; Additional Email Hint: luc••••••@gmail.com; Phone Hint: •••••••••11 |
| LinkedIn (platform inferred from the URN) | machine1337 / urn:li:person:DgHgES_6XFz9Ee2z6-XrlN_oUOw3rX5TJOB_V053bwY | Name: root clay; Identified Name: Sikander Rasheed (cybersecurity certifications); Location: Rawalpindi, Punjab, Pakistan; Role: Red Team Operator with ZettaByte, Islāmābād, Pakistan since February 2021; Bio: CRTO \| eCPPTV2 \| Offensive Security Engineer \| Red Teamer \| Malware Analyst; Links to: github.com/machine1337 |
| Adobe | N/A | N/A |
| Samsung | N/A | Phone Number Hints: +92****21**64 |
| Microsoft | DF27AD0854A289E4 | Registration: 2 June 2022; Phone Number Hints: ********74; Name: clay rooti; Location: Pakistan |
| PayPal | N/A | Phone Number Hints: +447 *** 8611 |
| BreachForums[.]to | hellshot | N/A |
| Apple | N/A | Phone Hint: •••• •••••74 |
sk6928603@gmail.com was identified to be registered on the platforms outlined below.
| Platform | Username / ID | Notes |
|---|---|---|
| Google (platform inferred from the account ID format) | 108290411439482652454 | Phone Hint: •••• •••••64 |
| (platform not recorded) | N/A | Phone Number Hints: +**********64 |
| Skype (inactive) | live:.cid.269b35479af50c39 | Name: SIKANDER RASHEED |
| Microsoft | 269B35479AF50C39 | Registered: 15 March 2019; Last Seen: 5 August 2024 4:40:57 AM; Name: SIKANDER RASHEED; Location: Pakistan |
| Medium | sk6928603 / 5cdfdcacc5bc | Name: Sikandar khan |
| Sololearn | Sikandar / 12313124 | Registered: 8 January 2019; Location: Pakistan |
| Quora | 670056087 | Registered: 29 November 2018; Name: Sikander Khan |
| Keybase | machine404 | N/A |
| RaidForums[.]com | machine404 | DOB: 14-8-1997 |
| GitHub | sk6928603 / 52903132 | Registered: 15 July 2019; Repository: clay |
Telegram Cross-Chat Intelligence Assessment
The user EnergyWeaponUser (ID: 6345767864) has been linked to the following historical Telegram usernames and display names.
| Username | Date | Display Name | Date |
|---|---|---|---|
| @LuffyNova | 22 May 2025 | ₿ [emoji display name, not reproducible] | 20 March 2025 |
| @EnergyWeaponUser | 25 August 2024 | [emoji display name, not reproducible] | 17 May 2024 |
| @CryptoLordBroker | 13 June 2024 | [emoji display name, not reproducible] | 17 May 2024 |
| @JohnSMCSilver | 9 June 2024 | [emoji display name, not reproducible] | 15 May 2024 |
| @BrianOSCP | 10 March 2024 | [stylized Unicode display name, not reproducible] | 18 January 2024 |
| @csprshark | 25 February 2024 | [stylized Unicode display name, not reproducible] | 14 January 2024 |
| @tinode | 16 February 2024 | ₿ [stylized Unicode display name, not reproducible] | 3 January 2024 |
| @machine1337vip | 14 February 2024 | intel_brokers | N/A |
| @hm_tyla | 14 February 2024 | | |
| @TheCyb3rAlpha | 14 January 2024 | | |
| @Machine1337 | 3 January 2024 | | |
| @intel_brokers | N/A | | |
EnergyWeaponUser (ID: 6345767864) has been identified as a member of over 24 Telegram groups and currently holds administrator privileges in at least six of them. A review of this userโs group affiliations reveals involvement across multiple threat groups, summarized in the following clusters:
- Credential and Financial Data Trade Networks: Active participation in groups such as ShinyHunters, BEST LOGS CLOUD, and BidenCash CVV indicates a direct link to underground markets focused on stealer logs, compromised banking credentials, and card dumps.
- Cybercrime-as-a-Service (CaaS): Membership of groups such as "RAT and Botnet are my life" and "Stake Logs Chat" shows involvement in communities that sell or share malware and stolen data, making cybercrime tools and services easy for others to access and use.
- Crypto-related Scams and Draining Schemes: Groups like USDTSPIN, JEFE Token, Cryptoz, InfernoXDrainer are known for phishing, stealing tokens, and running fake pump schemes, usually through platforms like WalletConnect or fake DeFi tokens.
- Links to Known Cybercrime Groups: Connections to established BreachForums cybercriminal groups, such as ShinyHunters and The Jacuzzi, as well as the Crazy Evil group (of Russian origin).
A summary table of the relevant group affiliations is provided below.
| Telegram group / ID | Notes |
|---|---|
| t.me/ShinyHunters | Name: Shiny Hunters |
| t.me/c/1877803087 | Name: BEST LOGS CLOUD (written with Cyrillic homoglyphs) |
| t.me/terminaldiscussion | Name: Terminal Discussion (stylized Unicode letters) |
| t.me/FundingPipsofficial | Name: FundingPips Official |
| t.me/baphchat | Name: The Jacuzzi |
| t.me/cryptoz_chat | Name: Cryptoz Community |
| t.me/walletconnect | Name: WalletConnect |
| t.me/gazaalannetgroup | Name: [Arabic group name] 🇵🇸 (related to Gaza, Palestine) |
| t.me/jefetokencryptochat | Name: JEFE TOKEN CHAT (with emoji) |
| t.me/databreach | Name: Data Breach |
| t.me/+4zZkkUcYZ7g3ODc1 | Name: RAT and Botnet are my life |
| t.me/EgonCoin | Name: EgonCoin (EPoS Chain) |
| t.me/+Bmarfbd_kLsxZWMy | Name: Global Chat \| Crazy Evil (6,091 members) |
| t.me/usdtspingroup | Name: USDTSPIN |
| t.me/scamsniffer | Name: Scam Sniffer Official |
| t.me/helio_pay | Name: Helio – Web3 payment API |
| t.me/bidencashantipublic | Name: BidenCash CVV [ANTIPUBLIC REDIRECT] (stylized Unicode letters) |
| t.me/CertiKCommunity | Name: CertiK |
| t.me/stake_logs_chat | Name: Stake Logs Chat |
| t.me/InfernoXDrainer | Name: Inferno Drainer |
Through StealthMole, we mapped the historic usernames used by EnergyWeaponUser (ID: 6345767864) as shown in the below screenshot.
The historic Telegram username @CryptoLordBroker (recorded date: 13 June 2024), which is currently active and tied to a different Telegram ID (6945713977), was found to be a member of the Telegram groups or channels listed below.
| Telegram group / channel | Status | Telegram ID | Display Name / Details | Recorded Date (M/D/YYYY) |
|---|---|---|---|---|
| BerlinBigService | Active | 1181578263 | Big Service Berlin – drugs | 3/10/2024 |
| CloudMoney01 | Inactive | 1367346688 | Money Cloud | 3/9/2024 |
| Coinmuhendisi | Active | 1274333834 | Coin Mühendisi (Topluluk) – Turkish group | 2/20/2024 |
| DEPlugUnderWorld | Active | 1739150465 | [ DE ] ¶lug Underworld™ (stylized) – German group; drugs | 3/10/2024 |
| RespectTrade | Active | 1450622162 | RESPECT TRADE – Turkish group | 4/22/2024 |
| RewardQuestsOfficial | Active | 2165713367 | RewardQuests Official Telegram Group | 11/22/2024 |
| freifahren_BE | Active | 1370021231 | Freifahren_BE – German group | 10/28/2024 |
| kvokvo4 | Active | 2213394973 | [Hebrew display name, not reproducible] | 11/22/2024 |
| procardgrp | Inactive | 1172346098 | Spammers Carders Group | 3/10/2024 |
| smkzerkanijk | Inactive | 1257767982 | Ücretsiz & Analiz (Canli TAHMİNLERİ) – Turkish group | 11/22/2024 |
| smm_experts_telegram | Active | 2073637077 | SMM-Experts (with emoji) | 11/3/2024 |
| termuxqueenyt | Inactive | 1455624826 | Termux Discussion Group | 11/23/2024 |
| willieelogs | Inactive | 1624066929 | WILLIE CLOUD LOGS | 8/4/2024 |
Further investigation into Telegram groups and channels associated with EnergyWeaponUser (ID: 6345767864) revealed additional insights. One such channel, @Machine_1337 (Display Name: Machine1337 2.0), had 400 subscribers as of 11 May 2025. Notably, the channel was previously named "Angel Ferno", as shown in the screenshot below.
The Telegram channel @Machine_1337 is also connected to a private group named "Machine 1337" (t.me/+UVn96XLfEMA3MmE0), which had 56 members as of 11 May 2025. The group is administered by @EnergyWeaponUser. A supporting screenshot is provided below.
The Telegram channel @Machine_1337 advertises real-time premium phone numbers for purposes such as marketing, account verification (e.g., OTPs for social media and apps), and business use. Services are promoted with global coverage, including regions such as the UAE, Saudi Arabia, China, India, and the EU.
The channel has also shared data breach materials related to domains and entities such as federalbank.co[.]in, NMC Specialty Hospital (Abu Dhabi), and Steam.
An associated Telegram bot, @Machine_visits_bot, was also identified. It redirects users to t.me/Machine1337, which had 170 subscribers as of 11 May 2025.
The Telegram channel @Machine1337 (ID: 2001371988) was found to be directly connected to Sikander Rasheed's GitHub account @machine1337 (ID: 82051128) via a GitHub visitor-counter string (69,077 users as of 6 June 2025). Illustrating screenshots are provided below.
On 18 April 2025, the Telegram group "Machine1337" shared content related to the Angelferno crypto drainer panel, which, according to the screenshot below, displayed total funds drained amounting to $267,902 USD.
Additional data breaches, including kch[.]sa (29M records), propertyfinder[.]com (17M records), shory[.]com (24M records), and kucoin[.]com (46M records), were posted in the Telegram group Machine1337 (t.me/+nR8L3Ir3GZ8zZGU0).
The Telegram group Machine1337 (stylized Unicode name; t.me/+nR8L3Ir3GZ8zZGU0), managed by @EnergyWeaponUser, was also archived by telemetr.io, where historic messages can be reviewed. A screenshot is provided below.
A previous message shared in this group indicated a connection between @EnergyWeaponUser and the now-inactive account @AngelDrainer_Support.
An earlier message posted in the same group also revealed a link between the Crazy Evil group and Angel Drainer.
On 15 May 2025, a message referencing a Coinbase dataset was shared in the group. A supporting screenshot is included below.
Further investigation is required to better understand the connection between @EnergyWeaponUser and the Angelferno crypto drainer.
As of 5 June 2025, the following Telegram groups and channels remain active.
| Telegram group / channel | Display Name | Notable Details |
|---|---|---|
| @M13DB / 2408388872 | DataBF | Connected to @Mad_1337 (ID: 6389405939); 38 subscribers |
| t.me/+UVn96XLfEMA3MmE0 | Machine 1337 (stylized Unicode name) | Connected to @Mad_1337 (ID: 6389405939); 250 members |
| @Machine1337news / 2560059470 | Invoices | Connected to @Mad_1337 (ID: 6389405939); 36 members |
| Machine1337 / 2001371988 | ✨Machine1337✨ (stylized Unicode name) | Connected to @Mad_1337 (ID: 6389405939); 2,209 subscribers |
| t.me/+FLenH6Gd899mOTA0 | Live traffic – M13 | Connected to @Mad_1337 (ID: 6389405939); 125 subscribers |
| @LuffyNovax / 2283975039 | EnergyWeaponUser | Connected to @Mad_1337 (ID: 6389405939); 11 subscribers |
The Telegram user @Mad_1337 (ID: 6389405939; display name: Seller | Real/Time LOG) was found to be listed on the Telegram channel @LuffyNovax (ID: 2283975039; display name: "EnergyWeaponUser"). Illustrating screenshots are provided below.
Blockchain Insights via AMLBot
Our advanced monitoring of Telegram channels and groups associated with EnergyWeaponUser (ID: 6345767864) revealed one ETH address, which appeared in a story on the machine1337 Telegram channel showing a message from Coinbase. A screenshot is provided below.
The identified ETH address 0x9c0407f7f7598951071699202C54f702da6ec1D1 was further investigated through AMLBot which revealed funds withdrawn via @CryptoBot in Telegram.
A further Tron (TRX) address was identified and labeled in AMLBot. Through our analysis, we identified a Binance account from which funds were withdrawn. An additional Bitcoin (BTC) address was found to be linked to a Binance account associated with EnergyWeaponUser (ID: 6345767864) / Mad_1337 (ID: 6389405939).
Cluster 2: Turkish Cybercriminal Activity – Moderate Confidence
This threat profile provides an in-depth analysis of "EnergyWeaponUser", derived from a comprehensive cross-platform investigation of its associated accounts, aliases, and behavioral patterns. Detailed information is provided in the table below.
| Attribute | Details | Confidence |
|---|---|---|
| Primary Aliases | @EnergyWeaponUser (Instagram and Chess.com); @RacistDawg and "Stole" (Telegram ID: 7015665822) | High |
| Primary Screen Name | FLAME (stylized Unicode letters framed by emoji; Instagram and Telegram) | High |
| Known Platforms / Handles | Telegram: @RacistDawg, @StoleLol; Instagram: EnergyWeaponUser; Chess.com: EnergyWeaponUser | High |
| Primary Telegram Channels / Groups | FlameFragsLLC (ID: 2252523645); [stylized Unicode name, not reproducible] (ID: 2196571123); Darqhackicraat (ID: 2443613902); darqchat4 (ID: 1686427823); darqbankchat (ID: 2275647463); Xvachat (ID: 2195535567); baphchat (ID: 1806390689) | High |
| Crypto Swapping Service Used | Swap.my | High |
| Primary Location | Izmir, Turkey | High |
| Secondary Location | Dubai, UAE (Instagram) | High |
| Main Languages Used | Turkish, English | High |
| Secondary Language(s) Identified | Arabic – Instagram metadata | Low |
| Interests | Money, Cars, Gambling, Crypto draining, Travel, Computer Games | High |
| Skill Indicators | Social Engineering / Phishing; Web3 Drainer targeting | High |
| Criminal/Threat Activity | Trade of stolen credentials and account data, compromised credit cards, 3D Secure authentication bypass methods, and malicious bots for account checking or SMS spamming; Crypto-related phishing and impersonation | High |
| Anonymity Practices | High OPSEC on Telegram (username switching); VPN (Mullvad) / geolocation spoofing likely used | High |
| Payment Methods | Bitcoin (BTC), Litecoin (LTC) | High |
| Darknet/Leak Forum Activity | BreachForums[.]st; Xss[.]is; Cracked[.]sh | High |
| Affiliations | CyberNiggers, a cybercrime ring that includes IntelBroker; Angelferno (Crypto Drainer): a drainer-as-a-service operation; Darq Hack: Turkish cybercriminal group | High |
A username enumeration for EnergyWeaponUser has uncovered an Instagram account EnergyWeaponUser (ID: 69628457694).
Further analysis of this Instagram account uncovered evidence of cryptocurrency transactions through the swapping service swap.my, images featuring a 2021 Tesla Model 3, a photo of their flight to Dubai that includes the Turkish word "Hedef" (meaning "Aim"), and indications of gambling activity in Dubai. Supporting screenshots are provided below.
Notably, the Instagram account EnergyWeaponUser (ID: 69628457694) has a follower base that includes multiple Turkish and Arabic accounts. Further investigation on Telegram identified a user under the stylized name "FLAME" (@RacistDawg; ID: 6412210891), which matches the display name "FLAME", the activity observed on both platforms, and one of the profile photos featured in a post on the Instagram account. The Telegram user @RacistDawg has been active since at least September 2024, with over 53,762 messages posted across at least 98 groups. Their most frequented group appears to be the stylized-name group with ID 2196571123, and they hold admin privileges in at least 14 groups.
Using StealthMole, we also mapped the historical usernames associated with Telegram ID: 6412210891.
Notably, the Telegram username @korkuyorsun (English translation: @youarescared; ID: 2321518987; display name: โSGโ) currently corresponds to a group consisting of 8 members, which includes @RacistDawg, @angelmisinbe (ID: 6835437439), @Savas5445 (ID: 6408919817), @FlameFragsLLCbot (ID: 8177711664), @FlameFMBot (ID: 7670035343), and @flamespajeetbot (ID: 7672418466).
Using complementary OSINT tools, we uncovered an additional username linked to Telegram ID: 6412210891: @AngelusInferno.
Historical display names associated with this ID, as retrieved via StealthMole, are shown below. Notably, on 2025-04-06 at 01:01:31 AM, the user briefly adopted the display name "Cyberniggers".
Using StealthMole, we also mapped the Telegram groups / channels linked to Telegram ID: 6412210891.
Through a complementary OSINT tool, we identified additional Telegram groups / channels linked to @RacistDawg. A summary table is provided below.
| Telegram group / channel | Notable Details |
|---|---|
| t.me/livegoonparty | Live Goon Party |
| t.me/baphoporn | Jacuzzi 6 – BreachForums related |
| t.me/MarianasForum_chat | MarianasForum [Chat] |
| t.me/qnbcomtrchat1 | Inactive |
| t.me/zirveiletisimsohbet | Zirve İletişim Sohbet – Turkish group |
| t.me/watsupchat | CHAT (with emoji) |
| t.me/AnarchyGrup | SonsOfAnarchy – Turkish group |
| t.me/CONTRAVOLTA7 | CONTİSTAN #VOLTA – Turkish group |
| t.me/m3ngchh3a_group | M3NGCHH3A – GROUP |
| t.me/MalevolencSec | Malevolence Sec |
| t.me/hackservis_chat | Hack Servis Chat – Turkish group |
| t.me/japonyataht | Inactive |
| t.me/osintschat | Osint Service Chat |
| t.me/dertli_hanem | Huh – Turkish name; links to LaFlame & #808 |
| t.me/Arianmedya | Arian Media – Turkish group |
| t.me/iran_highweb | GANZIR CITY – Iranian group |
| t.me/ezilmeyiz | Turkish group |
| t.me/swarehackteamchat | Yönlendirme – Turkish group |
| t.me/blackmarket | blackmarket |
| t.me/darqbankchat | darq bank chat – Turkish group; @RacistDawg has been active here since September 2024, posting in Turkish; identified location: İzmir, Turkey; @RacistDawg works closely with @serkancobanexee [Serkan Çoban – K4BE] in card fraud activities; on 7 January 2025, @RacistDawg was geolocated in Bursa, Turkey |
| t.me/cyberxleakchat | Inactive |
| t.me/TRArayisGrup | Inactive |
| t.me/H_6_N_N | Python Problem Solving – Arabic group |
| t.me/darqgrup | Inactive |
| t.me/Xvachat | XVA #AFK (@RacistDawg has been active here since October 2024) |
| t.me/CyborxCheckerChat | Inactive |
| t.me/cyberextorters | Inactive |
| t.me/vipdarqaq | Inactive |
| t.me/darqsorgu | Inactive |
| t.me/darqticaret | Inactive |
| t.me/thescamgalaxy | The Scam Galaxy |
| t.me/darqhacklogsohbet | Inactive |
| t.me/SworD_guvence | Güvence – Turkish group |
| t.me/bankjobaffairs | BANK JOB AFFAIRS (with emoji) |
| t.me/Osintcorp_chat | Osintcorp chat |
| t.me/darqkanallar | Inactive |
| t.me/Pentester_Club | Pentester Club |
| t.me/notifyapp | Notify for Mi Band & Amazfit – Discussion |
| t.me/BotsArchiveChat | BotsArchive Chat |
We extended our analysis to over 1,000 messages posted by Telegram ID: 6412210891 using StealthMole. A selection of these messages is shown in the screenshot below. Specifically, we identified signs of affiliation with BreachForums-related Telegram groups, demonstrated proficiency in the Turkish language, discussions around crypto draining, and references to the Russian cybercrime forum XSS[.]is.
It is notable that Telegram ID: 6412210891 serves as the admin of the channel @FlameFragsLLC (stylized Unicode display name; ID: 2252523645). The channel contains messages in Turkish, along with references by the admin to Turkey, cryptocurrency, bank cards, and gambling. A screenshot of the channel is provided below. Additionally, Telegram ID: 6412210891 is linked to the bot @FlameOSINTbot (ID: 7797783556), which appears to be used for conducting user investigations on Telegram.
Analysis of The Jacuzzi Telegram group (t.me/baphchat; ID: 1806390689), where @EnergyWeaponUser was active, has revealed another account: Telegram ID 7015665822. This account is linked to @RacistDawg (ID: 6412210891; also known as "FLAME") through its former stylized display name "FLAME" and past message interactions.
The user behind ID 7015665822 most recently appeared under the name โStoleโ before the account was deleted. It was registered with a Turkish phone number. A table below outlines the historical usernames and display names associated with this account.
Username | Date | Display Name | Date |
@StoleLol | 5 May 2025 | Stole | 6 May 2025 |
@eIvisnpc | 4 May 2025 | ElvisS Hamilt0n*5*4(npc) | 6 May 2025 |
@EnesBaba8 | 3 May 2025 | Enes STARS | 3 May 2025 |
@lewis14h | 29 April 2025 | puffy | 3 May 2025 |
@LokiLmao | 14 March 2025 | Loki | 15 March 2025 |
@CuteyPatootie | 10 February 2025 | Cuddly | 14 March 2025 |
 | | Cuddly *legolasinkedicigi | 17 February 2025 |
 | | stylized name (flanked by emoji) | 10 February 2025 |
 | | Retry | 3 February 2025 |
Analysis of messages posted by Telegram user ID 7015665822 across various groups revealed the following:
- He was part of the original BreachForums team.
- He stated that "Loki" is based in the United Kingdom.
- He claimed, in a conversation with IntelBroker, that IntelBroker operates out of Russia.
- He is active in groups and channels associated with "Darq" (derived from the English word "dark", as in dark web).
- He was geolocated to İzmir, Turkey, and is a Turkish speaker.
The Telegram groups linked to user ID 7015665822 are listed below.
Telegram group / channel | Notable Details |
Darq-affiliated group, stylized name (t.me/c/2196571123) | 607 messages posted by 7015665822 |
TALİGUN #GLADİO (t.me/TaIigun) | 5 messages posted |
QNB FinansBank #C.. (t.me/+mxV-Pwzn2JxiMTcx) | 4 messages posted |
Database World ROC (t.me/+VQ6eRxRW021kYjZk) | 1 message posted |
Stylized name (t.me/c/2451141248) | 8 messages posted |
Stylized name (t.me/c/2332759678) | 145 messages posted |
Osint Lovers (t.me/postexploitation) | 21 messages posted |
CİTİBANK CHAT #Y.. (t.me/CTYBANK) | 8 messages posted |
AI / Public Chat (t.me/+QXQgHf2wEY41ZGY0) | 48 messages posted |
The Jacuzzi (t.me/baphchat) | 86 messages posted |
TeleGuard (t.me/teleguard) | 1 message posted |
Holyland (t.me/unbullyable) | 15 messages posted |
Stylized name (t.me/c/2262339728) | 6 messages posted |
LOCKBIT_2.0_LOGS (t.me/LOCKBIT20) | 1 message posted |
QNB FinansBank #CHAT (t.me/c/2462822942) | 0 messages |
Darq cybercrime group and Serkan Çoban (K4BE)
Darq has been identified as a collective of Turkish hackers, operating through a network of Telegram groups and channels. A summary of these affiliated entities is presented in the table below.
Telegram group / channel | Notable Details |
Darq-affiliated group, stylized name (t.me/c/2196571123) | N/A |
t.me/darqTrsohbet | Same stylized name as t.me/c/2196571123 (877 members) |
t.me/darqhackicraat | Stylized Darq name with hashtag (17 members) |
Stylized name (t.me/c/1895303051) | N/A |
t.me/darqchat4 | Darq Hack Log #CHAT (831 members) |
t.me/darqbankchat | darq bank chat (Turkish group). @RacistDawg has been active since September 2024, posting in Turkish; identified location: İzmir, Turkey. @RacistDawg works closely with @serkancobanexee [Serkan Çoban, K4BE] in card-fraud activities. On 7 January 2025, @RacistDawg was geolocated to Bursa, Turkey. |
t.me/darqgrup | Inactive |
t.me/darqsorgu | Inactive |
t.me/darqticaret | Inactive |
t.me/darqhacklogsohbet | Inactive |
t.me/darqkanallar | Inactive |
Two users were identified as highly active participants within the previously mentioned Darq-affiliated Telegram groups and channels:
- @RacistDawg (ID: 6412210891)
- @serkancobanexee (ID: 6210092900; display name: Serkan Çoban followed by a stylized hashtag)
Further investigation revealed that @serkancobanexee is connected to the account @angelmisinbe (ID: 6835437439; stylized display name flanked by emoji, followed by a stylized hashtag). This user has been active since March 2024, with 38,897 messages posted across more than 57 Telegram groups. The table below summarises the historical usernames and display names associated with ID 6835437439; Cyrillic look-alike letters are rendered with their Latin equivalents, and stylized lettering and decorative emoji are noted as such.
Username | Date | Display Name | Date |
@otistikyaratik | 13 April 2025 | stylized name *stylized tag (flanked by emoji) | 3 June 2025 |
@hypzel | 6 April 2025 | stylized name*QNBFinansBank (flanked by emoji) | 3 June 2025 |
@amazonsiken | 25 March 2025 | angelmisinbe | 21 May 2025 |
@nefesalsinyeter | 22 March 2025 | A N G E L (flanked by emoji) | 7 May 2025 |
@yapamamsensiz | 20 March 2025 | <angel/>*AFK | 7 April 2025 |
@baldizezen | 15 February 2025 | stylized name *QNBFinansBank | 6 April 2025 |
@siktimbittin | 13 February 2025 | A N G E L(god mod) | 31 March 2025 |
@banabenzeme | 10 February 2025 | A N G E L*QNBFinansBank (flanked by emoji) | 18 February 2025 |
@angelmisinbe | 19 August 2024 | BALDIZ EZEN*QNBFinansBank (flanked by emoji) | 16 February 2025 |
@angelofflinee [first] | N/A | stylized name*darqbank (flanked by emoji) | 4 February 2025 |
N/A | N/A | SİKİSKEN KURBAGA | 27 January 2025 |
N/A | N/A | Angel *Darq | 11 January 2025 |
N/A | N/A | ANGEL WAS HERE | 3 January 2025 |
N/A | N/A | stylized name*XVA (flanked by emoji) | 30 December 2024 |
N/A | N/A | stylized name @QNBFinansBank | 6 October 2024 |
N/A | N/A | Yetimhane kundakçısı ANGEL | 21 September 2024 |
N/A | N/A | ANGEL MARKA *CC | 18 September 2024 |
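The two username tables above (Telegram IDs 7015665822 and 6835437439) show the same person cycling through display names that differ only in lettering: Cyrillic look-alike letters, mathematical-bold "font" characters, spaced-out letters and emoji padding. When pivoting across accounts, such names should be compared by a normalised skeleton rather than byte-for-byte, and a name mixing Latin and Cyrillic letters is itself a useful flag. The Python below is an added example written for this page, not tooling from the investigation. The sample names are constructed to mimic the patterns in the tables (the exact Cyrillic and mathematical-bold code points are assumptions about how the originals were composed), and the confusables map is a hand-picked subset of the Cyrillic letters most often abused, not Unicode's full confusables list.

```python
import unicodedata
from collections import defaultdict

# Cyrillic letters that render identically to Latin ones. Hand-picked subset
# (an assumption for this example); Unicode's confusables.txt is authoritative.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u0406": "I", "\u0408": "J",
}


def scripts(name: str) -> set[str]:
    """Script families (first word of the Unicode character name) used by the
    letters in a display name. LATIN + CYRILLIC together is the homoglyph
    signature; MATHEMATICAL marks 'font' lettering."""
    found = set()
    for ch in name:
        if ch.isalpha():
            try:
                found.add(unicodedata.name(ch).split()[0])
            except ValueError:  # code point without a name
                pass
    return found


def skeleton(name: str) -> str:
    """Collapse a display name to a comparison key:
    1. NFKC folds styled 'font' variants (mathematical bold, fullwidth, ...)
       to their plain base letters;
    2. Cyrillic look-alikes are swapped for their Latin twins;
    3. combining marks, spaces, punctuation and emoji are dropped;
    4. the result is lower-cased."""
    s = unicodedata.normalize("NFKC", name)
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    s = unicodedata.normalize("NFD", s)
    s = "".join(ch for ch in s if unicodedata.category(ch)[0] in ("L", "N"))
    return s.lower()


def cluster(names):
    """Group raw display names that share a skeleton."""
    groups = defaultdict(list)
    for n in names:
        groups[skeleton(n)].append(n)
    return dict(groups)


# Constructed sample names modelled on the patterns in the tables above.
SAMPLE_NAMES = [
    "Loki",
    "L\u043eki",                                  # Cyrillic small o
    "\U0001d403\U0001d400\U0001d411\U0001d410",   # mathematical bold D A R Q
    "Darq",
    "A N G E L",
    "\U0001f54a \u0410NG\u0415L \U0001f54a",      # emoji padding, Cyrillic A and E
    "\u0421uddl\u0443",                           # Cyrillic C and y
    "ElvisS \u041damilt0n*5*4(n\u0440c)",         # Cyrillic H and p
]

if __name__ == "__main__":
    for key, members in cluster(SAMPLE_NAMES).items():
        flags = ", ".join(sorted(s for m in members for s in scripts(m)))
        print(f"{key:22} {members!r} [{flags}]")
```

The skeleton is a pivot key, not proof of identity: two unrelated accounts can share a common word, so a skeleton match should be corroborated by the message interactions and timing the report relies on elsewhere.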
The user @angelmisinbe (ID: 6835437439) was identified as a member of multiple Turkish Telegram groups and channels linked to cybercriminal activities, including the trade of stolen credentials and account data, compromised credit cards, 3D Secure authentication bypass methods, and malicious bots for account checking or SMS spamming.
Analysis of this activity indicates that the user is most active in the Darq-affiliated group with the stylized name (ID: 2196571123). Additionally, a possible location for the user was identified via a delivery address on Amazon.com.tr: Koza Cd. No:11 D:15, Görükle, 16285 Nilüfer/Bursa, Turkey.
Further screenshots linked to @angelmisinbe include images featuring Turkish cash (lira). Supporting screenshots are provided below.
A screenshot shared by @serkancobanexee (ID: 6210092900; display name: Serkan Çoban followed by a stylized hashtag), depicting various activities along with Turkish currency, is provided below.
@serkancobanexee (ID: 6210092900) was also found to be linked to the following Telegram entities:
- Channel @wazebiola (stylized display name; 475 subscribers)
- Channel @k4be4 (ID: 2577905307; 596 subscribers)
- Group t.me/+oF-Q-cX1wF5iNTZh (172 members)
Cluster 3: Unknown Actor Linked via @downloading (Low Confidence)
This threat profile covers the Telegram account @downloading, which has been alleged to be the individual behind the "EnergyWeaponUser" alias, and is derived from a cross-platform investigation of its associated accounts, aliases, and behavioral patterns. Detailed information is provided in the table below.
Attribute | Details | Confidence |
Primary Alias(es) | @downloading (ID: 5302534689) | High |
Primary Screen Name | Liars | High |
Known Platforms / Handle(s) | Telegram: @downloading | High |
Primary Telegram Channels / Groups | baphchat (ID: 1806390689): 139 messages; synergylounge (ID: 1510230751): 1,382 messages; aezachat (ID: 1972163148), related to hosting services: 6 messages; WeHosts_Bot (ID: 2213203769): 5 messages | High |
Associated Websites | synergy.do (inactive): marketplace for compromised accounts and services; wehost.gg: bulletproof hosting services; spyderproxy.com: proxy services, hosted in the U.S. | High |
Payment Methods | Stripe (wehost.gg and spyderproxy.com); cryptocurrency via NOWPayments.io (wehost.gg) and Cryptomus (spyderproxy.com); Cash App (synergy.do); PayPal | |
Cryptocurrency Address identified and tagged | Bitcoin cluster address linked to transactions originating from threat actors active on hacking forums | High |
Primary Location | Not identified | N/A |
Main Language(s) Used | English | High |
Interests | Bulletproof hosting, residential proxies, credential theft; hacking forums (e.g., Cracked, Nulled) as a source of customers | High |
Criminal/Threat Activity | Trade of stolen credentials and account data; bulletproof hosting and proxy services; middleman (MM) deals, i.e. escrow-like services for transactions | High |
Anonymity Practices | High OPSEC on Telegram (username switching); VPN / geolocation spoofing likely used | High |
Darknet/Leak Forum Activity | BreachForums[.]st; Cracked[.]sh | High |
Affiliation(s) | CyberNiggers, a cybercrime ring that includes IntelBroker | Low |
Further analysis of The Jacuzzi Telegram group (t.me/baphchat; ID: 1806390689) has yielded the following key findings:
- Telegram user "zjj" (ID: 6772882827): identified as having links to the cyberattack targeting Cisco Systems.
- Telegram user "Sanggiero" (ID: 5879429917): identified as linked to the cyberattack against Acuity Inc, a U.S. government contractor, reportedly carried out in coordination with EnergyWeaponUser and IntelBroker.
- Telegram user "grep" (ID: 7430697411), previously affiliated with the Hellcat ransomware group, alleged that @downloading (ID: 5302534689) is the individual behind the "EnergyWeaponUser" alias.
- The user @downloading has been connected to several services, including the now-inactive synergy.do, WeHost.gg (a platform offering RDP access), and spyderproxy.com (a provider of proxy services).
Activity Linked to @downloading (Telegram ID: 5302534689)
At least three websites, synergy.do (now inactive), wehost.gg, and spyderproxy.com, have been attributed to @downloading based on Telegram-linked associations.
Synergy.do (Synergy Shop) offered access to compromised credentials for services such as Netflix, Sephora, Hilton Honors (2FA), Paramount+, Sling TV, PlexTV, HBO MAX, Victoriaโs Secret, Groupon, and others. The site accepted Cash App and cryptocurrency payments and specified that legal matters would be governed by Romanian law, as stated in its privacy and dispute resolution policies.
A screenshot of the historical website synergy.do is provided below via WebArchive.org.
The Telegram channel @synergyshop (ID: 1586888933; display name: "Synergy [Hungerstation.io]"), previously linked to Synergy Shop, was suspended by Telegram for Terms of Service violations. However, an affiliated Telegram group, @synergylounge (ID: 1510230751; display name: "Synergy Chat [Hungerstation.io]"; 1,231 members), remains active and is associated with @downloading.
WeHost.gg Infrastructure
- Domain: Registered via Namecheap, Inc. on 30 April 2024; fronted by Cloudflare, which hides the origin server's IP address.
- Policy: Terms of Service cite Canada as the jurisdiction for legal matters.
- Social Media Presence:
- Telegram channel: @wehosts (ID: 2046303235; 330 subscribers)
- Telegram group: @WeHosts_Bot (ID: 2213203769; 11 members)
- Discord channel: discord.gg/T2fVdDe2Dw (142 members), linked to Discord user ID: 1136575220178747392 (33guy), registered on 23 August 2023
- X.com account: @wehostgg, created May 2024, follows @SpyderProxy (registered in January 2025).
- Payments: Accepts Stripe and cryptocurrency via NOWPayments.io
SpyderProxy.com Infrastructure
- Domain: Registered via Namecheap, Inc. on 19 August 2023
- Hosting IP: 23.26.108.199, geolocated to New Jersey, hosted by ReliableSite.Net LLC
- Legal Disclosures:
- Claims to be operated by โSPYDER PROXY LLCโ (a likely fictitious entity)
- Privacy Policy lists the United States as the legal jurisdiction
- Social Media Presence:
- Telegram channel: @spyderproxy (ID: 1948136699; 517 subscribers)
- Telegram user support: @SpyderProxySupport (ID: 6551038951)
- Discord channel: discord.gg/r55fWbzSNT (873 members), linked to user SpriteLover (Discord handle: @themoonone4172; ID: 400291893075771392)
- X.com account: @SpyderProxy (registered in January 2025), follows @Cop_Supply (cop.supply; a platform providing resources such as automation bots, proxy services, and sneaker-focused forums).
- Payments: Accepts Stripe and cryptocurrency via Cryptomus
- Promotion: Widely advertised on underground forums, including blackhatworld.com, hackforums.net, forum.gsa-online.de, addset.ru, cream-team.ru, cpamafia.pro, crackingx.com, patched.to and leakzone.net, among others.
- Cryptocurrency Attribution:
- A Bitcoin cluster linked to @downloading was tagged in AMLBot; it has received more than USD 130,000 in transactions.
- The wallet history includes transactions from darknet markets, threat actors, and sources tied to stolen funds and fraudulent activity.
Appendix
1. Online Platforms Associated with EnergyWeaponUser (Pakistan-Based Actor)
Platform | Confidence Level | Username / ID | Notes |
Breachforums.st (inactive) | Moderate | EnergyWeaponUser / 117986 | Registered: 3 February 2024. The profile photo at one point matched that of user machine1337 on XSS[.]is. |
Telegram | High | EnergyWeaponUser / 6345767864 | Registered: 7 August 2023; linked language: French |
XMPP | Low | N/A | EWU@thesecure.biz |
Steam | Low | Energyweaponuser / 76561199853311576 | Display Name: EWP |
Discord | Low | Energyweaponuser / 475686180491493386 | Registered: 5 August 2018; Display Name: kat |
Pokemonshowdown.com | Low | EnergyWeaponUser | Registered: 11 April 2024 |
Minecraft | Low | EnergyWeaponUser / 944d5540-43aa-48fb-9dd0-63e108b39921 | N/A |
Xss.is | High | machine1337 | Registered: 19 January 2024; links to t.me/machine1337 |
GitHub | High | machine1337 / 82051128 | Display name: clay; links to Instagram @invisibleclay100 and YouTube Pak Hack (Location: Pakistan); Repositories: |
LinkedIn | High | machine1337 | Display Name: root clay; Location: Rawalpindi, Punjab, Pakistan; links to github.com/machine1337; identified email: machineroot1337@gmail.com; identified name: Sikander Rasheed; Role: Red Team Operator with ZettaByte, Islamabad, Pakistan, since February 2021 |
Cracked.sh | Low | machine1337 | Posts: 13 |
Roblox | Low | machine1337 / 15801924 | N/A |
(platform not captured) | Low | machine1337 / 1747993453 | Registered: March 2015; Bio: stylized text; Followers: 411; Following: 427 |
Snapchat | Low | hm_tyla | Display Name: stylized text; last updated 21 December 2023 |
Telegram | Low | Cryptolordbroker / 6945713977 | Member of Turkish groups |
Breachforums.st (inactive) | Low | cryptolordbroker | N/A |
X.com | Moderate | Brianoscp / 1753394160898379800 | Registered: 2 February 2024; Name: Mohamed Ali; registered email: ha********@gmail.com; Followers: 4; Following: 27; links to t.me/Machine1337 |
Breachforums.st (inactive) | Low | brianoscp | N/A |
hackerone.com | High | machineroot1337 / Z2lkOi8vaGFja2Vyb25lL1VzZXIvMTY4ODIxNw== | Registered: April 2021; Display Name: Machine404; links to GitHub @machine1337 and X.com @whoami4041 |
Raidforums.com (inactive) | High | machine404 | Registered email: sk6928603@gmail.com; DOB: 14-8-1997 |
Keybase.io | High | machine404 | Display Name: Unknown Clay; following hide01 (Iran) |
Telegram | High | R0ot1337 / 1015386975 | Display Name: Unknown C; Bio: The Beginning is Near #Anonymous; history of usernames and display names: @R0ot1337 (18-04-2022 07:58) = Unknown C; @R0ot1337 (21-01-2021 07:26) = Unknown Clay; @Machine404 (16-12-2020 11:48) = Unknown Clay |
X.com | High | whoami4041 / 1336314911488499712 | Registered: December 2020; Bio: "Bug Bounty Hunter / Penetration Tester / Malware Dev / Computer Science Student"; links to github.com/machine1337 |
Instagram | High | invisibleclay100 / 34082359328 | Registered: April 2020; Display Name: unknownclay; links to GitHub @machine1337 and Hack The Box @unknownspy100 |
hackerone.com | High | unknownclay / Z2lkOi8vaGFja2Vyb25lL1VzZXIvMTA3Mzk4Nw== | Registered: 25 April 2020 Display Name: Sikander Rasheed |
tryhackme.com | High | unknownclay / 43594 | Location: Pakistan |
GitHub | High | unknownClay / 115655735 | Registered: 12 October 2022; Repositories: |
YouTube | High | Unknownclay / UCZ8G1elVHJsDGG5A-DG8kJQ | Registered: 10 February 2023; Name: unknown clay; profile photo with "Muhammad Ali" |
intigriti.com | Moderate | Unknownclay / 7404c611-b86d-4feb-8585-3ac18d403f7c | N/A |
Discord | Moderate | Unknownclay / 1081879698474287144 | Registered: 5 March 2023 |
BreachForums.to (inactive) | High | hellshot | Registered: 23 October 2022 Registered Email: machineroot1337@gmail.com |
Blogspot | High | pakhack / 5812711222077627409 | Profile URL: machine1337.blogspot.com; links to Facebook @whoami4041, X.com @whoami4041 and Instagram @invisibleclay100 |
YouTube | High | UCC_aPnmV_zGfdwktCFE9cPQ | Registered: 21 September 2020; channel name: Pak Hack; Location: Pakistan; links to Instagram @invisibleclay100, Facebook @pakhack01 and X.com @whoami4041 |
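Several identifiers in the table above encode more than they appear to. Discord user IDs are snowflakes whose upper 42 bits are a millisecond timestamp since 2015-01-01 UTC, so an account's creation time can be derived offline; HackerOne's opaque user IDs are base64 of a Rails global ID (gid://hackerone/User/<n>), so the numeric IDs give a relative ordering of account age. The Python below is an added example written for this page, not tooling from the investigation; it reuses only identifiers listed in the table and in the WeHost.gg and SpyderProxy.com sections. As a check, the two Discord dates the table states (5 August 2018 for 475686180491493386 and 5 March 2023 for 1081879698474287144) are reproduced exactly by the decoder, whereas user 1136575220178747392 (33guy) decodes to 3 August 2023 rather than the 23 August 2023 given in the WeHost.gg section; that date should be re-checked, since it may refer to the Discord server rather than the user account.

```python
import base64
from datetime import datetime, timedelta, timezone

# Discord snowflakes count milliseconds from the Discord epoch, 2015-01-01T00:00:00Z.
DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)


def discord_snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake (user, guild or message ID).
    Layout: 42-bit timestamp | 5-bit worker | 5-bit process | 12-bit sequence."""
    return DISCORD_EPOCH + timedelta(milliseconds=snowflake >> 22)


def hackerone_gid(opaque_id: str) -> tuple[str, int]:
    """Decode a HackerOne node ID, base64('gid://hackerone/<Type>/<n>'), into
    (<Type>, n). Raises ValueError for anything that does not match that shape."""
    raw = base64.b64decode(opaque_id, validate=True).decode("ascii")
    prefix = "gid://hackerone/"
    if not raw.startswith(prefix):
        raise ValueError(f"not a HackerOne global id: {raw!r}")
    kind, sep, number = raw[len(prefix):].partition("/")
    if not sep or not number.isdigit():
        raise ValueError(f"malformed global id: {raw!r}")
    return kind, int(number)


# Identifiers taken from the appendix table and the WeHost.gg / SpyderProxy sections.
DISCORD_IDS = {
    "Energyweaponuser": 475686180491493386,
    "Unknownclay": 1081879698474287144,
    "33guy (WeHost.gg Discord)": 1136575220178747392,
    "SpriteLover (SpyderProxy Discord)": 400291893075771392,
}
HACKERONE_IDS = {
    "machineroot1337": "Z2lkOi8vaGFja2Vyb25lL1VzZXIvMTY4ODIxNw==",
    "unknownclay": "Z2lkOi8vaGFja2Vyb25lL1VzZXIvMTA3Mzk4Nw==",
}


def report() -> dict:
    """Decoded creation times and numeric HackerOne user IDs, keyed by handle."""
    out = {}
    for handle, sid in DISCORD_IDS.items():
        out[handle] = discord_snowflake_time(sid).strftime("%Y-%m-%d %H:%M:%S UTC")
    for handle, gid in HACKERONE_IDS.items():
        out[handle + " (HackerOne)"] = hackerone_gid(gid)
    return out


if __name__ == "__main__":
    for handle, value in report().items():
        print(f"{handle:36} {value}")
```

The HackerOne numbers (1073987 for unknownclay, 1688217 for machineroot1337) are consistent with the registration dates the table gives (April 2020 and April 2021), which is the kind of internal cross-check worth running before an identifier is cited as a lead.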
2. Visual Map of EnergyWeaponUser (Pakistan-Based Actor)