Stay Ahead of Data Leaks – Discover the Invisible with StealthMole

About StealthMole

StealthMole is a cutting-edge AI-driven Dark Web threat intelligence platform built to enhance cybersecurity through advanced dark web monitoring and threat intelligence.

It offers a comprehensive suite of modules, including Dark Web Tracker, Telegram Tracker, Compromised Data Set, Combo Binder, Credential Lookout, ULP Binder, Ransomware Monitoring, Leaked Data Monitoring, Government Monitoring, and Defacement Alerts — all integrated into a single platform that enables powerful monitoring and efficient investigative capabilities.

Government Monitoring (GM)

StealthMole delivers weekly reports on government-related leaks found on the Dark Web and Deep Web. This information enables public authorities to take proactive measures to prevent further compromise of their organizations’ sensitive data and collaborate with appropriate agencies to investigate, identify, and prioritize key perpetrators.

Case Study: Aurorabchms – Threat Actor Active in Deep Net Carding Communities

On 17 May 2025, StealthMole’s weekly government leaks feed identified Aurorabchms offering a database linked to the Ministry of Foreign Affairs of the Kingdom of Saudi Arabia (mofa.gov.sa), purportedly containing over 1.4 million personal records. The database was advertised on the Craxpro[.]to carding forum on 1 May 2025, at 6:42 AM, with the threat actor sharing a gofile.io link for downloading a sample. Aurorabchms registered on Craxpro[.]to on 1 February 2025. Below are two screenshots: the first illustrates the identification of the threat actor Aurorabchms within StealthMole’s government leak feed, and the second pertains to the leak associated with the Ministry of Foreign Affairs of the Kingdom of Saudi Arabia (mofa.gov.sa).

StealthMole’s analysis indicates that the Ministry of Foreign Affairs of the Kingdom of Saudi Arabia (mofa.gov.sa) is linked to 204 results in the Credential Lookout (CL) module, 75,705 results in the Compromised Data Set (CDS) module, 273 results in the Combo Binder (CB) module, and 51,947 results in the ULP Binder (UB) module.

Notably, Saudi Arabia is recognized as a Middle Eastern country with robust cybersecurity measures. However, in 2025 alone, approximately eight datasets have been claimed by various cyber threat actors on notorious dark web and deep web forums, such as Xss[.]is and BreachForums[.]st.

As with any investigation, meticulously capturing evidence and verifying each data point in the threat actor’s listing is critical. In this instance, the sample file “oa0onm.zip”, identified on gofile.io (uploaded on 1 May 2025, at 3:01:37 AM), contains a distinct dataset related to compromised Chinese users. Additionally, Aurorabchms provides a Telegram handle (@trxcompressor) for contact, as depicted in the screenshot above.
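The sample-verification step described above, as an added example that is not StealthMole’s or the post author’s code: it inventories a downloaded sample archive, records the SHA-256 of each member before anything else is done with it, and measures what share of the e-mail addresses inside actually belong to the domain the seller claims. The archive, its file names and every record in it are constructed here so the script runs offline; the claimed domain (mofa.gov.sa) is the one from the listing, and the records are invented to reproduce the mismatch the post describes, a “Saudi MoFA” sample that mostly holds unrelated Chinese user data.

```python
"""Sanity-check a leaked-data "sample" against the seller's claim (added example)."""
import hashlib
import io
import re
import zipfile
from collections import Counter

# Captures the domain part of anything that looks like an e-mail address.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def build_constructed_sample() -> bytes:
    """In-memory zip standing in for a downloaded sample. All rows are constructed."""
    rows = [
        "id,name,email,phone",
        "1,Li Wei,liwei@example-cn.test,+86 139 0000 0001",
        "2,Wang Fang,wangfang@example-cn.test,+86 139 0000 0002",
        "3,Zhang Lei,zhanglei@example-cn.test,+86 139 0000 0003",
        "4,Chen Jing,chenjing@example-cn.test,+86 139 0000 0004",
        "5,Sample Contact,contact@mofa.gov.sa,+966 11 000 0000",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("users.csv", "\n".join(rows) + "\n")
        zf.writestr("README.txt", "FULL DB 1.4M RECORDS\n")
    return buf.getvalue()


def inventory(archive: bytes) -> list:
    """Name, size and SHA-256 of every member: capture evidence before analysing it."""
    out = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            out.append({"name": info.filename, "size": len(data),
                        "sha256": hashlib.sha256(data).hexdigest()})
    return out


def domain_profile(archive: bytes) -> Counter:
    """Count e-mail domains across all members of the archive."""
    counts = Counter()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            text = zf.read(info).decode("utf-8", errors="replace")
            counts.update(d.lower() for d in EMAIL_RE.findall(text))
    return counts


def claim_consistency(archive: bytes, claimed_domain: str) -> dict:
    """Share of addresses under the claimed victim domain (or its subdomains)."""
    counts = domain_profile(archive)
    total = sum(counts.values())
    matching = sum(n for d, n in counts.items()
                   if d == claimed_domain or d.endswith("." + claimed_domain))
    share = matching / total if total else 0.0
    return {"total_emails": total, "matching": matching, "share": share,
            "top_domains": counts.most_common(3),
            # Threshold is a judgement call; half is a conservative starting point.
            "verdict": "consistent" if share >= 0.5 else "mismatch"}


if __name__ == "__main__":
    sample = build_constructed_sample()
    print("archive sha256:", hashlib.sha256(sample).hexdigest())
    for m in inventory(sample):
        print(f"  {m['name']:<12} {m['size']:>6} B  {m['sha256'][:16]}...")
    print(claim_consistency(sample, "mofa.gov.sa"))
```

Run against the constructed sample, the report shows one address out of five under mofa.gov.sa and a verdict of “mismatch”; the same check with the dominant domain returns “consistent”. The hashes from `inventory()` are what you would record alongside the download timestamp so the finding can be reproduced later.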

Tracking Aurorabchms’ Activities Across Deep Net Forums

Using StealthMole, we conducted an in-depth investigation into Aurorabchms to uncover additional dataset leaks and their presence on Deep Net platforms. This analysis was facilitated by the Leaked Monitoring (LM) module, which revealed leaked datasets linked to China, New Zealand, and broader personal data shared on the Craxpro carding forum. A screenshot of these findings is provided below.

Tracing trxcompressor’s Activities on Telegram

The Telegram user trxcompressor, identified by the user ID 7710379190, has been active on the platform since March 2025. Their primary group of engagement is K7 СVV Оnline bаnking (Group ID: -1002116568496; t.me/K7CVVFA). Through Telegram OSINT tools, we mapped trxcompressor’s participation in several groups, predominantly focused on illicit activities such as trading stolen credit card data (CVVs) and cloned cards. A detailed overview of these groups is provided below.

| Telegram group name | Link / ID | Details |
|---|---|---|
| DАRK CHАT | t.me/darkchat555 / -1002094198886 | 2 messages posted by trxcompressor |
| K7 CVV Online banking | t.me/K7CVVFA / -1002116568496 | 3 messages posted by trxcompressor |
| Grаyhаt Eмpirе сhat | t.me/grayhatempire_chat / -1002459203557 | 1 message posted by trxcompressor |
| CуberaltsLounge | t.me/c/1898690742 | 2 messages posted by trxcompressor |
| Sаuce World🔥💳💵 | t.me/SauceWorldd / -1001532019494 | Topic: cloned cards; 4 messages posted by trxcompressor |
| id3n Family 🍭 [iden.fo] | t.me/idenfamily / -1001930549489 | 1 message posted by trxcompressor |
| Ваbuk Grоuр Оffiсials | t.me/BabukLockerGroups / -1002199157653 | No messages posted by trxcompressor |
| 🔒 VENОMОUS SЕLLERS | t.me/c/2280648545 | No messages posted by trxcompressor |

Through the StealthMole platform, we confirmed that trxcompressor is a member of the Ваbuk Grоuр Оffiсials Telegram group (Group ID: 2199157653; t.me/+tnJae796E8g2MDI9). According to a report by Rapid7.com, early 2025 saw the emergence of a Telegram channel promoting itself as Babuk Locker, despite the original Babuk group ceasing operations in 2021. Rapid7.com identified that the activities of this so-called Babuk Locker 2.0 are closely tied to two key groups—Skywave and Bjorka. These groups have been actively discussed on underground forums and Telegram channels, where they claim responsibility for cyberattacks and promote leaks associated with Babuk.

Since February 2025, Skywave has asserted control over at least five distinct Telegram channels, posting daily updates about their past and ongoing victims. Rapid7.com also discovered numerous newly created Telegram channels with names such as “Babuk Locker 2.0” and “Babuk 2.0 Ransomware Affiliates”. A technical analysis conducted by Rapid7.com on a malicious sample named “babuk.exe”, found on the “Babuk 2.0 Ransomware Affiliates” Telegram channel, revealed that it is linked to LockBit 3.0 (also known as LockBit Black). Rapid7.com concluded that threat actors are likely rebranding ransomware strains to mislead researchers, attract affiliates, or maintain a fresh public image. For more details on the deceptive rebranding of Babuk Locker 2.0, refer to Rapid7.com.

Using the StealthMole platform, we identified several Indicators of Compromise (IOCs) associated with the Ваbuk Grоuр Оffiсials group (ID: 2199157653; t.me/+tnJae796E8g2MDI9), of which trxcompressor is a member.

| Indicators of Compromise (IOCs) | Details |
|---|---|
| TOX ID | 022A7EEB83B648F55DA7A6BEFD130C2156C74F3501A31D853234EC2D18E77A1E5BEC7F602011 |
| Telegram channel | @LockerData / -1002028583462 (created on 13 March 2024; 10 subscribers) – linked to @lock (ID: 7023139424; +88809929292) |
| Telegram channel | @babuklockerV2 (inactive) |
| Telegram group | @BabukLockerGroups / -1002199157653; 180 members |
| Telegram user | @babuklocker (display name: 𝕊𝕜𝕪 𝕎𝕒𝕧e; ID: 6698585078; registered in November 2023) |

The Telegram group Ваbuk Grоuр Оffiсials (Group ID: 2199157653; t.me/+tnJae796E8g2MDI9) has been identified as disseminating leaked data from multiple victims across different regions. Notably, the group shared leaks related to various Chinese colleges and universities. A screenshot from the StealthMole platform, provided below, illustrates these findings and includes the associated Indicators of Compromise (IOCs).

The StealthMole platform recorded the precise timestamp (7 May 2025, 01:35:35 AM) when trxcompressor joined the Babuk Group Officials Telegram group (Group ID: 2199157653). The screenshot provided below highlights these details and reveals the claimed connection between Babuk Locker 2.0 and Qilin Ransomware in an attack targeting MALAYSIA AIRPORTS HOLDINGS BERHAD (malaysiaairports.com.my/en/).

Using the StealthMole platform, we conducted a comprehensive analysis of the Babuk Group Officials Telegram group (Group ID: 2199157653), identifying key details such as Telegram users, messages, TOR links, IP addresses, PGP-encrypted emails, ID cards (some including GPS coordinates), Bitcoin wallets, and leaked datasets. Through this investigation, we uncovered a PGP-encrypted email and a Bitcoin wallet associated with the group. A screenshot of these findings is provided below.

Additionally, we identified compromised ID cards embedded with GPS coordinates, which we mapped to countries including the Netherlands, Germany, Italy, and Turkey. These ID cards may have been stolen, with threat actors either neglecting to remove the metadata from the images or deliberately leaving it to mislead investigators. Based on our investigative expertise, the more likely scenario is that the ID cards were stolen, and the metadata was inadvertently left intact. A screenshot showcasing these ID cards, identified through their GPS coordinates, is provided below via the StealthMole platform.
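The metadata check behind the GPS-tagged ID cards above, as an added example that is not StealthMole’s or the post author’s code. It walks the EXIF/TIFF layout of a JPEG (APP1 segment, IFD0, the GPSInfo pointer tag 0x8825, then GPS tags 1 to 4), converts the degree/minute/second rationals to signed decimal degrees, and also shows the defensive counterpart, stripping the Exif segment before an image is shared. Since the script must run offline, a minimal JPEG with only the EXIF block is constructed inside it, and the coordinates fed to it are invented test values, not anything from the investigation.

```python
"""Read and strip GPS coordinates from a JPEG's EXIF block (added example)."""
import struct

GPS_IFD_POINTER = 0x8825         # IFD0 tag holding the offset of the GPS IFD
ASCII, LONG, RATIONAL = 2, 4, 5  # the EXIF field types used here


def _dms_rationals(value):
    """abs(decimal degrees) -> big-endian RATIONALs deg/1, min/1, (sec*100)/100."""
    value = abs(value)
    deg = int(value)
    mins_f = (value - deg) * 60
    mins = int(mins_f)
    return struct.pack(">IIIIII", deg, 1, mins, 1, round((mins_f - mins) * 6000), 100)


def build_constructed_jpeg(lat, lon):
    """Constructed stand-in for a photo: SOI, one APP1/Exif segment with a GPS IFD, EOI."""
    gps_off = 8 + 2 + 12 + 4             # IFD0 (one entry) sits at TIFF offset 8
    data_off = gps_off + 2 + 4 * 12 + 4  # GPS IFD has four entries; rationals follow it
    entry = lambda tag, typ, count, val: struct.pack(">HHI", tag, typ, count) + val
    ifd0 = (struct.pack(">H", 1)
            + entry(GPS_IFD_POINTER, LONG, 1, struct.pack(">I", gps_off)) + b"\0" * 4)
    gps = (struct.pack(">H", 4)
           + entry(1, ASCII, 2, (b"N" if lat >= 0 else b"S") + b"\0" * 3)
           + entry(2, RATIONAL, 3, struct.pack(">I", data_off))
           + entry(3, ASCII, 2, (b"E" if lon >= 0 else b"W") + b"\0" * 3)
           + entry(4, RATIONAL, 3, struct.pack(">I", data_off + 24))
           + b"\0" * 4)
    tiff = b"MM\0\x2a" + struct.pack(">I", 8) + ifd0 + gps
    app1 = b"Exif\0\0" + tiff + _dms_rationals(lat) + _dms_rationals(lon)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _exif_segments(jpeg):
    """Yield (start, end) of every APP1/Exif segment that precedes the image data."""
    pos = 2                                   # skip SOI
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI or SOS: no more metadata segments
            return
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            yield pos, end
        pos = end


def strip_exif(jpeg):
    """Copy of the JPEG with every Exif segment removed (what a careful uploader shares)."""
    out, pos = b"", 0
    for start, end in _exif_segments(jpeg):
        out, pos = out + jpeg[pos:start], end
    return out + jpeg[pos:]


def _read_ifd(tiff, off, en):
    """One IFD -> {tag: (type, count, raw 4-byte value-or-offset)}."""
    (n,) = struct.unpack(en + "H", tiff[off:off + 2])
    ents = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count = struct.unpack(en + "HHI", tiff[e:e + 8])
        ents[tag] = (typ, count, tiff[e + 8:e + 12])
    return ents


def _dms(tiff, en, raw):
    """Three RATIONALs (deg, min, sec) at the offset held in raw -> decimal degrees."""
    (off,) = struct.unpack(en + "I", raw)
    p = struct.unpack(en + "IIIIII", tiff[off:off + 24])
    d, m, s = (p[i] / p[i + 1] if p[i + 1] else 0.0 for i in (0, 2, 4))
    return d + m / 60 + s / 3600


def extract_gps(jpeg):
    """(lat, lon) in signed decimal degrees, or None when no usable GPS IFD is present."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    try:
        start, end = next(_exif_segments(jpeg))
        tiff = jpeg[start + 10:end]                      # after marker, length, "Exif\0\0"
        en = {b"II": "<", b"MM": ">"}[tiff[:2]]          # TIFF byte order
        ifd0 = _read_ifd(tiff, struct.unpack(en + "I", tiff[4:8])[0], en)
        gps = _read_ifd(tiff, struct.unpack(en + "I", ifd0[GPS_IFD_POINTER][2])[0], en)
        lat = _dms(tiff, en, gps[2][2]) * (-1 if gps[1][2][:1] == b"S" else 1)
        lon = _dms(tiff, en, gps[4][2]) * (-1 if gps[3][2][:1] == b"W" else 1)
    except (StopIteration, KeyError, struct.error):   # no Exif, no GPS IFD, or truncated
        return None
    return round(lat, 6), round(lon, 6)


if __name__ == "__main__":
    photo = build_constructed_jpeg(52.370216, 4.895168)   # constructed coordinates
    print("GPS in original:", extract_gps(photo))
    print("GPS after strip:", extract_gps(strip_exif(photo)))
```

The same `extract_gps()` works on a real camera JPEG read from disk, because it only depends on the APP1/TIFF structure, not on the image data; the constructed builder exists solely so the example is self-contained. Seconds are stored to a hundredth in the builder, so a round trip agrees with the input to roughly a metre.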

Broadening OSINT Investigations into trxcompressor

Extended OSINT searches on trxcompressor revealed an account on demonforums.net, registered in May 2025. On this platform, the user was found selling regiocheck.com (Austria Business Data), with a post dated 2 May 2025, at 12:57 AM. Trxcompressor included a link to their Telegram account and a Telegram group, “HIJACKERZ Chat” (t.me/+5I9TJpHd1bU0ZWFk). A screenshot of these findings is provided below.

The Telegram group “HIJACKERZ Chat” (established on 14 March 2025) had 239 members as of 21 May 2025. The group is a hub for sharing leaked datasets, including infostealer data such as Coinbase and PayPal logs, and offers KYC documents from multiple countries for sale. The primary contacts are trxcompressor and wickybachman (User ID: 5648913744), with wickybachman also providing a Signal ID (blackfridaystub.12). Wickybachman claims to be a verified vendor from Evo Market and Wicky Bay Forum (t.me/wickybay, Group ID: -1002331687872), though the latter was suspended by Telegram for violating its Terms of Service.

Through our analysis, we identified several high-value leaked datasets shared within the “HIJACKERZ Chat” Telegram group, including:

  • A sample of the Ministry of Foreign Affairs of the Kingdom of Saudi Arabia (mofa.gov.sa) database, posted on 6 May 2025, at 4:14:18 PM.
  • A 21GB dataset from the Jakarta Government website, posted on 8 May 2025, at 4:36:09 PM.
  • An NHS UK SQL database.
  • A 630 million Chinese user database from China Telecom.
  • A Binance 2025 dataset containing phone numbers from users in the U.S., Spain, Australia, and Germany.
  • A 2TB dataset from Malaysia Airports Holdings Berhad, posted on 12 May 2025.
  • A 3.8 million Thailand citizen dataset.
  • Coinbase logs from France (350K), Australia (565K), U.S.A. (600K), Italy (1.5M), Canada (72K), and Germany (55K).
  • A 5.9TB dataset from the Ministry of Finance of Thailand (2024), posted on 15 May 2025, and offered for $2,000 USD.
  • An 8 million Thai passport dataset.
  • A Discord Nitro Gift codes checker.
  • A 1.4 million company dataset from regiocheck.com (Austria Business Data), posted on 17 May 2025.
  • An 8TB China Intellectual Property Rights Database (2024).
  • An FBI doxing dataset.
  • A dataset of over 3 million customers from Interbank Peru.
  • A 9GB NATO sensitive information leak.
  • A Mazaya Qatar dataset.
  • A 90GB dataset from the Ministry of Defense of the Republic of Korea.

Wickybachman was found to maintain a significant presence across both the Surface Web and Deep Web. A summary table of their activities and affiliations is provided below.

| Platform | Username / ID | Notable Details |
|---|---|---|
| Facebook | sal.way.54064 | Photos of an individual point to an African country. Listed “Lives in” location: Bennington, Vermont (highly likely fake or misleading). Listed “From” location: Philadelphia, Pennsylvania (highly likely fake or misleading). Associated Facebook page: “XSVS CRIME TIME”. Active Facebook group: “Documents Editing Service (Image, PDF, etc)”. |
| Facebook | 679283431926294 | Display name: XSVS CRIME TIME. Registration date: 8 May 2025. Listed address: 3648 Ashford Creek Pl, Atlanta, GA, United States (highly likely fake or misleading). Listed email: ogsgdoxck7283@gmail.com. Linked account: associated with the Telegram handle @wickybachman. |
| cracking.org | hijackr.589665 | Profile photo: matches the profile image used by the Telegram group “HIJACKERZ Chat”. Linked account: connected to the Telegram handle @wickybachman. |
| crdpro.cc | wickybachman | Listed as spammer / potential scammer. |

An additional account linked to trxcompressor was discovered on patched.to (User ID: 478659; registered on 30 March 2025) under the username “trvck7”. The user trvck7 was found to be selling the same database containing 1.4 million personal records from the Ministry of Foreign Affairs of the Kingdom of Saudi Arabia (mofa.gov.sa), while explicitly linking to the Telegram handle trxcompressor. A screenshot of these findings is provided below.

Tracing Connections from trxcompressor to wickybachman to Aurorabchms

Through an in-depth investigation into the historical usernames and display names associated with wickybachman (Telegram User ID: 5648913744), we established that wickybachman is the same entity as Aurorabchms. Our analysis revealed the following historical usernames and display names used by wickybachman on Telegram, detailed below.

| Username | Date | Display Name | Date |
|---|---|---|---|
| wickybachman | 16 July 2024 | Wiсky Baсhmаns | 20 May 2025 |
| Abachmans | 21 December 2023 | Wicky | 16 July 2024 |
| MrStacks7 | 24 October 2023 | Aurоrа | 16 July 2024 |
| Mrblackcplugs | N/A | RеdDdg | 21 December 2023 |
| N/A | N/A | АuroraBachmans | 21 December 2023 |
| N/A | N/A | MRSTАСKz SUB | 5 November 2023 |

Wickybachman was identified as maintaining accounts on Matrix.org and GitHub (User ID: 205972784) under the same username. Their Telegram activity, spanning from 5 November 2022 to 30 March 2025, includes at least 516 messages across 49 Telegram groups. A summary table highlighting key Telegram groups relevant to their activity is provided below.

| Telegram group (link / ID) | Details |
|---|---|
| LОGS & АCСS MАRKET (t.me/DealOTC / -1002147469311) | 2 messages posted by wickybachman |
| Leads4U – FX/Crypto Traffic & Leads (CPA CPL) (t.me/LeadsAreUs / -1001625050503) | 4 messages posted by wickybachman |
| Card.ing аnd mоrе (t.me/+pwjf0iPnfT8wYWNh) | 1 message posted by wickybachman |
| VENOMOUS SЕLLЕRS 🚬 (t.me/c/2280648545) | 1 message posted by wickybachman |
| 💎RIСОCHET РЫНОK🔝 (t.me/+Z0B9Qixy8481YzQ0) | 1 message posted by wickybachman |
| Аnonумous Сolleсt.. (t.me/c/2054373014) | 5 messages posted by wickybachman |
| Kаrма Lounge (t.me/c/2440912399) | 2 messages posted by wickybachman |
| REаL MoTiоn GeTTe.. (t.me/realmotiongetters25) | 2 messages posted by wickybachman; no longer present in the channel |
| 𝙎𝙥𝙖𝙢𝙢𝙚𝙧𝙯.. (t.me/c/2184864767) | 7 messages posted by wickybachman |
| NухNеt Chat (t.me/c/2004385822) | 3 messages posted by wickybachman |
| DVWG 🦴 LØVЕRS (t.me/c/2152157501) | 16 messages posted by wickybachman |
| Fоrеx/crypto Lеad.. (t.me/forextraffi) | 1 message posted by wickybachman |
| ANTI_SCAM ВRОTНЕRS.. (t.me/+yrH8fvu36KUxOGJh) | 1 message posted by wickybachman |
| 🏧MОTIОN MATTERS🏧 (t.me/c/1656714088) | 3 messages posted by wickybachman |
| 🚩Нacking сhannеl🚩 (t.me/c/1778961292) | 2 messages posted by wickybachman |
| а🅽amakа Rесоrding (t.me/c/1179554343) | 1 message posted by wickybachman |
| ОTРВОT DISСUSSION (t.me/c/1988958349) | 13 messages posted by wickybachman |
| ᙖᙀSSI🍔 (t.me/c/2136316725) | 3 messages posted by wickybachman |
| CivilityBrеaсhеs.. (t.me/whoreactvity) | 1 message posted by wickybachman |
| DocsMafia Chat 🗣 (t.me/docsmafia_chat) | 29 messages posted by wickybachman; no longer active in this group |
| B.L.A.C.K.F.R.I.D.A.Y. ️ S.T.U.B. (t.me/cplugs) | 96 messages posted by wickybachman |
| Tԋҽ Sƚҽɯɱαƙҽɾ (t.me/Thestewmaker) | 1 message posted by wickybachman; no longer active in this group |
| SteаlthVарe 🇸🇬 (t.me/StealthVape; suspended by Telegram) | 7 messages posted by wickybachman; geolocation: Singapore |
| СrdРro Сarders (t.me/c/1594157793) | 49 messages posted by wickybachman |
| Bjоrka Sрirit (t.me/c/2356544496) | No messages |
| UK SALES MARKET SERVICES🇬🇧🇮🇸🇮🇪🇺🇸🏴 🏴 (t.me/unitedkingdomservicesworldwide) | No messages; geolocation: United Kingdom; no longer active in this group |
| 🇸🇬 Sg Vape Wong 🇸🇬 (t.me/fretialv15388) | No messages; geolocation: Singapore; no longer active in this group |
| FeShop cc shop (underground outlet) (t.me/feshopunderout) | No messages; no longer active in this group |
| Leaks & Breaches [ Databases – Emails – B2B – B2C ] (t.me/Leaked_BreachDBS) | No messages |
| SCAMS NO GRAMS👽 (t.me/sCams_No_GRAMSS1) | No messages |
| GHANА 🇬🇭 GIST Chat (t.me/c/2067195912) | No messages; geolocation: Ghana |
| Jacuzzi Customer Sevice (t.me/JacuzziSpa) | Geolocation: Preah Sihanouk, Cambodia |
| vaрe Express Sg (t.me/c/2089153928) | No messages; geolocation: Singapore |
| CARDING MARKET (t.me/crdmrket) | No messages; no longer active in this group |
| UNITED STATES 🇺🇸 – US (t.me/ussamples) | No messages; leaked data about U.S. citizens; no longer active in this group |
| Vоntр Sg Vаpе 🇸🇬 (t.me/c/1606157877) | No messages; no longer active in this group |
| JOKЕR’S STASH💰 (t.me/c/1912320309) | No messages; no longer active in this group |
| Raidforums \| Discussion (t.me/RFrepoV1Chat) | No messages |
| RAIDFORUMS INDO CYBER (t.me/raidforumsindouser) | No messages; geolocation: Indonesia |
| SG VAРEuniversе (t.me/SG_UniverseVAPE) | No messages; geolocation: Singapore; no longer active in this group |
| W I C K У B A У📟 Сhat (t.me/wickybay) | No messages; no longer active in this group |

Intelligence Analysis of Wickybachman’s Cybercriminal Activities

An in-depth intelligence analysis of 516 messages posted by Wickybachman across various Telegram groups provides critical insights into their profile, operations, and motivations.

Profile and Affiliations

  • Platform Activity: The user is active on Telegram, engaging in multiple groups and channels focused on cybercrime, including data trading, hacking, carding, and financial fraud. Examples include groups like “LOGS & ACCS MARKET”, “Card.ing and more”, “Leads4U”, “VENOMOUS SELLERS”, and “CrdPro Carders Lounge”.
  • Group Affiliations: The user is likely part of a loosely organized cybercriminal network, as evidenced by their engagement in chats with names like “Anonymous Collective Chat” “NyxNet Chat”, and “Spammerz Chat Group”. These groups suggest a community of individuals sharing tools, data, and methods for illicit activities.
  • Handles and Contacts: Wickybachman is linked to the Telegram handles @Wickybachman and @Mrblackcplugs, as well as the Signal ID “blackfridaystub.12”. These identifiers are consistently associated with the sale of stolen data and illicit services.

Activities and Tradecraft

  • Data Trading: The user is involved in buying and selling various types of stolen data, including:
    • Shipping Label Accounts: Offering accounts for FEDEX, USPS, UPS, and DHL.
    • Private Databases: Seeking high-quality databases from over 100 countries, covering personal information (SSN, DL, passports, selfies), crypto exchanges, gambling, forex, B2B, social media, and banking data (e.g., messages from 17 March 2025 across multiple groups).
    • KYC Documents: Trading real individuals’ documents (passports, driver’s licenses, ID cards) from countries like Poland, Romania, Belarus, and others for KYC verification bypass (e.g., messages from @LeadsAreUs and @forextraffi on 26 January 2025).
    • Credit Card Data: Offering and seeking credit card databases with details like card numbers, CVV, and personal information (e.g., message from DVWG LØVERS on 8 January 2025).
    • Bank Logs and ACH Logs: Trading bank account credentials linked to platforms like Plaid, including Navy Federal Credit Union, Vystar, and others (e.g., messages from @StealthVape and @cplugs on 21 July 2023).

Financial Fraud: The user engages in or facilitates financial fraud schemes, such as:

  • Debt Clearance Scams: Offering to clear maxed-out debts (e.g., house rent, car debts, mortgages) instantly, which is likely a scam (e.g., messages from @docsmafia_chat and @cplugs from 19 September 2023 to 1 November 2023).
  • Tax Refund and ERC Methods: Selling methods for tax refund fraud and Employee Retention Credit (ERC) scams (e.g., messages from @cplugs on 24 July 2023).
  • Credit Card Top-Ups and Cashouts: Seeking aged bank accounts and credit cards for same-day cashouts or high-value transfers (e.g., messages from @cplugs and @richovernight10 from 2022–2023).

Hacking and Tools: The user is involved in hacking-related activities, including:

  • Offering SMTP cracking tools and cracked accounts (e.g., NyxNet Chat on 30 November 2024).
  • Trading Telegram RATs (remote access tools) and other hacking tools (e.g., @vapGlobalchat on 9 November 2024).
  • Discussing spoofed calls and OTP bots for bypassing authentication (e.g., Hacking channel on 7 January 2025 and OTPBOT DISCUSSION on 20 December 2024).

Scamming and Disputes: Operating in a scam-heavy environment, Wickybachman is likely involved in deceptive practices and frequently faces accusations of being a “ripper” or scammer, reflecting the contentious nature of their interactions.

Motivations and Goals

  • Financial Gain: The primary motivation appears to be financial profit through the sale of stolen data, fraudulent financial transactions, and hacking services. The user frequently emphasizes quick cashouts, high-value hits (e.g., $19k, $60k drops), and instant payments.
  • Community and Reputation: The user seeks to build credibility within the cybercrime community, as seen in offers of “live proof” (e.g., @cplugs on 21 July 2023) and claims of not sharing “the same shit as others” (e.g., @LeadsAreUs on 30 January 2025). However, accusations of scamming indicate a precarious reputation.

Behavioral Patterns

  • Frequent Posting: The user is highly active, posting across multiple groups over an extended period (2022–2025), indicating a sustained commitment to cybercrime.
  • Diverse Interests: The user engages in a wide range of illicit activities, from data trading to financial fraud and hacking, suggesting adaptability and opportunism.
  • Conflict-Prone: The user frequently engages in disputes, accusing others of scamming or incompetence (e.g., CrdPro Carders Lounge on 26 June 2023, OTPBOT DISCUSSION on 20 December 2024), which may reflect a combative personality or a reaction to being scammed.
  • Deal-Oriented: The user’s messages often include calls to action (e.g., “Inbox me”, “Slide this way”) and emphasize quick deals, indicating a focus on immediate transactions.

Potential Indicators of Identity

  • Geographic Clues: The user’s activities span data from over 100 countries, but there’s a strong focus on U.S.-based targets (e.g., SSN, DL, U.S. bank logs).
  • Language and Tone: The user employs informal, slang-heavy language (e.g., “niqqahs”, “fam”, “slide this way”) and aggressive or mocking tones (e.g., “ur brain looks like under the bed”).
  • Technical Knowledge: The user demonstrates familiarity with cybercrime tools and methods (e.g., SMTP cracking, Telegram RATs, Plaid-linked bank logs), suggesting at least moderate technical expertise.

Broadening Investigations Using Telegram-Derived Leads

Further analysis of Wickybachman’s Telegram activity revealed a WhatsApp phone number, +18135402481, registered as a landline in Florida (Carrier: BANDWIDTH.COM-NSR-10X/1). A screenshot documenting this finding is provided below.

Leveraging Osint.Industries, we confirmed that the phone number is registered on the platforms/services listed below.

| Platform | Details |
|---|---|
| Facebook | N/A |
| WhatsApp | N/A |
| Instagram | N/A |
| EyeCon | Name: Mr Black Loader |
| ATNT | Location: TAMPAEST FLORIDA |
| CallApp | Name: Sandy |

Additional investigations were performed on the email ogsgdoxck7283@gmail.com, associated with the Facebook page “XSVS CRIME TIME” and linked to Wickybachman. A summary table of the findings, generated using Osint.Industries, and osint.lolarchiver.com (who provided additional metadata for GitHub) is provided below.

| Platform | Details |
|---|---|
| Spirit Airlines (U.S. airline company) | Travis Mcateer / ID: 24825701 |
| Adobe | Authentication provider: Google |
| Glovo (food delivery) | N/A |
| Freelancer | N/A |
| Instagram | N/A |
| WordPress | N/A |
| GitHub | Username: wickybachman (ID: 205972784); registered: 2 April 2025; updated on: 2025-05-22T18:05:38Z |
| Google | ID: 102952259894708250631; last updated: 2025/04/25 15:36:41 (UTC) |

Uncovering Wickybachman’s Digital Footprint Through Breach Data Analysis

Breach data investigations have uncovered the following relevant details associated with Wickybachman.

| Breached Dataset | Details |
|---|---|
| RaidForums, 2020 | Email: wickybays@gmail.com; DOB: 15-3-1985; nickname: wickybays / ID: 202151 |
| Bitrix24, 2022 (Russian service) | Email: wickybays@gmail.com |

The email wickybays@gmail.com was identified as being registered on the platforms listed below, as determined through Osint.Industries.

| Platform | Notable Details |
|---|---|
| Google | ID: 103574123938145905860 |
| GitHub | N/A |
| SeoClerks | N/A |
| Dropbox | ID: AABYnDVWoFFUQ6WllkKOtddbCKpZSSMZ2a4; name: LTGroup-technology technology |
| PayPal | Phone hint: +16 *** 5021 |

Cryptocurrency Analysis – Tracing Financial Transactions

Our investigation identified a cryptocurrency wallet linked to Wickybachman, which was analyzed and tagged in AMLBot.com. The wallet has received over $8,000 USD. Our findings show that the threat actor primarily transfers funds to a Binance account (accounting for 97% of the funds) and a BitAfrika.com account (an exchange headquartered in Accra, Ghana; operating in Ghana and Nigeria).

Intelligence Conclusion: Assessing the Cyber Threat Actor – Aurorabchms

Based on a comprehensive analysis of the available data, we assess with moderate certainty that the individual operating under the aliases trxcompressor, wickybachman, and Aurorabchms is likely based in Africa and is highly likely engaged in scam operations, primarily focused on aggregating, reposting, and selling or reselling leaked datasets previously exposed on Dark Web, Deep Web forums, or Telegram groups and channels.

Key Supporting Evidence:

  • Unified Identity Across Aliases:
    • Historical username and display name analysis confirms that wickybachman (Telegram User ID: 5648913744) is the same entity as Aurorabchms, with trxcompressor (Telegram User ID: 7710379190) closely linked through shared activities and contact points (e.g., Telegram handle @trxcompressor referenced by wickybachman in “HIJACKERZ Chat”). This convergence of identities across platforms (e.g., Telegram, demonforums.net, Matrix.org, GitHub) suggests a single actor.
  • Geographic Indicators Pointing to Africa:
    • Facebook Photos: Images from the “way.54064” Facebook account, associated with wickybachman, portray an individual identified as “Salaway Gariba” from Accra, Ghana, with one photo containing an embedded timestamp of 6 November 2021. Furthermore, an analysis of the account’s Facebook friends, considering their number and geographic distribution, strongly suggests a primary location in Accra, Ghana.
    • Membership in Ghana-Focused Telegram Group: The actor’s historical membership in the “GHANА GIST Chat” Telegram group.
    • Cryptocurrency Transactions via BitAfrika: The actor’s cryptocurrency wallet, flagged on AMLBot.com, shows funds transferred to BitAfrika.com (a Ghana-based exchange) for 3% of transactions, with 97% going to Binance. BitAfrika’s operation in Ghana and Nigeria, combined with West Africa’s noted prevalence in crypto-related scams, supports the hypothesis of an African operational base, likely in Ghana.
  • Behavioral Patterns and Modus Operandi:
    • Slang and Communication Style: The actor employs informal, gang-related slang (e.g., “niqqahs”, “fam”, “slide this way”) and an aggressive tone (e.g., “ur brain looks like under the bed”), consistent with cybercrime communities in West Africa, particularly in “hustle kingdoms” known for training scammers.
    • Urgency and Deal-Oriented Approach: The actor’s insistence on quick deals, frequent calls to action (e.g., “Inbox me”, “Slide this way”), and pressure to send money or details align with scam tactics designed to exploit trust and haste.
    • Scam Operations: The actor’s involvement in debt clearance scams (e.g., promising instant clearing of house rent, car debts, mortgages) and accusations of being a “ripper” (e.g., CrdPro Carders Lounge, OTPBOT DISCUSSION) indicate a high likelihood of engaging in fraudulent schemes.
  • Leaked Data Aggregation and Reselling:
    • The actor’s posts in “HIJACKERZ Chat” and other forums include datasets previously leaked elsewhere, such as the mofa.gov.sa database, NHS UK SQL database, and Binance 2025 dataset. The diversity of datasets (e.g., Thailand passports, China Telecom, NATO leaks) suggests the actor aggregates data from multiple sources, repackaging and reselling them for profit (e.g., Thailand Ministry of Finance dataset sold for $2,000 USD).
    • The presence of mismatched samples (e.g., “oa0onm.zip” containing Chinese user data instead of mofa.gov.sa data) indicates either sloppy tradecraft or intentional deception, both consistent with scam operations.

Assessment and Confidence Level:

We assess with moderate certainty that the individual is based in Africa, likely Accra, Ghana, due to the combination of photographic evidence, Telegram group affiliations, cryptocurrency transactions via BitAfrika, and West African cybercrime patterns. The high likelihood of engagement in scam operations stems from the actor’s scam-heavy environment, fraudulent offerings (e.g., debt clearance), and accusations of ripping off others. Their role in aggregating and reselling leaked datasets is evident from the rapid reposting of data across Telegram and Deep Web forums, often with minimal verification of content, aligning with opportunistic cybercrime tactics.

Limitations and Uncertainties:

  • The exact physical location in Accra, Ghana remains unconfirmed.
  • The actor’s technical sophistication is moderate, suggesting they may rely on others’ leaks rather than generating original breaches.
  • The possibility of a coordinated group rather than a single individual cannot be ruled out, though the consistent use of aliases supports a primary actor.

Recommendations:

  • Law Enforcement Action: Prioritize investigation of Telegram accounts @wickybachman, @trxcompressor, and associated accounts (e.g., GitHub ID 205972784) for further intelligence. The WhatsApp number (+18135402481) and email (ogsgdoxck7283@gmail.com) should be investigated for additional leads.
  • Cryptocurrency Tracking: Subpoena the flagged accounts on Binance and BitAfrika to identify KYC information and metadata.
  • Platform Disruption: Collaborate with Telegram to suspend accounts, groups, and channels, disrupting their data trading operations.
  • Victim Notification: Alert affected entities (e.g., Saudi Arabia’s Ministry of Foreign Affairs, Malaysia Airports Holdings Berhad) to mitigate further data exposure.

This conclusion reflects a robust synthesis of multi-platform data, tempered by the need for further verification to elevate confidence in the actor’s precise location and operational structure.
