{
	"id": "f9683a81-89fd-4874-84b1-2e72deb4cacf",
	"created_at": "2026-04-06T00:09:58.545284Z",
	"updated_at": "2026-04-10T03:38:19.565244Z",
	"deleted_at": null,
	"sha1_hash": "1a062dbe6bab59fb50ccfc5a72dac1a6300c8062",
	"title": "What is Pastebin and Why Do Hackers Love It?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 243313,
	"plain_text": "What is Pastebin and Why Do Hackers Love It?\r\nBy Alex Ciarniello\r\nArchived: 2026-04-05 19:40:51 UTC\r\nAlex Ciarniello September 24, 2019\r\nPastebin is a website that allows users to share plain text through public posts called “pastes.” The site currently\r\nhas 17 million unique monthly users. Why is it so popular, and where did it come from?\r\nThere are many similar web applications, known as “paste sites,” that have developed since the original Pastebin\r\nwas launched in 2002. The need for Pastebin rose out of user activity on the Internet Relay Chat (IRC). IRC is an\r\ninstant messaging application launched in 1988. It’s designed for a large user base to communicate in real-time,\r\nand is popular for sharing plain text, including blocks of source code.\r\nCodesharing directly in IRC channels (and other messaging applications) disrupts the flow of messages or can\r\nalter the code itself. Users require a third-party site where they can share plain text blocks as a link, allowing other\r\nusers to easily access and edit it. Enter: paste sites.\r\nWhile paste sites mainly support innocuous text-sharing, they have also become popular platforms for illegal\r\nactivities, such as leaking breached data.\r\nWhat do people share on Pastebin and other paste sites?\r\nPaste sites are commonly used for sharing code. However, any data in text form can be uploaded and shared.\r\nUsers can use the Pastebin search tool to find relevant content based on keyword. 
The following are some\r\ncommon paste site uses:\r\nAs an alternative to sharing text files in applications like Google Docs\r\nTwitter users sharing updates longer than the 140 character limit often tweet a paste link with the complete\r\ntext\r\nUploading source code for the purpose of sharing or review/collaboration\r\nhttps://web.archive.org/web/20201107203304/https://www.echosec.net/blog/what-is-pastebin-and-why-do-hackers-love-it\r\nPage 1 of 4\n\nSpam/site promotion\r\nRe-publishing text that has been removed from other sites\r\nSharing dark web links\r\nPublicizing breached data and other sensitive information\r\nHow do adversaries use paste sites?\r\nAs might be clear from the list above, paste sites are often used for nefarious purposes. In fact, Pastebin was\r\nsold to its current owner Jeroen Vader in 2009 after the site was shut down due to a Hotmail data breach.\r\nPastebin’s FAQ page currently prohibits posting:\r\nEmail addresses and password lists\r\nLogin details\r\nStolen source code\r\nHacked data\r\nCopyrighted information\r\nBanking, credit card, or financial information\r\nPersonal information\r\nPornographic information\r\nSpam links, including site promotion\r\nThese items are examples of how paste sites are used by malicious hackers. Pastebin specifically is user-friendly,\r\nsupports large text files, doesn’t require user registration, and allows for anonymous posting if the user has a VPN.\r\nIt also relies on users for reporting abuses, which means non-compliant pastes are not always flagged or removed\r\nimmediately. This allows black hat hackers to easily and anonymously leak data in an accessible place.\r\nPastebin and similar sites are hosted on the deep web. This means that they’re viewable in a regular internet\r\nbrowser, but the content is not indexed by Google and other conventional search engines. 
Users must use the site’s\r\ninternal keyword search tool to find specific content, or get paste links directly from other users.\r\nThere are also paste sites on the dark web that offer heightened anonymity through a Tor browser, catering\r\nexclusively to illegal activity. For example, the dark web’s DeepPaste is primarily used for advertising illegal\r\ngoods or services (e.g. financial fraud, ransomware, child pornography, human trafficking, narcotics), and\r\npersonally identifiable information breaches (doxxing). Site admins are prohibited from censoring or deleting\r\ncontent, which means that pretty much anything goes.\r\nWhat has been leaked on paste sites?\r\nHere are a few headline-worthy leaks discovered on Pastebin and DeepPaste.\r\nSony Pictures\r\nIn October 2014, Sony Pictures’ computer systems were hacked by a group known as Guardians of Peace (GOP).\r\nThe hack leaked a large amount of data to Pastebin, including employee information for over a million\r\nindividuals, upcoming production details, and music codes. Pastebin was inundated with traffic as links to this\r\ninformation were uploaded.\r\nInfragard\r\nAnother hacker group known as LulzSec leaked the user base of Infragard, an FBI affiliate based in Atlanta, on\r\nPastebin. 180 of Infragard’s logins were exposed, as well as email communications that revealed sensitive intel\r\nabout a U.S. operation to control Libyan cyberspace.\r\nGoogle vs. Facebook\r\nPastebin’s highest ever traffic volume occurred in May 2011 after a user posted email correspondence between a\r\nFacebook-backed PR agency and Chris Soghoian, an internet security blogger. 
In the emails, the agency declined\r\nto disclose their client (Facebook), and pitched an anti-Google op-ed piece questioning Google’s user privacy\r\nstandards.\r\nRing\r\nIn December 2019, Amazon Ring customers were compromised in a public breach posted to DeepPaste. The\r\nbreach leaked data for over 3,000 sold cameras, including the customer emails and passwords. This data enabled\r\nhackers to access customer addresses, camera footage, and financial data.\r\nPaste sites and Beacon\r\nPaste sites are valuable data sources for cybersecurity teams and public safety officials seeking threat intelligence.\r\nInformation linked to security breaches, doxxing or personal information leaks, hacked financial data, stolen\r\nsource code, and other criminal activity is all useful for investigating cyber crimes and mitigating threats.\r\nGiven that paste sites are hosted on the deep and dark web, finding relevant content is cumbersome and\r\npotentially dangerous without specialized search tools. Pastes might also be taken down by moderated sites before\r\nyou are able to find their links.\r\nThese challenges necessitate tools that can search for relevant data on unindexed websites like Pastebin and dark\r\nwebsites like DeepPaste. Echosec Systems’ dark web tool, Beacon, also indexes deep websites like Pastebin. Users\r\ncan search unindexed content on the deep and dark web by keyword and other search filters, and separate data\r\nspecifically crawled from paste site sources. Relevant pastes are easier and faster to find—and if they’ve been\r\nremoved by moderators, the content is still viewable within Beacon, as long as retaining that paste is in\r\ncompliance with Pastebin’s terms of use. 
\r\nIn addition to data discovery tools like Beacon, Echosec Systems also offers a proprietary Platform API, which\r\nuses AI classifiers to find data breaches and toxicity on Pastebin and DeepPaste. The API gives Beacon users\r\nbroader data access to these sources than other commercial APIs. It can also be used independently as a raw data\r\nsource to support organizations with existing threat intelligence tools.\r\nThe dark web isn’t the only place with relevant intel for threat detection. Open websites like Pastebin have\r\nbecome popular sites for hackers to leak sensitive information. Being able to quickly and easily access this\r\ninformation requires advanced threat discovery tools.\r\nSource: https://web.archive.org/web/20201107203304/https://www.echosec.net/blog/what-is-pastebin-and-why-do-hackers-love-it",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20201107203304/https://www.echosec.net/blog/what-is-pastebin-and-why-do-hackers-love-it"
	],
	"report_names": [
		"what-is-pastebin-and-why-do-hackers-love-it"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434198,
	"ts_updated_at": 1775792299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a062dbe6bab59fb50ccfc5a72dac1a6300c8062.pdf",
		"text": "https://archive.orkl.eu/1a062dbe6bab59fb50ccfc5a72dac1a6300c8062.txt",
		"img": "https://archive.orkl.eu/1a062dbe6bab59fb50ccfc5a72dac1a6300c8062.jpg"
	}
}