{
	"id": "ad945ca1-d9b8-4d83-aefb-b6df2b643161",
	"created_at": "2026-04-06T01:29:24.272098Z",
	"updated_at": "2026-04-10T03:21:15.921871Z",
	"deleted_at": null,
	"sha1_hash": "6b25964c8aa50f297a9dbda67ea18324ab928580",
	"title": "Tracking Down REvil’s “Lalartu” by utilizing multiple OSINT methods",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2010471,
	"plain_text": "Tracking Down REvil’s “Lalartu” by utilizing multiple OSINT\r\nmethods\r\nBy Alon Gal — Under the Breach\r\nPublished: 2023-03-15 · Archived: 2026-04-06 00:56:55 UTC\r\n7 min read\r\nJan 30, 2020\r\nIn recent months we’ve seen a spike in companies having their servers breached and files encrypted.\r\nin order for the company to decrypt the files, hackers are demanding a payment, typically in Cryptocurrencies, for\r\nwhich in return they will give the key to open the files.\r\nA specific highly talented group has risen to power lately, they named themselves “REvil”[1] and have already\r\nbuilt quite the resume for themselves.\r\n*If you don’t want to read the whole thing go to the bottom of the page, I attached an image showing how I\r\narrived to conclusions without a thorough explanation.\r\nOn October 14, McAfee released a report[2] in which they analyzed one of the threat actors within REvil group.\r\nthe threat actor named himself “Lalartu” and posted several images of his earnings from his Ransomware\r\nactivities:\r\nPress enter or click to view image in full size\r\nEarnings of almost $500,000 were posted by Lalartu in total.\r\nI decided to investigate Lalartu and see who is the person behind that scary avatar.\r\nFirst I figured out that Lalartu posted the picture above via an exclusive hacking forum named Exploit.in where\r\nRussian hackers hang out and sell different illegal services to each other.\r\nhttps://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80\r\nPage 1 of 12\n\nI noticed Lalartu’s account was banned on the forum for some reason but I could still view his old threads.\r\nPress enter or click to view image in full size\r\nI found Lalartu was using the XMPP address “Lalartu@404.city” and wanted to find other forums Lalartu is active\r\nin, considering his banned Exploit.in account won’t help me much.\r\nI looked for that specific XMPP in several hacking forums until I got 
a match.\r\nPress enter or click to view image in full size\r\nLalartu’s XMPP was found in another Russian hacking forum named BHF.io.\r\nI knew it had to be the same person and not a different one using the same username because an XMPP address\r\ncan only be used by one person unlike a username.\r\nI noticed Lalartu is banned on BHF.io as well and wanted to figure out why so I went to his latest thread dated\r\nAugust 25, 2019 and found this:\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80\r\nPage 2 of 12\n\nLalartu is essentially admitting to exit scamming and to having three more usernames on BHF (also banned):\r\nProtokol, Marka, and Eng_Fog.\r\nI didn’t jump to conclusions and assumed Lalartu is telling the truth, he could be lying about those usernames\r\nwhich could belong to other people he wanted to bring down, so I kept looking at Lalartu’s threads and found this:\r\nPress enter or click to view image in full size\r\nLalartu is using the Skype live:dronmiron as a contact method. 
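The cross-forum linking described above, as an added example that is not code from the original post: it merges accounts only on strong identifiers (XMPP, Skype, e-mail, full phone number), keeps username-only matches as unmerged hints, and, going a step beyond this passage, also reconstructs a phone number from partially censored copies (the technique used further down with Eng_Fog’s sales threads) and reports when an account-recovery hint such as ‘ends with 04’ matches a full number in another cluster. The account records are constructed sample data that mirror the pivots in the write-up; the third forum (example-forum) and its account are hypothetical, added only to show a username match that is correctly left unmerged.

```python
# Added example; not tooling from the original post. Constructed sample data only.

STRONG = ('xmpp', 'skype', 'email', 'phone')   # one owner per value: a shared value links accounts


def merge_masked(fragments, mask='*'):
    '''Merge masked copies of one number: a digit revealed in any copy fills that
    slot in the others; different digits at the same slot are a conflict.'''
    plus = any(f.startswith('+') for f in fragments)
    digits = [f.lstrip('+') for f in fragments]
    width = len(digits[0])
    if any(len(d) != width for d in digits):
        raise ValueError(f'fragments differ in length: {fragments}')
    out = []
    for i in range(width):
        seen = {d[i] for d in digits if d[i] != mask}
        if len(seen) > 1:
            raise ValueError(f'conflict at position {i}: {sorted(seen)}')
        out.append(seen.pop() if seen else mask)   # still masked if no copy reveals it
    return ('+' if plus else '') + ''.join(out)


class UnionFind:                                   # disjoint sets over (forum, username) keys
    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]   # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_accounts(accounts):
    '''Return (clusters, weak_hints, corroborations): clusters are sets of accounts
    joined by a strong identifier; weak_hints are usernames seen on several forums
    that were deliberately NOT merged; corroborations are (root A, root B) pairs
    where a censored recovery hint in A matches the tail of a full phone in B.'''
    uf, owner, resolved = UnionFind(), {}, {}
    for acc in accounts:
        key = (acc['forum'], acc['username'])
        uf.find(key)
        ids = dict(acc.get('ids', {}))
        if 'phone_fragments' in ids:               # censored copies -> one full number
            ids['phone'] = merge_masked(ids.pop('phone_fragments'))
        resolved[key] = ids
        for kind in STRONG:                        # phone_hint is not in STRONG on purpose
            if kind in ids:
                tag = (kind, ids[kind].lower())
                if tag in owner:
                    uf.union(owner[tag], key)
                else:
                    owner[tag] = key
    clusters = {}
    for key in resolved:
        clusters.setdefault(uf.find(key), set()).add(key)
    by_name = {}
    for forum, name in resolved:
        by_name.setdefault(name.lower(), set()).add(uf.find((forum, name)))
    weak = sorted(n for n, roots in by_name.items() if len(roots) > 1)
    corroborations = set()
    for ka, ida in resolved.items():
        hint = ida.get('phone_hint')
        if not hint:
            continue
        for kb, idb in resolved.items():
            phone = idb.get('phone')
            if phone and phone.endswith(hint) and uf.find(ka) != uf.find(kb):
                corroborations.add((uf.find(ka), uf.find(kb)))
    return sorted(clusters.values(), key=sorted), weak, sorted(corroborations)


# Constructed sample records (not scraped) mirroring the pivots in the write-up,
# plus a hypothetical third forum whose 'lalartu' shares only the username.
SAMPLE = [
    {'forum': 'exploit.in', 'username': 'Lalartu',
     'ids': {'xmpp': 'Lalartu@404.city'}},
    {'forum': 'bhf.io', 'username': 'Lalartu',
     'ids': {'xmpp': 'lalartu@404.city', 'skype': 'live:dronmiron',
             'email': 'dronmiron@outlook.com', 'phone_hint': '04'}},
    {'forum': 'bhf.io', 'username': 'Eng_Fog',
     'ids': {'phone_fragments': ['7952220**04', '+7952***69*4']}},
    {'forum': 'example-forum', 'username': 'lalartu',          # hypothetical decoy
     'ids': {'xmpp': 'someone-else@example.org'}},
]

if __name__ == '__main__':
    found_clusters, username_hints, hint_matches = link_accounts(SAMPLE)
    for c in found_clusters:
        print('persona:', sorted(c))
    print('username-only matches, not merged:', username_hints)
    print('recovery-hint corroborations:', hint_matches)
```

The recovery hint is kept out of the strong set on purpose: a number ending in 04 narrows the candidates but does not identify one, so the code reports the match for a human decision instead of merging the clusters, which is also how the write-up treats it before the social-engineering confirmation.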
A somewhat known technique for finding the email behind a Skype username prefixed with “live:” (the prefix means the Skype name was created from a Microsoft account, so the part after the colon is often the local part of a Hotmail or Outlook address) is to try each of Hotmail’s email domains in Skype’s search field until one of them returns a result displaying that username.\r\nI found that the email behind that username is dronmiron@outlook.com.\r\nTo find the censored backup email address and the censored phone number connected to this account, I started a password-recovery process on Outlook.com; it showed that Lalartu’s phone number ends with 04.\r\nThe censored phone number is a great lead, but I couldn’t find it anywhere in Lalartu’s threads, so I looked up “Eng_Fog” on BHF.io (Lalartu’s alleged secondary account) and started reading his old threads. I very quickly found that he was posting a censored version of his phone number in his sales threads so that people would send him a private message, in which he would give them the full number.\r\nBeing somewhat smart, Lalartu censored parts of the phone number, but because he didn’t remember which part he had censored in each thread, I was able to piece the whole number together from the different partial copies:\r\n7952220**04 and +7952***69*4 = +79522206904.\r\nThe phone number indeed ends with 04, like the one connected to Lalartu’s Outlook account, which made it pretty clear that Lalartu wasn’t lying about his other accounts.\r\nI kept investigating both Lalartu’s and Eng_Fog’s threads and noticed that at one point Eng_Fog posted a thread linking to a Yandex Disk download page with a file he wanted people to download.\r\nThis is great because most file-sharing sites keep metadata:\r\nAs can be seen in the screenshot, under the file information Yandex kept the owner’s name, which translated from Russian is “Zima Taker”.\r\nI decided to see whether Lalartu had any similar threads, and he did:\r\nThis time the file was on Dropbox, and it says it was uploaded by an “Alex Tucker”.\r\nWhen I looked up “Eng_Fog” on Yandex’s search engine, which is much better than Google when looking for Russians, I found a VK profile at the URL https://www.vk.com/engfog. It belongs to a person named Zima Taker!\r\nI figured it could be him, but what about that “Alex Tucker” name?\r\nWell, I found a thread posted by Eng_Fog asking people to watch a Twitch stream of his friend:\r\nIn her Twitch profile, SleepTucker linked her VK account at the URL https://www.vk.com/sleeptucker.\r\nI examined her followers and found this:\r\nOne of her followers is named Alexander Taker, similar to the person who uploaded the Dropbox file. I was now torn between two options: Lalartu could be either Alexander Taker or Zima Taker, and I couldn’t really know the answer.\r\nThat is, unless I recalled what a smart person once said:\r\n“There is no technology today that cannot be defeated by social engineering.” — Frank Abagnale\r\nI decided to try contacting the Twitch streamer, who could potentially still be in touch with the real Lalartu, since he had posted a thread sharing her Twitch account.\r\nDespite my poor Russian, I had Google Translate and some chutzpah.\r\nI sent her a message asking whether she still knew Alexander Taker, since I knew he was following her, and asked where I could contact him, claiming I was an old friend of his who wanted to get back in touch:\r\nTo my surprise, she literally replied with his updated profile, https://www.vk.com/engfog, the same profile I had been wondering whether it belonged to him!\r\nSocial engineering truly never fails.\r\nSo now I know that the identity behind Lalartu is a Russian person named Alexander Taker, who also goes by the nickname “Zima”.\r\nTori warned me that he might not be friendly towards me, considering we hadn’t talked in a long time, so I stopped my effort to reunite with my old pal…\r\nIn conclusion —\r\nWe learned several OSINT methods for finding a target’s real identity:\r\na. Grave-digging old posts belonging to the person.\r\nb. Examining the metadata of files the person shared.\r\nc. Finding the email behind a Skype username.\r\nd. Finding censored emails and phone numbers connected to an email address through its account-recovery flow.\r\ne. Utilizing social engineering.\r\nAnd this is just OSINT in a nutshell; there are still many unique and interesting methods I use and would love to share if I see that posts like this spark people’s interest.\r\n*I would also like to mention that in the McAfee report the researchers present Lalartu as a serious threat actor who earned almost $500,000 from his ransomware activities. But considering that in my research I found he was banned for scamming under more than eight different identities, and that he posted a sales thread trying to earn himself “merely” $60, I would conclude that he is just a sophisticated scammer who fabricated the photo of his earnings and nothing else.\r\nIt is worth mentioning that this thread is dated August 12, 2019, while Lalartu’s revenue thread is dated June 4, 2019, so we can rule out the possibility that Lalartu simply started making a lot of money very quickly after his scamming sprees.\r\nIf you’re too lazy to read the whole thing, here is a graph displaying it without much to read.\r\nConnect with me — https://www.linkedin.com/in/alon-gal-utb/\r\nReferences:\r\n1. https://www.kpn.com/security-blogs/Tracking-REvil.htm\r\n2. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-follow-the-money/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80"
	],
	"report_names": [
		"tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80"
	],
	"threat_actors": [],
	"ts_created_at": 1775438964,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b25964c8aa50f297a9dbda67ea18324ab928580.pdf",
		"text": "https://archive.orkl.eu/6b25964c8aa50f297a9dbda67ea18324ab928580.txt",
		"img": "https://archive.orkl.eu/6b25964c8aa50f297a9dbda67ea18324ab928580.jpg"
	}
}