{
	"id": "d1135d3f-7410-4128-b17e-b8faecfcd4c2",
	"created_at": "2026-04-06T00:16:13.174672Z",
	"updated_at": "2026-04-10T13:12:54.545619Z",
	"deleted_at": null,
	"sha1_hash": "b0062f25dbd1f17a9c6b55e01d2aa1e60be9c5ba",
	"title": "Who’s Behind the 8Base Ransomware Website?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1279780,
	"plain_text": "Who’s Behind the 8Base Ransomware Website?\r\nPublished: 2023-09-19 · Archived: 2026-04-05 19:01:30 UTC\r\nThe victim shaming website operated by the cybercriminals behind 8Base — currently one of the more active\r\nransomware groups — was until earlier today leaking quite a bit of information that the crime group probably did\r\nnot intend to be made public. The leaked data suggests that at least some of website’s code was written by a 36-\r\nyear-old programmer residing in the capital city of Moldova.\r\nThe 8Base ransomware group’s victim shaming website on the darknet.\r\n8Base maintains a darknet website that is only reachable via Tor, a freely available global anonymity network. The\r\nsite lists hundreds of victim organizations and companies — all allegedly hacking victims that refused to pay a\r\nransom to keep their stolen data from being published.\r\nThe 8Base darknet site also has a built-in chat feature, presumably so that 8Base victims can communicate and\r\nnegotiate with their extortionists. This chat feature, which runs on the Laravel web application framework, works\r\nfine as long as you are *sending* information to the site (i.e., by making a “POST” request).\r\nHowever, if one were to try to fetch data from the same chat service (i.e., by making a “GET” request), the\r\nwebsite until quite recently generated an extremely verbose error message:\r\nhttps://krebsonsecurity.com/2023/09/whos-behind-the-8base-ransomware-website/\r\nPage 1 of 6\n\nThe verbose error message when one tries to pull data from 8Base’s darknet site. 
Notice the link at the bottom of\r\nthis image, which is generated when one hovers over the “View commit” message under the “Git” heading.\r\nThat error page revealed the true Internet address of the Tor hidden service that houses the 8Base website:\r\n95.216.51[.]74, which according to DomainTools.com is a server in Finland that is tied to the Germany-based\r\nhosting giant Hetzner.\r\nBut that’s not the interesting part: Scrolling down the lengthy error message, we can see a link to a private Gitlab\r\nserver called Jcube-group: gitlab[.]com/jcube-group/clients/apex/8base-v2. Digging further into this Gitlab\r\naccount, we can find some curious data points available in the JCube Group’s public code repository.\r\nFor example, this “status.php” page, which was committed to JCube Group’s Gitlab repository roughly one month\r\nago, includes code that makes several mentions of the term “KYC” (e.g. KYC_UNVERIFIED, KYC_VERIFIED,\r\nand KYC_PENDING).\r\nThis is curious because a FAQ on the 8Base darknet site includes a section on “special offers for journalists and\r\nreporters,” which says the crime group is open to interviews but that journalists will need to prove their identity\r\nbefore any interview can take place. The 8base FAQ refers to this vetting process as “KYC,” which typically\r\nstands for “Know Your Customer.”\r\n“We highly respect the work of journalists and consider information to be our priority,” the 8Base FAQ reads. “We\r\nhave a special program for journalists which includes sharing information a few hours or even days before it is\r\nofficially published on our news website and Telegram channel: you would need to go through a KYC procedure\r\nto apply. 
Journalists and reporters can contact us via our PR Telegram channel with any questions.”\r\nThe 8Base FAQ (left) and the KYC code in Kolev’s Gitlab account (right)\r\nThe 8Base darknet site also has a publicly accessible “admin” login page, which features an image of a\r\ncommercial passenger plane parked at what appears to be an airport. Next to the airplane photo is a message that\r\nreads, “Welcome to 8Base. Admin Login to 8Base dashboard.”\r\nThe login page on the 8Base ransomware group’s darknet website.\r\nRight-clicking on the 8Base admin page and selecting “View Source” produces the page’s HTML code. That code\r\nis virtually identical to a “login.blade.php” page that was authored and committed to JCube Group’s Gitlab\r\nrepository roughly three weeks ago.\r\nIt appears the person responsible for the JCube Group’s code is a 36-year-old developer from Chisinau, Moldova\r\nnamed Andrei Kolev. Mr. Kolev’s LinkedIn page says he’s a full-stack developer at JCube Group, and that he’s\r\ncurrently looking for work. The homepage for Jcubegroup[.]com lists an address and phone number that\r\nMoldovan business records confirm is tied to Mr. Kolev.\r\nThe posts on the Twitter account for Mr. Kolev (@andrewkolev) are all written in Russian, and reference several\r\nnow-defunct online businesses, including pluginspro[.]ru.\r\nReached for comment via LinkedIn, Mr. Kolev said he had no idea why the 8Base darknet site was pulling code\r\nfrom the “clients” directory of his private JCube Group Gitlab repository, or how the 8Base name was even\r\nincluded.\r\n“I [don’t have] a clue, I don’t have that project in my repo,” Kolev explained. “They [aren’t] my clients. Actually\r\nwe currently have just our own projects.”\r\nMr. 
Kolev shared a screenshot of his current projects, but very quickly after that deleted it. However,\r\nKrebsOnSecurity captured a copy of the image before it was removed:\r\nA screenshot of Mr. Kolev’s current projects that he quickly deleted.\r\nWithin minutes of explaining why I was reaching out to Mr. Kolev and walking him through the process of\r\nfinding this connection, the 8Base website was changed, and the error message that linked to the JCube Group\r\nprivate Gitlab repository no longer appeared. Instead, trying the same “GET” method described above caused the\r\n8Base website to return a “405 Method Not Allowed” error page:\r\nMr. Kolev claimed he didn’t know anything about the now-removed error page on 8Base’s site that referenced his\r\nprivate Gitlab repo, and said he deleted the screenshot from our LinkedIn chat because it contained private\r\ninformation.\r\nRansomware groups are known to remotely hire developers for specific projects without disclosing exactly who\r\nthey are or how the new hire’s code is intended to be used, and it is possible that one of Mr. Kolev’s clients is\r\nmerely a front for 8Base. But despite 8Base’s statement that they are happy to correspond with journalists,\r\nKrebsOnSecurity is still waiting for a reply from the group via their Telegram channel.\r\nThe tip about the leaky 8Base website was provided by a reader who asked to remain anonymous. 
That reader, a\r\nlegitimate security professional and researcher who goes by the handle @htmalgae on Twitter, said it is likely that\r\nwhoever developed the 8Base website inadvertently left it in “development mode,” which is what caused the site\r\nto be so verbose with its error messages.\r\n“If 8Base was running the app in production mode instead of development mode, this Tor de-anonymization\r\nwould have never been possible,” @htmalgae said.\r\nA recent blog post from VMware/Carbon Black called the 8Base ransomware group “a heavy hitter” that has\r\nremained relatively unknown despite the massive spike in activity in Summer of 2023.\r\n“8Base is a Ransomware group that has been active since March 2022 with a significant spike in activity in June\r\nof 2023,” Carbon Black researchers wrote. “Describing themselves as ‘simple pen testers,’ their leak site provided\r\nvictim details through Frequently Asked Questions and Rules sections as well as multiple ways to contact them.”\r\nAccording to VMware, what’s particularly interesting about 8Base’s communication style is the use of verbiage\r\nthat is strikingly familiar to another known cybercriminal group: RansomHouse.\r\n“The group utilizes encryption paired with ‘name-and-shame’ techniques to compel their victims to pay their\r\nransoms,” VMware researchers wrote. “8Base has an opportunistic pattern of compromise with recent victims\r\nspanning across varied industries. Despite the high amount of compromises, the information regarding identities,\r\nmethodology, and underlying motivation behind these incidents still remains a mystery.”\r\nUpdate, Sept. 21, 10:43 a.m. ET: The author of Databreaches.net was lurking in the 8Base Telegram channel\r\nwhen I popped in to ask the crime group a question, and reports that 8Base did eventually reply: “hi at the\r\nmoment we r not doing interviews. we have nothing to say. 
we r a little busy.”\r\nSource: https://krebsonsecurity.com/2023/09/whos-behind-the-8base-ransomware-website/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2023/09/whos-behind-the-8base-ransomware-website/"
	],
	"report_names": [
		"whos-behind-the-8base-ransomware-website"
	],
	"threat_actors": [
		{
			"id": "921cea27-4410-42e4-8c11-7d40ba313225",
			"created_at": "2023-01-06T13:46:39.375789Z",
			"updated_at": "2026-04-10T02:00:03.307063Z",
			"deleted_at": null,
			"main_name": "RansomHouse",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHouse",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434573,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b0062f25dbd1f17a9c6b55e01d2aa1e60be9c5ba.pdf",
		"text": "https://archive.orkl.eu/b0062f25dbd1f17a9c6b55e01d2aa1e60be9c5ba.txt",
		"img": "https://archive.orkl.eu/b0062f25dbd1f17a9c6b55e01d2aa1e60be9c5ba.jpg"
	}
}