“Imma make u dig ur own grave,” one of the messages read. “Kids like you i will kidnap and keep in my storage to die,” said another. “Its funny when we encrypt the hospitals. I hope when you have a baby he dies just like this,” a third read, before linking to a media report about how a baby’s death was believed to be linked to a case of ransomware.
“Im proud of this,” the message added, referring to the hospital hack.
These death threats and other messages from suspected criminals were sent to Pancak3, a pseudonymous security researcher who has taken it upon himself to publicly post the names, addresses, dates of birth, and other personal information of hackers, and especially those that are linked to high profile ransomware gangs that have attacked hospitals, businesses, and even companies that have catered to the Saudi Royal family. Pancak3’s Twitter account, where he mostly posts his findings along with photos of the alleged hackers, is a stark reminder that there are people behind ransomware attacks, and a jolting unmasking for the hackers themselves.
“They don’t want their information out there (obviously). Which is a pretty good indicator it’s legitimate,” Pancak3 told Motherboard in an online chat. “They usually come via Telegram. They will typically ask how much to remove the tweet. Then when I give them some ridiculous number they get mad and start with the threats.” Cyberscoop also spoke to Pancak3.
Do you have any more information on these ransomware actors? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email firstname.lastname@example.org.
Pancak3 has posted the personal information of who they say are members of infamous groups such as Conti, TrickBot, REvil, and EvilCorp, as well as independent alleged hackers.
“I just want these guys to know they’re not invisible,” Pancak3 said.
Pancak3, who declined to provide their real name due to the threats they face, said they work in the threat intelligence industry. This is a now wide spanning collection of companies that source all kinds of information from underground forums, commercial datasets, or undercover work to, say, identify a hack in progress or when a client may have been targeted.
Others jump to the conclusion that he is being financed by higher powers. “I am also getting inquiries from other threat groups who know these people IRL and they are under the impression I’m being paid to do this by some government entity.” Pancak3 says they have passed on information to law enforcement agencies and “received positive feedback.”
In March, another Twitter account called trickleaks started to post internal communications from hacking crew called TrickBot, a financially-motivated group which eventually linked up with the ransomware organization Conti. Cybersecurity firms have since dug through those messages to gain a better understanding of how cybercrime organizations function. Pancak3, meanwhile, has used some of the material posted by trickleaks as a springboard to more discoveries. Specifically, Pancak3 pointed to a list of usernames that the trickleaks account previously posted. “I’m kind of just working my way down the list,” Pancak3 said. He takes that list and then works to find more information on each person and then post it publicly. “Some of them are bogus or fake info though, so verification is definitely a key piece. There’s always the potential for false names and info.” Some of the leads do require work to chase down.
Pancak3’s research might include identifying the target’s Telegram handle and examining what Telegram groups the person is in. Often, the activity inside those groups is then criminal in nature, signaling that Pancak3 is on the right track. Pancak3 may then also find their old forum posts, or advertisements selling high-end computing equipment, he said. One mistake some targets make is linking their personal phone numbers and email addresses to those online accounts, he added.
“Once I have a name and DOB, or phone number, it’s pretty much game over,” Pancak3 said.
Allan Liska, a researcher at cybersecurity firm RecordedFuture, told Motherboard in an online chat that “While not every researcher is accurate in their doxing ‘Pancake’ has been spot on with his releases, at least the ones we can verify (and I have heard from other researchers that the ones we can't verify are also accurate).”
John Fokker, head of cyber investigations and principal engineer at cybersecurity firm Trellix, told Motherboard in an email that “We don’t have complete visibility on the complete Conti/TrickBot Threat group members, but we can confirm we saw some familiar faces in the posted tweets.”
Pancak3’s actions raises another question: is publicly doxing ransomware actors like this useful? This is not a straightforward problem. When Motherboard asked Liska this question, he said “I just rubbed my eyes and sighed heavily for 2 minutes before responding.”
“On the one hand, it lets ransomware actors know that they aren’t above being tracked and it can certainly be cathartic. But, as long as Russia and some other countries are going to continue to look the other way it is like shouting into the void,” he said.
Fokker also had mixed feelings. “As much as I support the unmasking and apprehension of ruthless cyber criminals, this practice done without context and an ability to reproduce the findings can make it less trustworthy and create risk of trial by media, regardless of the credibility of the source providing the information.”
Pancak3’s Twitter account may not stay up forever either. Earlier this month Twitter temporarily locked Pancak3’s account for violating the site’s rules against posting private information. An automated message told Pancak3 to delete the offending tweet, which included the date of birth, passport number, and location of a cheat developer.
“I made another post just with a little less info,” Pancak3 told Motherboard. In response to the potential for Twitter takedowns, Pancak3 has started posting some of their content on Substack as well. “I decided I needed another place to post things so Twitter couldn’t give me the full boot.”
Sometimes, the threats against Pancak3 work.
“Just stay tuned,” the hacker who said they were proud of hacking the hospital continued. “For tweeting my convo with you we are hurting those close to you. Involving innocent people. This is your fault. They will begging u delete those tweets. And you will.”
Pancak3 told Motherboard they did ultimately delete those tweets. “There was potential for the threats to escalate. Just wasn’t worth it.”