Hell Forum Closed, Administrator ping arrested. | hell2bjhfxm77htq.onion

Hell forum has been getting a lot of attention recently. Publishers from Vice to Brian Krebs have been writing about this onion site, which disappeared yesterday.

Hell Forum was a Tor site that facilitated dumps and leaks from various sources with a heavy focus on cyber crime. The site itself had guides on carding, hacks, exploits, and dumps. In the last few days of the forum being online there were a number of releases for sites as recent as May 31st 2015.

Didn't have the skills to be a script kiddie? Hell was also a hub for users to exchange the shells and databases they had collected. This added to the community's reputation among Tor users.

Why am I writing about this?
The main reason is exposure: I have only seen one article about this online so far. The ability of users to collectively aggregate and then sell this data seems to be on the rise, and Hell forum was the place to go. I also had some observations that were not covered by ThreatStream's post regarding the encryption keys used on the .rar files, and I wanted to touch on the importance of security even over Tor. I highly recommend you read their article once you are done here.

In brief, Hell ( https://hell2bjhfxm77htq.onion ) administrator ‘ping’, a 33-year-old Calgary resident, was charged with card skimming today after an extensive six-month investigation. This created an issue for Hell forum users since he was the administrator of the site. During the last month he has been active on the site and still publishing data leaks, even after the initial arrest and after the seizure. This would be problematic for users of an underground forum, seeing as it is possible he worked with law enforcement in order to obtain a reduced sentence. A daily reminder that even if you use Tor services you need to be security conscious about who you contact, what you do, and the implications of simply being associated with (or even having an account on) these sites.

After the forums went down yesterday, the repo where the leaks were stored also disappeared into the depths of the deep web. The site ‘ http://agcv47dxxqxqkmw3.onion/Hacked_Data/ ‘ is also gone; as noted by ThreatStream, it had a number of data leaks on it, some encrypted, some not. What the article overlooked was that a number of the recently posted archives were the very public HackingTeam leaks, Wildstar Online (an online MMO), Cheap Ass Gamer, and MajorGeeks.com, with data as new as March 31st 2015.

Another item that has not yet been reported is that the keys to the archives were actually lines of his PGP key block.

A small collection of the leaks use the passwords `mQINBFUiprYBEADKX+oGpwzjjQ7bUr7XUjfP5C/xCR3dQfdcmflkBf3HdK7ARZ3p` and `58iY0pmkQa6EMlNFXcBt75QW3wUFxSFrfy2aN2D/+UTCz/H08Q6wMNITyvtXy5uc`.

Looking at these, I noticed that they match lines of the current PGP key that ‘ping’ used, posted below:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)

[key body removed]
=0Cti
-----END PGP PUBLIC KEY BLOCK-----

It is probable that other lines of the block are the keys to the now-gone archives.
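The observation above, that the archive passwords were whole lines of an ASCII-armored key block, is easy to check mechanically once you can parse the armor format. The following is an added example, not code from the original post: it parses an OpenPGP ASCII-armored block as described in RFC 4880 section 6 (BEGIN/END lines, `Key: value` headers, base64 body lines, and the trailing `=XXXX` CRC-24 checksum line), verifies the checksum, and reports which body line, if any, each candidate password equals. The armored block it runs on is constructed from deterministic bytes, not ping's key, and the assumption is that a password matches a body line exactly, as the two passwords quoted above do.

```python
"""Added example: parse an OpenPGP ASCII-armored block and check whether
candidate archive passwords are lines of its body (RFC 4880 section 6).
Not code from the original post; the key block below is constructed."""
import base64

# RFC 4880 section 6.1: CRC-24 used for the armor checksum line.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 exactly as given in RFC 4880 section 6.1 (check value of
    b"123456789" is 0x21CF02)."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str = "PGP PUBLIC KEY BLOCK",
          version: str = "Example v0", line_len: int = 64) -> str:
    """Produce an armored block: BEGIN line, headers, blank line,
    base64 body wrapped at line_len, '=' + base64(CRC-24), END line."""
    b64 = base64.b64encode(data).decode("ascii")
    body = [b64[i:i + line_len] for i in range(0, len(b64), line_len)]
    crc_line = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN {block_type}-----", f"Version: {version}", ""]
                     + body + [crc_line, f"-----END {block_type}-----", ""])


def parse_armor(text: str) -> dict:
    """Split an armored block into its parts and verify the CRC-24 line.
    Returns type, headers, body_lines, crc_line, decoded data and crc_ok
    (True/False, or None when the block carries no checksum line)."""
    result = {"type": None, "headers": {}, "body_lines": [],
              "crc_line": None, "data": b"", "crc_ok": None}
    state = "outside"
    for line in (ln.rstrip("\r") for ln in text.splitlines()):
        if state == "outside":
            if line.startswith("-----BEGIN ") and line.endswith("-----"):
                result["type"] = line[len("-----BEGIN "):-5]
                state = "headers"
        elif state == "headers":
            if line == "":
                state = "body"            # blank line separates headers from body
            elif ": " in line:
                key, value = line.split(": ", 1)
                result["headers"][key] = value
            else:
                raise ValueError(f"malformed armor header: {line!r}")
        elif state == "body":
            if line.startswith("-----END "):
                state = "done"
                break
            if line.startswith("="):      # checksum line: '=' + 4 base64 chars
                result["crc_line"] = line
                continue
            result["body_lines"].append(line)
    if state != "done":
        raise ValueError("armor block not terminated")
    result["data"] = base64.b64decode("".join(result["body_lines"]), validate=True)
    if result["crc_line"] is not None:
        expected = int.from_bytes(base64.b64decode(result["crc_line"][1:]), "big")
        result["crc_ok"] = expected == crc24(result["data"])
    return result


def match_password_lines(armored_text: str, candidates) -> dict:
    """Map each candidate password to the 1-based index of the armor body
    line it equals exactly (after stripping whitespace), or None."""
    body = parse_armor(armored_text)["body_lines"]
    index = {line: i for i, line in enumerate(body, start=1)}
    return {c: index.get(c.strip()) for c in candidates}


# Constructed sample: deterministic bytes armored like a key, not a real key.
SAMPLE_BYTES = bytes(range(200))
SAMPLE_ARMORED = armor(SAMPLE_BYTES)
_body = parse_armor(SAMPLE_ARMORED)["body_lines"]
# Constructed candidates: two real body lines and one unrelated password.
CANDIDATE_PASSWORDS = [_body[0], _body[2], "hunter2"]

if __name__ == "__main__":
    parsed = parse_armor(SAMPLE_ARMORED)
    print("type:", parsed["type"], "| crc ok:", parsed["crc_ok"],
          "| body lines:", len(parsed["body_lines"]))
    for pw, idx in match_password_lines(SAMPLE_ARMORED, CANDIDATE_PASSWORDS).items():
        print(f"{pw[:16]}...: {'line ' + str(idx) if idx else 'no match'}")
```

Feed `match_password_lines` a key block exported with `gpg --export --armor` and the password list from an archive, and any password that is a verbatim line of the body shows up with its line number; a checksum failure from `parse_armor` means the block was altered or truncated in transit and should not be trusted as the original.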

Seeing as ‘ping’ is not going to be releasing the keys for the remaining archives any time soon, this is the best lead existing Hell users would have had to open the files; one of the locked archives was suspected of being the second batch of the federal leak in 2013.

In closing, there will always be more “Hell” forums springing up as long as there is demand for them. Users should always keep in mind that when using Tor you are only as secure as the service you use. Once you put identifying data into the service, you have removed any barriers it has put up for you.
