News reports of websites being hacked and data being leaked have become an all too common occurrence. Most of the press focuses on popular or well-known sites, rarely touching on leaks from sites that reside in the recesses of the “deep web” or “dark web”, accessible only by means such as TOR network software. While such breaches may happen frequently, they rarely see the light of day.

A few weeks ago, one such dark web site going by the name “Besa Mafia” fell victim to a hacker using the handle “bRpsd”, who breached the site’s database and posted the information online where it was accessible to anyone. The information posted is potentially a serious concern, as the Besa Mafia site has a reputation as being an actual hitman-for-hire service with links to the Albanian mafia.

Leaked Files

Data leaked in this breach contains user accounts, user personal messages, ‘hit’ orders posted to the site, and a folder named ‘victims’ that contains additional documents. The leak was uploaded to the files.fm site in a compressed archive format. When extracted, the archive contained two CSV files and one additional ZIP file, which contains photos of victims from the ‘hit’ orders on the site. The original leak post also contained 250 accounts with usernames, email addresses, and passwords; however, this data was not included in the download.

The two CSV files from the leak are named orders.csv and msg.csv, and contain 38 ‘hit’ orders and 2,682 personal messages to and from site administrators.

Besa Recruitment

Besa has a unique way of putting users who apply to be a hitman-for-hire to the test by asking them to perform a criminal task. That task generally involves activity such as stealing and crashing a car, setting it on fire along with a unique personal message – all while being filmed for evidence. An actual message from the site administrator to hitman applicants goes like this: (Note – message text sent to applicants varies. The formatting of the below message has been modified for readability; all spelling and wording is as-is from the original message.)

127762,11,30651,admin,[email protected],"test order",active,"2016-04-01 12:03:11","

Hello,

Ok, the test order:

You need to get some hooded jacked, and set fire to a car.

Select a car from any place you want, make sure is somehow in a place to avoid the fire extent to other places, we don’t want to burn the hole city down.

Write down on a A4 paper ‘

Gang member for Besa Mafia,

dedication to Pinochet and FOX,

2th April 2016

with big letters and marker, to be visible.

Use a smart phone to make a video of 1 minute, first show the paper to the camera, spill gas on the car and video record while doing so, then get back, throu the cotton thing with fire on it to the car, and video record it, while holding the paper or cartoon up so the car is visible burning behind it

Video it for like 5-6 seconds then run away and hide

throw the fire to it from a 2-3 meters, make sure you don’t burn yourself when doing this. Is very important that you know what you are doing, gasoline burns quickly if you are not able to set a car on fire while being safe don’t do it.

We don’t want our members to be hurt.

Select a car into some remote place from where you can run away and hide after setting fire to it. It is very important that you send us the video as proof after that. The video should clearly see the a4 paper in the frame and with the burning car bihind it, and see while you spill the gas and light up the car

Do it profesionally

Let me know

After you do this, make a fake name youtube account and upload the video there and give us the link. We will download it and consider your test order done, and we will give you orders from customers

Please make sure you don’t speak in the video, as voice can be used to recognize by police, and that no one can recognize you from the video

And is very important that you have the message on the paper seen in the video, you can record the burning car from 3-4-5 meters or more, stay safe and make it look good, spil like 5 or 10 liters of gasoline all over the car to make a good fire

After doing additional research, we discovered a video on YouTube named “Besa mafia burning car” that was uploaded on the 20th of April that included the unique message within the bulk of personal messages leaked.

We discovered there had been an actual task set by Besa administrators on the 1st of April (was this just a joke? Unfortunately, probably not!).

Additional videos of cars burning along with the Besa message can be found here and here.

The Personal Messages

The personal messages exchanged offer amazing insight into the life behind a Deep Web hitman-for-hire. Of specific interest are the types of messages where the administrators express a willingness to help law enforcement and others seeking information on behalf of authorities. In one such example, the administrator was contacted by someone investigating a possible hit order on a Texas woman. After just a few short messages, the site administrator handed over all information that had been provided by the individual ordering the hit. The admin also included their information, stating they were willing to work with the FBI if needed and granting permission for this person to contact them again should they need additional information about contracted hits within Texas.

Other messages include talk about money transfers, transfers not being completed, checking in on order status, and individuals asking if their targets can just be “really hurt” as they would prefer something short of actual death. Even more interesting is the talk about fake hitmen!

A fake hitman is mentioned a few times throughout the messages. Read in context, the messages suggest that the site has no real hitmen and that its aim is to alert law enforcement around the world to possible hit attempts, people seeking to hire hitmen, or individuals seeking to become hitmen who have found their way to the Besa site. One such example is:

> Hello,
>
> Yes, that is correct.
>
> We receive orders to kill people from all over the world, however our site is fake and we don’t have any hitmen. We forward the orders to police departments where the targets are located.
>
> [email protected] is one of our emails on google, we use it to send notifications of hit orders to police.

Looking into the history of Besa, it is interesting to see posts by users on totally unrelated forums – dating back to December 2015 – making comments about Besa. One user claims that someone was making threats to hire a hitman from Besa Mafia to kill them. There is also a website dedicated to exposing Besa Mafia’s service called hire-a-hitman.com that claims to be fighting to expose sites like Besa.

Despite the administrator writing that the site is fake, the jury is out as to whether Besa is real or something else entirely. There have been posts claiming that a news report of a man found dead in his car was the result of a hired hitman contracted to take out an individual that allegedly sexually abused his girlfriend. Another blog post on an unrelated site has a very similar story of a 27-year-old woman who was sexually abused and wanted revenge. She writes in this blog post:

“At late in the night, I received an message on my Besa Mafia account, the job has been done. I received picture as proof, but they also recommended me to go back in my city and check in the neigberhood, I will hear from people that two guys were shot.”

If you are curious what other people think about the legitimacy of the Besa service, there is a reddit post that offers some interesting insight. What we can tell you is that at the end of the day, as we continue to track data breaches, even deep web sites that offer some apparently shocking services are not immune to their own security issues.

Update: On Saturday, May 14th, Risk Based Security received a comment from someone possibly affiliated with the Besa Mafia site. The message is reproduced without edits here:

I have read your recent article about Besa Mafia potential hack.

Your site is great, however it’s a pitty that does not have a comment feature to allow readers to share their opinions.

I think it would be fair for you to include the other side of the story, more exactly the Besa Mafia admin opinion.

The besa mafia site was not hacked

If a hacker could have got access to it, he would only see that the site is real and the jobs are done by members

The website mafia so called database leack is just plain text that could been edited in notepad by the so called hacker, there are several issues there

– why there are only a few messages where is claimed for admin to share info to an user that is fbi ?

– why not lots of messages where admin share info of customers to fbi? maybe these messages are added by some people who edited a version of this leacked database to make it appear info is sent to fbi but he din’t had too much time to compose or invent too many messages

Besa Mafia is real, people are burning cars, killing people and doing bad stuff

This so called hacker is just some lazy cop trying to scare people off from using besa mafia, however they did a bad job
