Shortly after the news of the Equifax mega breach, press and researchers scrambled to find out who could have been behind it and what their motivations might be.

In the absence of tangible attribution, popular articles on hackernoon and Mashable and the like mixed breach analysis with a new site that had sprung up at badtouchyonqysm3.onion from the ‘PastHole Hacking Team’, a history-less group which has done nothing but set up this breach micro site and responded to inquiries with a Russian signature.

I set about digging into the site, suspecting it of being a scam immediately. Alas, I was only able to find that their contact forms had no validation and simply presented you with a static Bitcoin address of 17vkHnkXwYaSRiLipEWNWvNqPvC51ZBswy which at the time of writing had collected all of $5. Their novelty email address [email protected] was hosted by popular secure mail service cock.li, though this too has been disabled within the last few hours.

It was dark web sex robot pioneer Sarah Jamie Lewis who followed up, identifying that the site was hosted on danwin1210 via a simple SMTP request to the web host from OnionScan:

Still, it was cyber security researcher Jonathan Nichols who got the scoop identifying the web host:

Following the deanonymising of the hosting, I sent an email to Daniel at danwin2012 asking what was to be done about the site given it breaks his hosting rules. This morning he replied:

Voila:

And thus, this spells the end for these Equifax scammers — until next time!