(Update: Kinda thought it might be a nothingburger right from the start, DailyDot did a review and confirmed this. They took a bunch of random stuff already known, pushed it into a pile, stuck an Anonymous sticker on it, and *presto* excitement. As the inventor of the nothingburger torrent, clear back in 2011, imitation is the highest form of flattery.)
This turned up in a Signal chat this morning at 0234 Pacific time. The source for this is someone who always brings in good stuff, so I had a look at it.
Iām not providing the whole link (for reasons) but letās walk through how to handle such a thing.
Attention Conservation Notice:
Iām not really awake, my favorite angry Latina has been chewing my ear since last night, and I am forced to again be a PHP ninja this morning. All bets are off re: accuracy and quality control.
Danger Zone:
As this is not my first rodeo, this downloaded ended up on a VPS well outside U.S. reach. And things like this are why it ends up in Iceland or Outer Elbownia or wherever.
CSAM is strict liability - doesnāt matter if youāre downloading a Russian leak, doesnāt matter if you never looked at it, if there is 250ms of 60 FPS video in there, not only are you going to prison, youāll get an enhanced sentence for having more than fifteen images.
drwxr-xr-x 2 root root 4096 Oct 19 23:30 Leaked Data of pedophiles site
drwxr-xr-x 7 root root 4096 Oct 19 23:31 Leaked Data of pedophile Twitter, Instagram accounts
First Impression:
The use of mediafire[.]com is curious, canāt recall a leak originating there previously. How is an archive of this size still up four hours after being spotted? Curious ā¦ and the page reported the upload region is Ukraine. Now Iāve had Ukrainian VPSes that come and go, there are providers that take Monero and donāt ask stupid questions, but ā¦ *natural scene suspicion kicks in hard*
The MediaFire page for this wants you to sign up, log in, etc, etc. That is SO not Anonymous ā¦ below is how I know that. Why I donāt care is I still have a Chrome instance with ScriptSafe running, and aināt nothing running on MediaFire, till I let āem in one by one. I find the whole thing suspicious. Just looking at it from a U.S. VPN exit, even Proton, makes me a trifle nervous.
I canāt abide skids who leave spaces in folder names, especially at the top level. This is the data Iām examining.
openssl sha256 LeakedDataCorruptOfficials.rar
SHA256(LeakedDataCorruptOfficials.rar)= 3b8eb5a0c020ecd5f9bacdaf81ac35cfed200761835e9c537ccb7fc514b19edc
Further Paranoia:
Nope, not gonna examine this within the U.S. Life is too short, someone authorized, or someone highly skilled somewhere else can do this.
Letās review:
Thereās a suspicious leak
at a very suspicious time
with suspicious characteristics
Thereās a VPS that was rented with Monero
in an uncooperative jurisdiction
and Iāve never logged into the provider without using a fail closed VPN config
The fail closed VPN config was a ProtonVPN secure core
and anything I have ended up there
Even More Paranoia:
This leak is littered with stuff labeled ācredit cardā. Are you familiar with 18 U.S. Code Ā§ 1029 - Fraud and related activity in connection with access devices? I sure am, due to a dope fiend who got raided on live stream back in the day. Donāt end up like this guy ā¦
Potentially Useful Stuff:
I wonder if the U.S. is going to accept Russian extradition requests. Given Trumpās frequent fellation of Putin, thatās not out of the realm of possibility.
Conclusion:
I spent an hour collecting and looking at it, then gave the link to a journalist who can handle such things w/o getting locked up. That VPS will be around for the next day or so, once the reporter gives me the thumbs up indicating theyāve got a copy, itāll get recycled.
My take after this quick ābattlefield triageā is that this is a single source player, perhaps using a Windows system, who collects whatever they see, and they may be trying to work some of it in some fashion. Maybe theyāre trying stuff against sites in a Kali VM, maybe theyāre in a bunch of channels and their role is passing this stuff around to anyone who seems like they might try to use it.
Please read Pitiful Brandfagging for my recent assessment on anon:
Anonymous is, has been, and will remain DEAD.
Another reporter popped up just as I was finishing this. Iād say this one is well in hand ...
