A Threat Actor Revealed
ByteToBreach is a well-known, active cyber threat actor, known primarily for carrying out opportunistic but high-impact breaches against financial institutions, airlines, and corporations across multiple regions. His attacks have been documented against Uzbekistan Airways, where he leaked passenger data, including records of U.S. government employees; Seychelles Commercial Bank, where he exfiltrated customer banking data and attempted extortion by decrypting files; and BTS Group Holdings, a major Thai conglomerate, where he stole internal LMS (Learning Management System) data and advertised ongoing network access. Additional chatter links him to breaches of academic institutions in the United States, though attribution in those cases remains less certain.
The following research sheds light on this individual and reveals connections between the threat actor and the persona behind it.
*The personal details (PII & usernames) are blurred for security and privacy*.
So, Who Are You, ByteToBreach?
A recent post by him on a known hacking forum offers reverse shell access to 2 huge corporations (Nokia & Atos) and publishes contact methods for reaching him.
Session: 05c2db4775cb46350f16814dfe3bfa856664f315585653e4c368af08ce50b0c31b
Signal: Bytetobreach
Email: Bytetobreach@tuta.com
All are very secure and known to be in use by cybercriminals, terrorists, investigators, and super privacy-oriented individuals.
The Investigation Starts
The user “Bytetobreach” leads to an active Telegram user with this alias. Through search manipulation, the current username revealed 2 other usernames: CvHNWwEG and iηeѕslopеz (the ‘η’ is a Latino/Greek letter).
The user Bytetobreach leads to an active Instagram account, which publishes evidence of hacking and breaches he performs (SQL Injection, ransomware, and phishing scams, including live recording from the victim’s screen).
The usernames “CvHNWwEG” and “iηeѕslopеz” did not yield any results by themselves, but the letter ‘η’ hints at the source language, and thus at the origin of the individual behind the operation.
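The reasoning above, an out-of-place ‘η’ inside an otherwise Latin-looking handle, can be checked mechanically. The following is an added example, not part of the original investigation: it profiles the Unicode scripts used in a handle and folds look-alike letters so that mixed-script variants can be compared. The sample handle, the function names, and the small look-alike table are assumptions made for illustration.

```python
import unicodedata
from collections import Counter

# Hand-picked look-alikes for this example only; a real tool would load the
# full Unicode confusables data (UTS #39) instead of this small assumed subset.
LOOKALIKES = {"\u03b7": "n", "\u0435": "e", "\u0455": "s", "\u043e": "o"}

# Constructed sample handle: Latin letters with a Greek eta and a Cyrillic "ie".
SAMPLE_HANDLE = "m\u03b7r\u0435k_77"


def char_script(ch):
    """Approximate a letter's script from the first word of its Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def script_profile(handle):
    """Count the letters of a handle per script (digits and punctuation ignored)."""
    return Counter(char_script(c) for c in handle if c.isalpha())


def foreign_letters(handle):
    """List (index, char, codepoint, script) for letters outside the dominant script."""
    profile = script_profile(handle)
    if not profile:
        return []
    dominant = profile.most_common(1)[0][0]
    return [(i, c, f"U+{ord(c):04X}", char_script(c))
            for i, c in enumerate(handle)
            if c.isalpha() and char_script(c) != dominant]


def skeleton(handle):
    """Fold known look-alikes to ASCII so visually identical handles compare equal."""
    folded = unicodedata.normalize("NFKC", handle).lower()
    return "".join(LOOKALIKES.get(c, c) for c in folded)


if __name__ == "__main__":
    print(dict(script_profile(SAMPLE_HANDLE)))
    for hit in foreign_letters(SAMPLE_HANDLE):
        print(hit)
    print(skeleton(SAMPLE_HANDLE))
```

The minority-script letters are the ones worth noting as a language hint, and the skeleton is the form to use when comparing handles across platforms.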
By searching for the Tuta mail, TOX address, and username provided by the attacker, a website called “bytetobreach.com” was revealed, where these contact methods are posted. He claims to “protect” others’ data from hackers while he is the de facto attacker, a known method among criminals.
The website is full of victims that he has already attacked, and even reviews by those “clients”, saying how aggressive he was in his attacks, but that after they hired his services to protect them, he became a whole different person.
Among his victims are well-known organizations, such as banks, airlines, and universities across the globe. He is very proud of his achievements, claiming to have hacked over 200 clients in 26 different countries.
The contact methods he provided were already mentioned, but he chose to add another revealing sentence that hints at his way of thinking, something that potentially represents him in other places and can be cross-referenced to locate the individual.
He specifically says, “Do not contact me if you are a t3rr0r!st3, or if you are into ch!ldr3n$”, meaning he holds a very straightforward position on child sexual abusers (CSAM) and terror-related entities.
Also, the website he operates is hosted on WordPress, another clue that may reveal useful associations.
The Domain As a Pivot Point
The domain itself wasn’t part of any data breaches or mentions around the web, and no WHOIS records were found associated with it.
Checking the IP address of the website led to Frankfurt, Germany, where the WordPress servers are. But… what if one of the users who interacted with this IP address is associated with the website?
After researching the IP address in data breaches, using an automated script with a dictionary of relevant words (such as ‘hack’, ‘dark’, ‘tuta’ [the anonymous mail provider], and others), one user came up. This is the lead.
It is also important to add that this IP address is used to host over 300 different websites, none of which was found in the history of the following suspected user, which backs the claim that the only reason for his association with this IP address is directly related to “ByteToBreach”.
While going deeper into this user’s data, I found other relevant associations with hacking skills, privacy software, and operating systems, and of course, many uses of the letter ‘η’, as he is located in Greece.
From this data, we can understand that he is well familiar with privacy-oriented solutions (Tails OS, Tuta mail, Kali Linux, etc.), that he speaks Greek, that he is involved with hacking tools and associated GitHub repos (such as Wi-Fi stealers), and that he even searched for guidance on hosting his own dark web site.
Also, many mentions of WordPress services were found, including https://***di*.staging.wpengine.com, a staging site (a private test version of a WordPress site, like a sandbox, designed to be private and hidden from the public site).
New Clue Sheds Light
After reviewing thousands of lines of data, one username appeared again and again, “**uru_gr” (username blurred for privacy reasons), which opened a whole new door for this investigation.
The username is directly associated with a website called “**uru.gr”, where the owner posts dozens of materials on stealers, exploits, privacy-oriented tools, and hacking materials.
Also, under the username “**uru”, an ONION URL (Darknet) bearing his name was found in his associated data, meaning he used to be the admin of a website on the Darknet.
The server has already been deleted, and no archives were found.
When using the Wayback Machine archive to check past versions of the website, I found it was part of a Mashable leak that occurred in 2020 and revealed personal information, including usernames, or his username, to be more precise.
In the archived version of his website, he claims to be part of the Anonymous hackers and expresses direct opposition to child abusers, exactly as on the hacker’s official website.
The link http://t[.]co/HaIX**** points directly to the **uru.GR website.
Username To Social Life
With this username revealed, tons of other data came out, from email addresses to passwords, associated accounts, and a lot more.
The Twitter (X) account with this name appears to be directly associated with cybersecurity and technology, refers to the website with this username and to a Facebook account, and confirms the location of Greece.
On this Twitter account, there are many old posts about individuals who were arrested for child abuse and child pornography (again repeating the strong mindset and agenda against CSAM users), and references to Anonymous hackers and to a user named “TheAnon0ne”, a known hacker with a strong agenda against child abusers.
As shown previously in the archived version of his website **uru.GR, the hashtags #Anonymous and #OpPedoChat and the user @TheAnon0ne are repeated on his Twitter as well.
Let’s understand who this **uru
More than 20 different emails were found with his nickname, including at the Tuta email provider, but none of them yielded any significant results.
Though the nick by itself didn’t help, the website “**uRu.gr”, based on that very same nick, gave the official LinkedIn page of this entity.
The most interesting result here is the fact that there is only one employee in this company.
When checking the page to see who is the person involved with it, one name came up – Anastasis ******, from Thessaloníki, Greece.
Checking on this individual led to phone numbers and email addresses associated directly with him, and from there, to a Facebook page with 121K likes and 3.8K followers.
By the account, it appears that this individual is well familiar with hacking materials. He claims to be a cybersecurity expert (penetration testing, malware analysis, developer, red teamer), and is associated directly with **uRu.
Also, the first post on his Facebook page includes a manual for the Flipper Zero, a known hacking tool that can read, copy, and emulate RFID and NFC tags, radio remotes, iButtons, and digital access keys.
Among the older posts on this Facebook page, one specific post came up regarding child safety on the internet, directly connected to the “anti-pedophile” mindset that appears on the official website of the threat actor “Bytetobreach”. This post is tagged with another Facebook account under his name, with the same photo and nickname (Cyber***).
When exploring this second Facebook page's posts, more relevant posts on child safety strengthen the claim about his mindset, similar to the threat actor “Bytetobreach”, who spoke directly against pedophiles on his official website.
On top of that, the username he uses on his official Facebook pages (Cyber***) is the username used on his behalf on the **uru.news website.
A deeper dive into his profiles and mentions turned up his appearance on a freelancers website, which specifies his email address and phone number, along with details showing that he has the same relevant skills as “Bytetobreach”, that he has 16 years of experience (which perfectly aligns with the fact that the official website of the threat actor, created 1 year ago, says “15 years of experience”), and that he lists WordPress (the infrastructure of “Bytetobreach’s” website) as a main skill.
A Complete Intelligence Review - Digital Footprints
Profiling the person behind the website reveals contact methods and social accounts, which may assist the authorities and other intelligence agencies in engaging with him when needed.
For this purpose and to maintain his privacy, all PII (personally identifiable information) and associated online accounts are blurred.