Have you ever wanted to take an in-depth peek inside Box.sk’s primary project operator Dancho Danchev’s experience in running and managing the latest Box.sk project including a detailed Q&A on his experience in fighting cybercrime and threat intelligence gathering which led him to pursue a career as one of the World’s leading experts in the field of cybercrime research and threat intelligence gathering?
In this Q&A I've decided to feature an exclusive one-on-one conversation with the primary Box.sk project operator Dancho Danchev, where we discuss cybercrime research, threat intelligence gathering, cyber warfare, the U.S Intelligence Community and U.S National Security in the context of today's modern Internet-connected world.
- Dear Dancho – can you please introduce yourself and the latest Box.sk project? Can you please elaborate more on your experience in fighting cybercrime including your contributions to the threat intelligence gathering community and the U.S Security Industry?
My name is Dancho Danchev. I’ve been an independent contractor doing OSINT cybercrime fighting and threat intelligence gathering for over a decade and I’m currently running one of the security industry’s leading security publications which is my personal blog where I’ve established the foundations for an efficient and relevant OSINT and law enforcement methodology in terms of fighting and disrupting cybercrime internationally which led me to pursue a successful career with several high-profile U.S based companies and organizations throughout the past decade following a successful career as an ex-hacker throughout the 90’s. My daily routine consists of digging deep inside the cyber warfare realm in the context of responding to and tracking down high-profile nation-state sponsored or targeted malware campaigns and cybercrime incidents and keeping track of the bad guys as usual with the idea to contribute to the overall demise of cybercrime internationally and to actually contribute to the U.S Intelligence Community with operational and tactical intelligence including to actively support U.S Law Enforcement on its way to track down and respond to cybercrime events globally.
My primary motivation for re-launching a project on the original Astalavista.box.sk is to "show them how it's done" in the context of reaching out to a broader audience in the context of offering practical tactical and operational advice in the World of cyber warfare information warfare operations and to present hardcore and never-published before potentially classified and sensitive material in the world of the U.S Intelligence Community and U.S Law Enforcement and to actually find a constructive and relevant way to say "hi" and "we're back" to a loyal base of users globally and to actually find a way to "keep the spirit" of the Scene the way we know it. I've planned a set of new high-profile projects which I intend to communicate to our audience on a systematic and periodic basis with the idea to offer an insightful and unique peek inside the Scene the way we know it.
- What are some of the currently running Box.sk projects and what do you have planned for the future?
We're currently running a high-profile and extremely popular WordPress blog including a cyber security and hacking forum community and we've recently launched an extremely popular Call for Papers and Call for Innovation part of the WHGDG (World Hacker Global Domination Group) franchise where we're currently soliciting content in a variety of areas and on a variety of topics including a recently launched IRC server including an extremely popular search engine for hackers and security experts including the upcoming launch of our flagship publicly accessible product called Project Cybertronics VR for Hackers and Security Experts including an upcoming high-profile YouTube broadcast featuring folks and experts from the security industry and the Scene.
We've also lined up a variety of high-profile and upcoming community-driven and publicly accessible products and services and we'll be definitely looking forward to issuing periodic updates on their public and proprietary availability. "If it's going to be massive it better be good" in the context of resurrecting and re-launching the Scene's and the security industry's most popular Web site for hackers and security experts internationally.
Among the key features of the portal is a flagship search engine for hackers and security experts which can be accessed at – and is currently indexing over 3M web sites for hackers and security experts.
- What do you think about U.S National Security in a post-Snowden world?
I’m a firm believer that building communities around leaked and classified data might not be the best way to actually communicate its value and actually reach out to a wider audience potentially blowing the whistle on currently active and sensitive and classified cyber surveillance and cyber intelligence type of programs part of the portfolio of services courtesy of the U.S Intelligence Community. I’m also positive that a new set of copy-cats will eventually emerge trying to potentially steal operational and tactical know-how from the leaked data potentially setting the foundations for their own private and proprietary cyber surveillance and cyber intelligence products.
In terms of U.S National Security in a post-Snowden world I believe that a specific set of international fan-base or actual clusters of supporters cannot really do much harm besides raising awareness on the actual state of cyber surveillance and cyber intelligence programs and their scale and reach internationally and can actually assist in building a more sophisticated internal security systems in place.
The current state of U.S National Security has to do with a specific set of post-9/11 contractors who are truly making an impact globally by launching new companies actually hiring people to work for them and actually are fully capable of disrupting and undermining today's modern and sophisticated cybercrime-driven online activity that also includes various cyber jihad sentiments globally. Case in point would be ISIS which the U.S Cyber Command has specifically targeted and could be possibly used as the most relevant and recent example of fraudulent online cyber jihad activity up to present day in the context of a large scale international campaign which basically attracted the U.S attention which resulted in a variety of campaigns targeting pro-ISIS infrastructure and its supporters.
- How can you best describe your experience in tracking down and monitoring the Koobface botnet?
It took me two and a half years of active daily monitoring of the Koobface botnet to actually come up and properly provide the necessary technical research and analysis behind the actual working of the botnet and actually allow me to track down and publicly distribute a variety of personally identifiable information on one of the key members of the group which at some point resulted in having Facebook’s net-space IP block redirected to my personal blog including to actually have a personal message embedded on tens of thousands of infected hosts globally personally greeting me for my research into the Koobface botnet. At some point my research into the group’s whereabouts became the primary information source on the group’s activities internationally which resulted in a series of blog posts on the topic and greatly motivated me to continue my research into the way the botnet worked at the time through the systematic and daily publication of high-profile and never-published before technical analysis and research on the botnet’s la
- What’s the current state of the fight against cybercrime globally?
While we're currently observing a lot of newly popping-up vendors and organizations who are actually good at tracking down and responding to cybercrime incidents and activities it should be clearly noted that high-profile think-tanks including independent researchers organizations and vendors who have been tracking down cybercrime incidents and profiling cybercrime activities for decades should be easily considered a recommended reading in terms of their recently and historically published research in this area.
It should be also clearly noted that wide-spread cooperation campaigns between the academic commercial and private sector are already taking place potentially undermining and contributing to the overall lowering of cybercrime activity globally.
What should be done in the broader context of fighting cybercrime internationally is a currently ongoing OSINT and Law Enforcement operation similar to my recently launched crowd-sourced OSINT and Law Enforcement operation called “Uncle George” including my most recently published high-profile and available online for free Cybercrime Forum Data Set for 2019 which you can download and process and potentially reach out to me in terms of the actual enrichment and tracking and shutting down process.
- How can you best describe the ongoing intersection between law enforcement and the U.S Intelligence Community in the context of launching offensive lawful surveillance campaigns? Case in point is the recent takedown and hijacking of the primary domain for Encrochat a proprietary encrypted mobile solution? Do you think Dutch law enforcement basically abused its technological "know-how" and expertise to target a commercial encrypted mobile solutions provider?
This is something that’s extremely important in the context of fighting cybercrime but can definitely raise someone’s eyebrows across the World in the context of preventing and responding to cybercrime and cyber jihad incidents globally in particular the intersection between U.S Law Enforcement and the U.S Intelligence Community. Case in point is the Dutch Intelligence Service which is quite experienced in fighting tracking down and actually responding to cybercrime and cyber jihad incidents globally which is a great example of the intersection between law enforcement and a country’s Intelligence Agencies globally. Case in point is Encrochat which is basically a commercial enterprise which was successfully taken offline thanks to a cooperation between the Dutch Intelligence Service and Law Enforcement internationally which eventually led to the direct compromise of the primary command and control infrastructure of the company and the actual interception of ongoing messages and communication.
- Do you think that the launch of U.S Cyber Command is a step in the right direction? Do you think that publicly sharing proprietary malware releases on VirusTotal is an OPSEC violation? How do you think the U.S Cyber Command can better perform in the context of today’s modern offensive cyber warfare arms race?
Successfully positioning a major U.S based and publicly accessible organization for the purpose of fighting and responding to cybercrime and cyber attack incidents is a step in the right direction. It should be clearly evident that with the U.S Cyber Command looking to expand and extend its industry outreach campaigns and actually bothering to share proprietary releases which can be clearly found in a huge number of public and private malware repositories thanks to third-party researchers and vendors this is definitely a step in the right direction in the broader context of fighting cybercrime and responding to cyber jihad and cyber warfare campaigns and incidents globally.
- You used to work on Astalavista.com one of Box.sk's primary competitors throughout 2003-2006? What's your impression of running and managing the portal? What really took place when it got hacked?
I used to run and manage Astalavista.com which was the primary competitor of the original Astalavista.box.sk throughout 2003-2006 while I was studying in the Netherlands which greatly helped me make an impact internationally and actually helped me pay the bills at the time. My primary responsibilities were to manage and issue daily updates to the security directory including the security news section including the production of a highly popular and high-traffic volume Security Newsletter where I was also responsible for interviewing people from the Scene and the Security Industry.
My other responsibilities included the overall look of the portal including the introduction of new sections including to actually manage and run advertising inventory where I was responsible for bringing more advertisers on board.
- Is it true that you're running one of the security industry's most popular security publications? How did you originally launch the project? What's the current state of the project?
I've been running my personal Dancho Danchev's Blog since December, 2005 while I was still working for https://astalavista.com acting as a Managing Director of the portal where I was responsible for the daily updates of the Security Directory including the Security News section including the introduction of new
- What's your attitude towards "4th party collection"?
As this has been my primary area of occupation throughout the last couple of years with the results of my research published at my personal blog I believe that 4th party collection is largely driven by a specific set of folks and experts who are actually capable of making an impact and causing widespread damage across the cybercrime ecosystem internationally. Case in point is my most recently launched Law Enforcement and OSINT operation called “Uncle George” where I’ve managed to publicly process approximately 1M web sites from major and leading online cybercrime-friendly forum communities with the idea to assist U.S Law Enforcement and the U.S Intelligence Community on its way to enrich and actually process the data set potentially disrupting the cybercrime-friendly forum communities behind the campaign including to actually track down and prosecute the cybercriminals behind these campaigns.
- Do you believe that an over-populated security industry means lower OPSEC for high-profile operations?
I think that as we're continuing to witness the emergence and the existence of new cybercrime and OSINT researchers and analysts joining the security industry which could actually make the fight against cybercrime even easier in case these researchers get invited into private mailing lists and private invite-only communities. I don't necessarily think that an over-populated security industry means lower OPSEC for high-profile operations in case everyone involved in a specific campaign or operation is keeping track of its sources and sources of information.
- Who’s running the show in 2020? What can best describe a successful “4th party collection” or virtual SIGINT operation? Who’s running the show in terms of fighting cybercrime online?
I'm currently observing the usual deal of research done by high-profile and well-known cybercrime researchers and security experts that also includes vendors including a great deal of research done by novice researchers entering the cybercrime research ecosystem. In terms of a successful "4th party collection" I can best describe the process as a combination of Technical Collection OSINT analysis and actual enrichment and actual U.S Law Enforcement and U.S Intelligence Community outreach where the ultimate goal would be to track down and prosecute the cybercriminals behind these campaigns.
- Is it true that we live in a utopian World where North Korea and Iran-originating cyber attacks are basically launched by anything but nation-state actors namely Generation Y individuals who're online starting to embrace new technologies meaning that "everything's in order"?
I can confirm an evident trend where the mainstream news media is over-hyping the use of remote access tools which in reality are good old fashioned trojan horses circa the 90’s in terms of launching targeted or widespread malicious software serving campaigns. Based on my research and analysis it should be clearly evident that both North Korea and Iran are lacking the necessary technical and operational “know-how” to launch or participate in high-profile campaigns making it easier for these parties to outsource their cyber warfare or malicious software research and development needs to a third-party which could be for instance Russia.
- Do you believe that corrupt and potentially compromised North Korean online agents are actually doing more harm than good by participating in cyber warfare campaigns using techniques and methodologies that were in common use throughout the 90's namely trojan horses and various other lawful surveillance tools?
I’m clearly observing an increase in such type of “rogue agent” type of activity where North Korea or Iran-based hackers are actually directly undermining the OPSEC of their country’s offensive or defensive cyber warfare operations in terms of actually signaling trends and various other indicators which could prove crucial in a possible attribution campaign or actual assessment of a specific country’s understanding of offensive and defensive cyber warfare.
- Were you surprised that you participated in a Top Secret GCHQ program monitoring hackers on Twitter called “Lovely Horse”? How do you think you made the list?
This was quite a surprise and it was in fact a privilege and an honor to have made the list with my old Twitter account where I was busy contributing with research and various other type of activity announcements on a daily basis while working for my previous employer which is Webroot. I think I made the list based on my research and it would be definitely a privilege and an honor to learn more and actually find out more about related Top Secret or Classified programs where I've participated with my research.
- What’s the current state of your currently ongoing law enforcement and OSINT operation “Uncle George”?
The current state of my currently ongoing Law Enforcement and OSINT operation called “Uncle George” is an active cooperation between several researchers who approached me including a vendor in terms of enriching the actual data set potentially helping me reach out to U.S Law Enforcement on my way to assist U.S Law Enforcement on its way to track down and prosecute the cybercriminals behind these campaigns. Users interested in joining my currently ongoing Law Enforcement and OSINT operation “Uncle George” can do it here.