It's been extremely hard to keep this one under wraps.

I just published a new blog post, where one weird string that looks like a cookie value turned out to be a whole cryptostealer and database wiping operation.

https://www.labs.greynoise.io/grimoire/2026-02-24-whats-that-string/

I spent some late nights on this one, and am a little bit ridiculously proud of the work I did.

What’s That String? That Time a Weird String Revealed a Whole Operation – GreyNoise Labs

@Dio9sys "hey that looks like backwards base64"

i love those moments.

@Dio9sys this is such a good post! thanks for writing it.
@neurovagrant @Dio9sys "hey that looks like AES-GCM, encrypted with the Key ..." would be very handy.
@Dio9sys Great work! This was a fun read. :3
@Dio9sys Ah yes. I've seen my share of those. Kudos on the writeup.
@alda everything comes down to someone wanting crypto
@Dio9sys this is an amazing read! Great work.

@Dio9sys

Dear reader, I cannot describe the joy I have at working with the type of person who can look at a string and go “ah yeah, backwards base64.”

beautiful sentence

@Dio9sys Not finished reading but

The c2c subdomain is an nginx server on ubuntu on a server in japan, per URLScan. I was curious what the top level domain looked like, so I tried www as well. Turns out their www is in a tencent datacenter in singapore. Neat!

Tencent is that company that buys games from indie developers

That seems foreboding...

@Epic_Null
Tencent is a megabrand tho. They are basically the chinese AWS if AWS also had a movies division, blogging platform, and game studio
@Dio9sys Okay so this is more "Someone buying file storage and runtime to run this operation" than "tencent is running cryptominers"
So, Amazon (minus the blog platform)

@Dio9sys I'm reminded of the book "The Cuckoo's Egg" by Clifford Stoll, who similarly stumbled upon foreign hacker activity in the computer system at Lawrence Berkeley National Laboratory, because of a $0.75 accounting discrepancy in computer usage.

https://en.wikipedia.org/wiki/The_Cuckoo%27s_Egg_(book)

@Intaglio_Dragon
oh, I should give that one a read

@Dio9sys

"No immediately visible MX server. I wonder if they’re actually using an email protocol or if it’s a front end for sending log files."

this doesn't seem right. your query was for mail.deepgtp.net/health, which is a url, not a domain. querying the domain gives proper mailserver data:

$ dig +short deepgtp.net mx
10 mail.deepgtp.net.
$ dig +short mail.deepgtp.net a
43.160.236.90

@Dio9sys me at 7:30 am: ahh what a lovely morning to read a hang on let me get my dictionary.
@Dio9sys I've never seen cyberchef before! That looks extremely useful
@Dio9sys that reminds me of the one time my university was attacked by a phishing operation, and the operator of the phishing operation had the stolen auth data publicly visible on their website, got in touch with the university, told them that and they wrote a cron job to see who fell for the phishing site and deactivate their accounts xD
@Dio9sys Oh and thank you, was a fun read and very impressive deduction sequence, hope you had a good night of sleep afterwards :D
@Dio9sys could you please fix the broken cookie banner on the website (or remove tracking cookies entirely). Currently it defaults to share with everyone all of the cookies, which is illegal according to GDPR.
@portaloffreedom Bringing it up at work right now. Thanks for catching it!

@Dio9sys Nice! A reversed B64 string is like a big neon sign saying “WARNING — INESCAPABLE SIDE QUEST”.

Great work exploring the rabbit hole!

@darthnull Thanks! This one was a lot of fun

@Dio9sys "On the 9th of February, we see Todd Bonzalez send 11.70 bitcoin to Raul Chamberlain. The high price for bitcoin on the 9th was $71,369.97 USD, meaning this transaction was for a whopping $835,028.65.

Later that same day, Mark Smoth sends 4.30 bitcoin to Raul, which amounts to about $306,890.87. Three days later, Raul sends Todd 0.0001000 BTC, or about 7 bucks."

Sports scandal of the year lol this was some cool sleuthing.

@Dio9sys this post is so well written, that I - while not understanding any bit of it - read it until the last letter with great excitement and joy. Thank you!
@lllj
awww thanks! that means a lot!
@Dio9sys I have little interest in crypto, but the fact that you can just follow some convoluted breadcrumb all to where the largest sums of money are being transferred to. Are you mad? Do you need a hug? I hope you got paid well for this. 
@mrgrumpymonkey
I lost a bit of sleep on this one 😅
@Dio9sys this is the modern equivalent of the old novel the cuckoo’s egg! Which was also non-fiction and about how a guy was tasked to figure out a less than one dollar discrepancy. It led to the FBI and Russian hackers and lots of other tasked to