One of the world's top hackers reveals how attackers own corporate and government networks, how stolen data is sold, which exploit markets are exploding, and why hackers are excited about Android and IoT.
The hacker's fingers fly across a mechanical keyboard, filling the dark and quiet room with the clatter of keystrokes punching code into a command line interface. He needs the environment to be quiet, so he can concentrate. Tonight, he's in a private room. Tomorrow he might be in a hotel or cafe. He's always on the move, and he's always hacking. His name is Gh0s7, and if you piss him off he'll own your system.
In an encrypted email interview, Gh0s7 claimed to never black-hat hack for profit. Instead, he and his comrades swipe and leak data from corporations and governments using custom-built remote exploit tools, DDoS and phishing attacks, and common social engineering tactics.
Gh0s7 is the leader of Shad0wS3c, one of the world's most conspicuous and notorious hacktivist collectives. Shad0wS3c has been publicly active since June 2016 and operated privately for "quite a long time," Gh0s7 said. The group is a small, tight-knit team of A-list hackers. Some self-identify as hacktivists. Some do not. They target large corporations and government agencies and are best known for hacking certificate authority EJBCA, the Ethiopian Government, and Paraguay's Secretary of National Emergency.
Like many hacker groups, Shad0wS3c members operate independently and communicate in forums on the Dark Web, with secure mobile messaging apps like Telegram, and openly on Twitter. Some are wanted by the U.S. and other world governments. They're paid in Bitcoin and operate anonymously.
Gh0s7 stated that "for personal reasons" the collective recently pivoted from hacktivism to "security work" that involves network stress testing and penetration testing for companies and private clients. Distributed denial of service, or DDoS, tools are often used as a weapon to bring down corporate servers. Corporate IT departments also use DDoS software to test the strength of a network. "Denial of Service is actually one of the ways u can check your system is safe [sic]," said Gh0s7.
Gh0s7 explained what motivates him and his hacker colleagues, how he attacks and invades systems, and how stolen data is sold. His quotes are provided unedited.
Who are you?
let's just say im former hacktivist and currently just a hacker
on self teaching you have to do your best to know what every other person in that field knows, so i taught myself basic hacking, programming and networking.
the reason for the change is personal as i said, but currently i am learning software engineering for a vaster view of what i do.
When did you start hacking and how did you learn?
when i start it was for hacktivism reasons
i started hacking 3 years ago, i studied hacking alone and after a while i met a powerful hacker "Netor". after i met him he taught me a lot.
I met Netor online. to be honest he is one of the most skilled hackers i know. and he guided me in a lot of ways, mostly by giving me tools, and telling me what the essential things are in what i do and what i should learn to become like him (one tip here to readers; Don't trust everyone you meet in the cyber world). Netor actually gave me something tangible to trust him and we also met in person.
Is what you do legal?
No what we do is not legal but since we are not known by person we can walk into a cyber security firm and ask for a job.
What motivates you?
well, from now on what i want to do is security research, and my motives, those changed, if it was a month ago i would say basic things that a hacktivist would say but now it changed (Personal reasons).
what i'm doing afterwards is greyhat hacking. and yeah i think about profit but not for fun.
what i mean by saying security research is, to learn as much as i can then i'll work for a company, who knows we might even open one with my friends. but one thing i promised to myself is that i'll never work for government, not only because they want to arrest me but the way they hide information and take people's privacy is not my kind of thing.
Explain Shad0wS3c's history and goals.
the teams goals are just to be a security team but we will leak documents or other corporation files if we come across any.
as the public knows Shad0wS3C started 2 or 3 months ago but Shad0w Security was around for a long time, and Netor is also part of it, he is a hacker not a hacktivist, they stayed under the radar for a long time, after i left GSH i joined them and made some public news. but trust me when i say they got some pretty big hacks they made that are not publicized.
Are you friendly with other hacker groups?
yeah, i communicate with hackers in the dark web and with those around me.
i know some hacktivists and also activists, the reason most hacktivists hack is for a cause that the government doesn't really support, for example asking for privacy and freedom of information, the 2 things any government would never allow. plus they even take activism to hacktivism, let's take israel for example, there are pro-Palestinian hackers i know, what they do is bring the fight from the real world to the cyber world.
mostly we talk about new things, you can call it a forum. and most like to stay anonymous.
How do you make money?
that's a bit secret but the other way that me and my friends at Shad0w Security make money is by doing security work.
i don't sell exploits but my friends at Shad0wS3C, they sell them at the dark web.
Explain how you find zero-day exploits.
simply, zero day or 0 day exploits are exploits that the public or the vendor of the software that got exploited doesn't know about.
Static and dynamic analysis always come in handy. Reading the source code of open-source software was always a good way to go. Otherwise binary analysis and fuzzing usually work.
as i said the public doesn't know they even exist until they are official. but it's ethical for whitehats since they notify the vendor and non-ethical for blackhats cause they sell it.
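The answer above names fuzzing as one way bugs get found before (or after) a vendor knows about them. The block below is an added example, not code from the interview or from Shad0wS3c, showing what that step looks like when pointed at code you own: a small record parser, its record format, its seed input and the defect it contains are all constructed here, and a hardened variant of the parser shows the bounds check that makes the same mutations produce a clean rejection instead of a crash.

```python
"""Mutation fuzzing of a small record parser, with a hardened version.

Added example (not from the interview or Shad0wS3c): the parser, its record
format, its seed input and the bug it contains are all constructed here to
show the "fuzzing" step on code you own. parse_records deliberately trusts
the length byte; parse_records_hardened adds the bounds check.
"""
import random

# Format (constructed): repeated [u8 length][payload][u8 checksum], where
# checksum = sum(payload) % 256.

def encode(payloads):
    """Build a valid byte stream from a list of payloads (each under 256 bytes)."""
    out = bytearray()
    for p in payloads:
        out.append(len(p))
        out += p
        out.append(sum(p) % 256)
    return bytes(out)

def parse_records(data):
    """Constructed parser with an intentional defect: it indexes the checksum
    byte using the untrusted length field, so a lying length raises IndexError
    instead of a clean ValueError."""
    records, i = [], 0
    while i < len(data):
        length = data[i]
        payload = data[i + 1 : i + 1 + length]
        checksum = data[i + 1 + length]          # out of range when length lies
        if sum(payload) % 256 != checksum:
            raise ValueError("bad checksum")
        records.append(bytes(payload))
        i += 2 + length
    return records

def parse_records_hardened(data):
    """Same format, but the length field is validated before it is used."""
    records, i = [], 0
    while i < len(data):
        length = data[i]
        if i + 1 + length >= len(data):          # payload or checksum would run past the end
            raise ValueError("truncated record")
        payload = data[i + 1 : i + 1 + length]
        if sum(payload) % 256 != data[i + 1 + length]:
            raise ValueError("bad checksum")
        records.append(bytes(payload))
        i += 2 + length
    return records

def mutate(data, rng):
    """Apply one random mutation: byte insert, bit flip, byte delete or truncate."""
    buf = bytearray(data)
    op = rng.choice(("flip", "insert", "delete", "truncate"))
    if op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf and op == "flip":
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif buf and op == "delete":
        del buf[rng.randrange(len(buf))]
    elif buf and op == "truncate":
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)

def fuzz(target, seeds, iterations=2000, seed=1, expected=(ValueError,)):
    """Run mutated seeds through target; return {exception name: first input}
    for every exception type that is not a documented malformed-input error."""
    rng = random.Random(seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except expected:
            continue                              # clean rejection, not a bug
        except Exception as exc:                  # anything else is a finding
            crashes.setdefault(type(exc).__name__, case)
    return crashes

if __name__ == "__main__":
    seeds = [encode([b"hello", b"ok"])]
    print("defective parser:", fuzz(parse_records, seeds))
    print("hardened parser:", fuzz(parse_records_hardened, seeds))
```

The fuzzer treats `ValueError` as the parser's documented way of rejecting bad input and records any other exception type as a finding, which is the same distinction a triage process makes between "malformed input handled" and "malformed input crashed us". Real fuzzers add coverage feedback and a growing corpus; this one only mutates the seeds, which is enough for a parser this small.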
How do hackers profit from selling zero-day and other exploits on the Dark Web?
well first things first, you need access to the tor browser, then there are like thousands of websites there as the normal internet has. just for a tip (the normal access you have using search engines and the known part of the internet is like 10%, the rest is the underground part also known as the Dark web). well once you open tor and know where you're going it's easy, using online currency systems like bitcoin you sell and buy stuff.
Who buys zero-day exploits and how big is the market?
it's the dark web, you don't know anything about the guy who is exchanging stuff with you, i mean that's why people love tor, it's completely anonymous, until recent times, the FBI and NSA are screwing things up for everyone.
depends on the 0day and the system it exploits. but this business is growing fast.
What can companies do to protect themselves from hackers selling zero-days?
that's hard to say since they don't know what the 0day exploits, they can't do anything, but if the hacker makes a mistake once he is inside their system, after that if they catch him, IF, they might know it and get it patched.
Governments and corporations, they have a very tight security but it's not that tight, but for starters they can hire security companies to check their systems, but let's face the fact that every time a virus gets out an anti-virus for it will be released and after that a virus that's capable of bypassing the current anti-virus will be created, that is just how things go, so it's hard to say when is safe.
Explain your penetration tactics.
Mostly i use exploits that gain me RCE but there's no easy way to do that, social engineering is also a good way to go.
first you need to have an RCE exploit, it's usually safer to use a remote exploit since it doesn't require physical presence, but it's bad if the server you're trying to hack has a honeypot (trap for
sometimes it's a bit fun to [spearfish] a politician.
Most memory corruption bugs are being mitigated (although they still exist and sometimes are exploitable), also most publicly exposed vulnerabilities are patched fast. The tactics that are currently en vogue depend on the hacker using them, some prefer old school remote exploitation exploits while others go for (spear)phishing and client side exploits.
there are many methods of talking to people around the web but we use custom-made tools.
you need to gather as much information as you can, reconnaissance is first, there are a couple of ways you could do that, what i would do will be use a reconnaissance method known as active reconnaissance, it requires i interact with the system to gain more details about it, why most hackers like this method is it's very accurate and useful but the main point here is "don't get detected", if a sys admin knows you're doing a reconnaissance against their system they might block your ip (use proxy or vpn, easy way to pass that) but also you might leave things about you that shouldn't be there. after reconnaissance try exploiting it, as i told u there are still some old bugs that work.
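The answer above says the main point of active reconnaissance is "don't get detected", and that a sysadmin who notices it will block the source. The block below is an added example, not code from the interview or from Shad0wS3c, of the defender's side of that exchange: a sliding-window check over connection logs that flags a source touching many distinct ports on one host in a short interval. The log format, the thresholds and the sample lines are all constructed for this example.

```python
"""Flag active reconnaissance (port sweeps) in connection logs.

Added example, not from the interview: a defender-side sliding-window check
that alerts when one source touches many distinct destination ports on one
host within a short interval. The log format, thresholds and sample lines
are all constructed for this example.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60     # assumed tuning values; adjust to your own traffic
PORT_THRESHOLD = 10

# Constructed sample: 198.51.100.5 is ordinary web traffic; 203.0.113.7 walks
# twelve ports on 192.0.2.10 in twelve seconds. Fields: epoch src dst dport action
SAMPLE_LOG = """\
1000 198.51.100.5 192.0.2.10 443 ALLOW
1001 203.0.113.7 192.0.2.10 21 DENY
1002 203.0.113.7 192.0.2.10 22 ALLOW
1003 203.0.113.7 192.0.2.10 23 DENY
1004 203.0.113.7 192.0.2.10 25 DENY
1005 198.51.100.5 192.0.2.10 80 ALLOW
1005 203.0.113.7 192.0.2.10 53 DENY
1006 203.0.113.7 192.0.2.10 80 ALLOW
1007 203.0.113.7 192.0.2.10 110 DENY
1008 203.0.113.7 192.0.2.10 135 DENY
1009 203.0.113.7 192.0.2.10 139 DENY
1010 203.0.113.7 192.0.2.10 143 DENY
1011 203.0.113.7 192.0.2.10 443 ALLOW
1012 203.0.113.7 192.0.2.10 445 DENY
1040 198.51.100.5 192.0.2.10 443 ALLOW
"""

def parse_line(line):
    """Split one constructed log line into (epoch, src, dst, dport, action)."""
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action

def detect_port_sweeps(lines, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Return {(src, dst): epoch} giving, for each source/destination pair, the
    moment its count of distinct ports inside `window` seconds first reached
    `threshold`. Lines are assumed to be in time order."""
    recent = defaultdict(deque)     # (src, dst) -> deque of (ts, port) inside the window
    alerts = {}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, src, dst, port, _action = parse_line(raw)
        key = (src, dst)
        q = recent[key]
        q.append((ts, port))
        while ts - q[0][0] > window:    # drop events that fell out of the window
            q.popleft()
        if key not in alerts and len({p for _, p in q}) >= threshold:
            alerts[key] = ts
    return alerts

if __name__ == "__main__":
    for (src, dst), ts in detect_port_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"port sweep from {src} against {dst}, threshold reached at t={ts}")
```

Counting distinct ports rather than raw connections is what separates a sweep from a busy but legitimate client that reconnects to the same service; denied and allowed connections are both counted, since a sweep through closed ports shows up mostly as denies. The note in the answer about proxies and VPNs is the reason a per-source threshold is only a first signal: the same logic keyed on destination alone catches a sweep spread across several sources.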
Let's say you get access to a system: What do you hope to find?
most hackers including me would look for usernames and passwords or emails, simply we look for things that no one should have access to except the owner.
What trends are emerging?
the one thing that's growing faster than anything is the technology, but also the more things get vulnerable to attacks, and experts, they are doing their best but the more of us emerge the less they have a chance to fight us.
hackers love IOT to build their botnets and the major problem with iot devices is not their vulnerability but the poor authentication. Poor authentication = user.admin password.admin
Phones, well they are good but when it comes to android there is dozens of malware around that can easily control it. That's why people like iphones, they are a bit hardcore.
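The answer above puts the IoT problem at "user.admin password.admin" rather than at any particular vulnerability. The block below is an added example, not code from the interview or from Shad0wS3c, of the corresponding control on the operator's side: a provisioning-time audit that refuses to put a device on the network while it still carries factory-default or trivially weak credentials. The device records, the list of known defaults and the strength thresholds are all constructed for this example; a real deployment would load the defaults from a maintained database.

```python
"""Reject factory-default and weak credentials at IoT device provisioning.

Added example, not from the interview. It models the mitigation for the
"admin/admin" problem the answer describes: every device record is checked
against a list of known factory defaults and a minimum-strength rule before
it is allowed onto the network. Device records, the default list and the
thresholds are constructed for this example.
"""
import math
from collections import Counter

# Constructed list of factory defaults (assumption: a real inventory would
# load this from a maintained database of vendor default credentials).
KNOWN_DEFAULTS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", "admin"), ("user", "user"), ("admin", ""),
}
MIN_LENGTH = 12            # assumed policy values
MIN_ENTROPY_BITS = 40.0

def shannon_entropy_bits(password):
    """Rough strength estimate: Shannon entropy of the character distribution
    multiplied by length, so a long password of one repeated character scores 0."""
    if not password:
        return 0.0
    n = len(password)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(password).values())
    return per_char * n

def check_credentials(username, password):
    """Return a list of findings; an empty list means the pair is acceptable."""
    findings = []
    if (username.lower(), password) in KNOWN_DEFAULTS:
        findings.append("factory-default credential pair")
    if len(password) < MIN_LENGTH:
        findings.append(f"password shorter than {MIN_LENGTH} characters")
    if username.lower() == password.lower():
        findings.append("password equals username")
    if shannon_entropy_bits(password) < MIN_ENTROPY_BITS:
        findings.append("password has low entropy")
    return findings

def audit_inventory(devices):
    """devices: iterable of dicts with 'id', 'username', 'password'.
    Returns {device id: findings} for every device that must not be provisioned."""
    report = {}
    for device in devices:
        findings = check_credentials(device["username"], device["password"])
        if findings:
            report[device["id"]] = findings
    return report

# Constructed inventory: two untouched factory accounts, one device with a
# long but single-character password, and one that passes.
SAMPLE_DEVICES = [
    {"id": "cam-01", "username": "admin", "password": "admin"},
    {"id": "cam-02", "username": "admin", "password": "Tq7#vL9pXr2$mWz"},
    {"id": "dvr-01", "username": "root", "password": "root"},
    {"id": "thermo-7", "username": "svc", "password": "aaaaaaaaaaaaaaaa"},
]

if __name__ == "__main__":
    for device_id, findings in audit_inventory(SAMPLE_DEVICES).items():
        print(f"{device_id}: refuse provisioning ({'; '.join(findings)})")
```

The check deliberately reports every failing rule rather than stopping at the first, so an operator sees that "admin/admin" fails as a known default, as too short, as equal to the username and as low entropy at once. The entropy rule is what catches the thermostat: sixteen characters satisfy the length policy, but a single repeated character carries no information, which is exactly the kind of password a bulk-provisioning script tends to produce.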
TechRepublic communicated with Gh0s7 using encrypted applications that allowed the hacker to remain anonymous. We have taken steps to validate the general nature of Gh0s7's statements, but of course cannot verify his claims. As always, TechRepublic does not condone illegal or unethical activity. Novices and experts alike should exercise care and caution when visiting the Dark Web. Offensive material can sometimes be just a click away. Browse at your own risk. Never break the law. Use the Dark Web and encryption safely and for legal purposes only.