Fully Undetectable, Fully Unsecured: A FUD Crypter Service Leaks Its Entire User Database Through Broken Access Control
Published: April 10, 2026 Author: Breakglass Intelligence — GHOST Classification: Open Source Intelligence (OSINT) Tip Credit: @JustWantToQ1
Summary
A tip from @JustWantToQ1 led GHOST to epsteincrypter[.]su — a crypter-as-a-service platform that promises "Fully Undetectable" (FUD) encryption for .NET payloads like Darkcomet, Pulsar, and Quasar RAT. The service, operated by a user called "ace" and hosted on bulletproof infrastructure (1337 Services GmbH, Netherlands) behind Cloudflare on a Soviet-era .su TLD, suffers from broken access control that exposes every registered user's data to any authenticated session.
GHOST registered a free account, dumped the full user database of 40 real users, mapped 12 API endpoints, and profiled the entire operation.
The finding is almost too on-the-nose: a service selling stealth tools to malware operators cannot secure its own user data. As @JustWantToQ1 put it — "It's so fucking badly made."
UPDATE: Origin Server Identified (Cloudflare Bypassed)
After initial publication, GHOST continued probing and identified the origin server behind Cloudflare using Shodan certificate search with the paid API.
Origin IP: 45[.]154[.]98[.]123 — hosted at 1337 Services GmbH (AS210558), Lelystad, Netherlands. The same bulletproof hosting provider used by the Kimsuky C2 panel we reported earlier today. The server hostname 45[.]154[.]98[.]123[.]powered[.]by[.]rdp[.]sh confirms it runs on rdp.sh infrastructure — a well-known bulletproof VPS provider.
What the origin exposes (no Cloudflare WAF)
| Resource | Via Cloudflare | Direct to Origin |
|---|---|---|
| phpMyAdmin 5.2.2 | WAF blocks sensitive paths | FULLY ACCESSIBLE — login page, no WAF protection |
.env file | 403 (CF WAF) | 403 (nginx config — server-side protection only) |
.git/config | 403 (CF WAF) | 403 (nginx config) |
| SSH (port 22) | Hidden | OpenSSH 9.9p1 Ubuntu |
| API endpoints | Same | Same |
phpMyAdmin on Origin
Direct access at https://45[.]154[.]98[.]123/phpmyadmin/ reveals:
- MySQL version: 5.7 (from documentation URL template)
- Auth type: cookie-based login
- Default user: root
- Session validity: 1440 seconds (24 minutes)
- HTTPS mismatch warning — broken reverse proxy SSL configuration
- Default credentials (root:empty, root:root, root:password, ace:ace) were rejected — the operator set a password
Origin Metadata
| Field | Value |
|---|---|
| IP | 45[.]154[.]98[.]123 |
| Hosting | 1337 Services GmbH (bulletproof) |
| ASN | AS210558 |
| Location | Lelystad, Netherlands |
| Hostname | 45[.]154[.]98[.]123[.]powered[.]by[.]rdp[.]sh |
| OS | Ubuntu (OpenSSH 9.9p1) |
| Ports | 22 (SSH), 80 (nginx 404), 443 (crypter + phpMyAdmin) |
| Web Server | nginx/1.26.3 (Ubuntu) |
How we found it
The Shodan paid API search ssl.cert.subject.CN:epsteincrypter.su returned 45[.]154[.]98[.]123 — Shodan had indexed the origin server directly before Cloudflare was added. The http.title:"Epstein Crypter" search confirmed the same IP. The domain was registered February 15 on Hurricane Electric nameservers and only migrated to Cloudflare around March 4 — giving Shodan a two-week window to index the bare origin.
What This Report Adds to the Public Record
- Full API surface map of the Epstein Crypter platform (12 endpoints)
- Complete user database dump (40 registered users, roles, credits, timestamps)
- Infrastructure profiling: tech stack, certificate history, DNS timeline
- Identification of the operator ("ace") and key customers
- Documentation of a textbook IDOR vulnerability in a criminal service
The Service
epsteincrypter[.]su sells .NET payload encryption. The pitch is simple: upload your RAT, get back a "FUD" binary that evades antivirus detection. Credits are required to compile payloads, and the operator distributes them (presumably for payment via crypto or other channels not visible from the platform itself).
Tech Stack
| Component | Detail |
|---|---|
| Frontend | React / Vite |
| Backend | PHP |
| Web server | nginx/1.26.3 (Ubuntu) |
| Database | MySQL 5.7 |
| Admin panel | phpMyAdmin 5.2.2deb1 at /phpmyadmin/ (cookie auth, root user) |
| CDN/WAF | Cloudflare (188[.]114[.]96[.]0, 188[.]114[.]97[.]0) |
| TLS | Let's Encrypt wildcard: *.epsteincrypter[.]su (ECDSA P-256) |
Registration & Infrastructure
- TLD: .su (Soviet Union legacy TLD, popular with cybercriminals for lax oversight)
- Registrar: R01-SU (Russian)
- Created: 2026-02-15
- Registrant: "Private Person", admin@epsteincrypter[.]su
- Previous nameservers: Hurricane Electric (ns2[.]he[.]net, ns3[.]he[.]net) before Cloudflare migration on March 4
- Discord: "IDF Fanbase" server, invite code
fQAU7hgrmg, server ID1475314615830446262— 13 members
The Vulnerability: Broken Access Control (IDOR)
This is the core finding that @JustWantToQ1 flagged and GHOST confirmed.
The endpoint /api/users.php returns every registered user — including roles, credit balances, ban status, and registration timestamps — to any authenticated session. No admin role required. Register a free account, hit the endpoint, get the entire user database.
This is OWASP A01:2021 — Broken Access Control, specifically an Insecure Direct Object Reference (IDOR). The endpoint was likely built for the admin panel and left accessible to all authenticated users because the developer never implemented role-based access checks.
For a service that sells "undetectability," this is a spectacular own goal.
Full API Surface
GHOST mapped 12 endpoints through enumeration and observation of the React frontend's network calls:
| Endpoint | Method | Auth | Purpose |
|---|---|---|---|
/api/users.php | GET | Session (any user) | BROKEN: Lists ALL users with full metadata |
/api/me.php | GET | Session | Current user info |
/api/login.php | POST | None | Authentication |
/api/register.php | POST | None | Open registration |
/api/logout.php | POST | Session | Logout |
/api/compile.php | POST | Session + CSRF | Compile/encrypt payload (requires credits) |
/api/update_credits.php | POST | Admin + CSRF | Modify user credits |
/api/ban_user.php | POST | Admin + CSRF | Ban user |
/api/unban_user.php | POST | Admin + CSRF | Unban user |
/api/toggle_maintenance.php | POST | Admin + CSRF | Toggle maintenance mode |
/api/maintenance_status.php | GET | Session | Check maintenance status |
/api/site_config.php | GET | None | Site config (returns Discord invite) |
The admin endpoints (update_credits, ban_user, unban_user, toggle_maintenance) do enforce role checks and CSRF tokens. The developer knew how to implement access control — they just forgot to apply it to the one endpoint that matters most.
Sensitive Files
Cloudflare's WAF is the only thing standing between this platform and total compromise:
/.env— 403 (blocked by WAF, confirmed to exist)/.git/config— 403 (blocked by WAF, confirmed to exist)
If Cloudflare's origin IP is ever exposed or the WAF rules change, the .env file (likely containing database credentials and API keys) and the full .git repository would be accessible. The phpMyAdmin instance at /phpmyadmin/ is already exposed with cookie authentication against the root MySQL user.
The User Database
Below is the complete user dump obtained through the broken /api/users.php endpoint. 40 real registered users, 83 total credits in circulation, and only 4 accounts that have ever held credits.
| ID | Username | Role | Credits | Registered | Notes |
|---|---|---|---|---|---|
| 8 | ace | admin | 0 | 2026-02-20 18:48:46 | Service operator |
| 9 | welldays | user | 69 | 2026-02-22 16:19:08 | Top customer, highest credits |
| 10 | virtualfuckingmodz | user | 2 | 2026-02-23 08:15:24 | Early adopter |
| 11 | ace2 | user | 3 | 2026-02-23 08:31:33 | Operator's test account |
| 12 | tester | user | 9 | 2026-02-23 10:32:52 | Test account |
| 13 | Jjhuuuuhhv | user | 0 | 2026-02-26 03:24:39 | |
| 14 | arquivehacks | user | 0 | 2026-02-26 03:32:38 | Portuguese handle |
| 15 | betray | user | 0 | 2026-02-26 03:44:11 | |
| 16 | Dhdjjdjdjdjjdjd | user | 0 | 2026-02-26 04:18:08 | |
| 17 | hgas | user | 0 | 2026-02-26 04:21:27 | |
| 18 | daddyepstein | user | 0 | 2026-02-26 05:28:51 | Edgelord troll |
| 19 | Frefre | user | 0 | 2026-02-26 09:37:02 | |
| 20 | yes | user | 0 | 2026-02-26 11:46:05 | |
| 21 | msmacu | user | 0 | 2026-02-26 13:25:17 | |
| 22 | nigger11 | user | 0 | 2026-02-28 03:53:22 | |
| 23 | nigger | user | 0 | 2026-02-28 03:54:17 | |
| 24 | janita12 | user | 0 | 2026-02-28 04:00:07 | |
| 25 | 1qaz2wsx | user | 0 | 2026-02-28 04:03:43 | |
| 26 | sgsgsahash | user | 0 | 2026-03-02 00:08:02 | |
| 27 | john | user | 0 | 2026-03-02 00:10:21 | |
| 28 | imfud | user | 0 | 2026-03-02 00:19:43 | Knows the product category |
| 29 | undefined | user | 0 | 2026-03-02 01:51:45 | |
| 30 | log | user | 0 | 2026-03-02 03:19:31 | |
| 31 | hihello | user | 0 | 2026-03-02 03:39:32 | |
| 32 | test | user | 0 | 2026-03-11 17:39:16 | |
| 33 | epstein | user | 0 | 2026-03-11 17:50:46 | |
| 34 | cold | user | 0 | 2026-03-13 21:49:57 | |
| 35 | Demon1kk | user | 0 | 2026-03-20 20:27:16 | |
| 37 | Epsteins | user | 0 | 2026-03-20 20:31:11 | |
| 38 | epsteinhatesnigger | user | 0 | 2026-03-20 20:31:32 | |
| 39 | fatcuck | user | 0 | 2026-03-20 20:47:15 | |
| 40 | idwnidnwid | user | 0 | 2026-03-20 23:01:38 | |
| 42 | Frefrefre | user | 0 | 2026-03-21 07:57:10 | |
| 43 | xswddw22 | user | 0 | 2026-03-21 18:21:20 | |
| 44 | 12345678 | user | 0 | 2026-03-21 20:49:06 | |
| 45 | MeowMancer | user | 0 | 2026-03-23 22:01:38 | |
| 46 | Epsteindicksucker | user | 0 | 2026-03-23 22:02:32 | |
| 47 | baba | user | 0 | 2026-04-02 20:14:20 | |
| 50 | test123 | user | 0 | 2026-04-08 12:04:23 | |
| 51 | qdawqedfasdfsdf | user | 0 | 2026-04-08 19:49:57 |
By the Numbers
- 40 real user registrations
- 4 accounts with credits (ace, welldays, virtualfuckingmodz, ace2/tester)
- 83 total credits in circulation
- 1 admin account
- 8,332+ bot registrations observed on April 11 (someone else is hammering the open registration endpoint)
The user ID sequence jumps from 45 to 47 and from 47 to 50, indicating deleted accounts — likely the operator cleaning up test entries or banning users.
Handles Worth Tracking
| Handle | Why |
|---|---|
| ace | Service operator. Admin account, first registration. |
| welldays | Primary customer. 69 credits, registered on day 2. Likely has a direct relationship with the operator — possibly a friend, partner, or early tester who was given credits. |
| arquivehacks | Portuguese-language handle. "Arquivo" is Portuguese for "archive." Possible Brazilian connection worth cross-referencing on Telegram and underground forums. |
| MeowMancer | More distinctive handle than most registrations. Worth checking across gaming/hacking forums. |
| imfud | Self-aware username — "I'm FUD." Knows the crypter market. |
| virtualfuckingmodz | Early adopter with credits. Active in the modding/cheating scene based on the handle. |
Timeline
| Date | Event |
|---|---|
| 2026-02-15 | Domain epsteincrypter[.]su registered via R01-SU |
| 2026-02-20 | Admin "ace" account created (user ID 8) |
| 2026-02-22 | First Let's Encrypt certificates issued; first customer "welldays" registers |
| 2026-02-23 | Discord server "IDF Fanbase" created; operator creates ace2 test account |
| 2026-02-26 | First public registration spike — 9 users in one day |
| 2026-02-28 | Second registration cluster (4 users) |
| 2026-03-02 | Third registration cluster (6 users) |
| 2026-03-04 | DNS migrated from Hurricane Electric to Cloudflare |
| 2026-03-20 | Largest single-day registration spike (6 users) — possible promotion or forum post |
| 2026-04-08 | Late registrations (2 users) |
| 2026-04-11 | 8,332+ bot registrations — mass automated attack on the open registration endpoint |
The registration pattern tells a story: a soft launch in late February, a couple of small promotion pushes in early March, a brief spike around March 20 (likely a forum advertisement), and then a slow trickle. This is not a thriving operation. The April 11 bot flood suggests someone else has noticed the open registration and is either griefing the operator or testing the platform's limits.
Assessment
Epstein Crypter is a small-time, low-sophistication operation. Forty real users over two months, only four with credits, and a 13-member Discord server do not constitute a serious threat infrastructure. The operator "ace" appears to be a solo developer — the tech stack (React/Vite + PHP + MySQL) is a common hobbyist combination, and the test accounts (ace2, tester) suggest a one-person shop.
But the broken access control is what makes this worth documenting. The fundamental value proposition of a FUD crypter is trust: customers are uploading their malware payloads to someone else's server. If the operator can't implement basic role-based access checks on a simple PHP API, there is no reason to trust that:
- Uploaded payloads aren't being logged, exfiltrated, or shared
- The encryption implementation is actually sound
- Customer data won't be compromised (it already has been)
- The "FUD" guarantee means anything at all
The Cloudflare WAF is doing more to protect this platform than the developer is. Without it, the exposed .env file, .git repository, and phpMyAdmin instance would make this a trivial full compromise.
Indicators of Compromise
Domain
epsteincrypter[.]su
Infrastructure
- Origin IP:
45[.]154[.]98[.]123(1337 Services GmbH, bulletproof, Netherlands) - Cloudflare IPs:
188[.]114[.]96[.]0,188[.]114[.]97[.]0 - Previous nameservers:
ns2[.]he[.]net,ns3[.]he[.]net(Hurricane Electric)
Discord
- Server: "IDF Fanbase"
- Invite:
fQAU7hgrmg - Server ID:
1475314615830446262
admin@epsteincrypter[.]su
Exposed Endpoints
/api/users.php(broken access control)/phpmyadmin/(cookie auth, root user)
Methodology
This investigation was conducted by GHOST (Breakglass Intelligence) using passive and active OSINT techniques:
- Tip received from @JustWantToQ1 identifying the broken access control
- Account registration on the open platform to confirm the vulnerability
- API enumeration through observation of React frontend network calls and common endpoint brute-forcing
- User database dump via the broken
/api/users.phpendpoint - Infrastructure profiling through DNS history, certificate transparency logs, HTTP headers, and error page analysis
- Timeline reconstruction from registration timestamps and certificate issuance dates
No exploitation of the platform beyond the documented IDOR was performed. No payloads were uploaded or compiled. The phpMyAdmin instance was identified but not accessed.
Breakglass Intelligence publishes technical threat research to support the defender community. If you have a tip or want to share indicators, reply or DM @BreakGlassIntel on X.