Mapping a Ransomware-as-a-Service Panel Without Logging In: How CSS Comments in Chinese Exposed HYFLOCK's Entire Architecture
A previously unreported RaaS platform on Tor with Chinese developer comments, Russian marketing, open affiliate registration, and a victim negotiation workflow
We didn't need credentials. We didn't need an exploit. We needed the developer to leave 94 lines of Simplified Chinese comments in an 8,112-line CSS file that described every component of their ransomware platform.
HYFLOCK is a previously unreported Ransomware-as-a-Service operation running exclusively on Tor at e5hdifgit6ua7k4ggmltume7kbyryksdnlrkc55we33fnshgxfeqgsyd[.]onion. It does not appear in ThreatFox, MalwareBazaar, RansomLook, Ransomware.live, or any vendor reporting we checked. This is the first public documentation.
The CSS Tells All
The panel's login page serves a monolithic CSS file -- 8,112 lines of styling for a UI we couldn't see behind the authentication wall. But CSS class names and the developer's comments told us everything.
The comments are in Simplified Chinese. They describe:
- The ransom negotiation interface layout
- Payment tracking dashboard components
- Chat room styling for victim communications
- Payload generator form elements
- Data leak site preview cards
CSS class enumeration -- mapping every .class-name in the stylesheet -- revealed the complete platform architecture without ever authenticating. The developer styled components that only authenticated users should see, but served the stylesheet to everyone.
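As an added illustration of the enumeration described above (not the authors' tooling), this Python pairs each rule's class names with the nearest preceding Simplified Chinese developer comment; the sample stylesheet, its comments and class names are constructed, not taken from the HYFLOCK file.

```python
import re

# Constructed sample standing in for the 8,112-line stylesheet; comments in
# Simplified Chinese as on the HYFLOCK panel, class names are illustrative.
SAMPLE_CSS = """
/* 谈判聊天室布局 */
.chat-room { display: flex; }
.chat-room .offer-card { border: 1px solid #333; }
/* 付款追踪面板 */
.payment-dashboard { width: 100%; }
.payment-dashboard .status-pending { color: orange; }
/* 勒索软件生成器表单 */
.generator-form .deploy-btn { background: red; }
/* generic reset, not component-specific */
.hidden { display: none; }
"""

CJK_RE = re.compile(r'[\u4e00-\u9fff]')          # CJK Unified Ideographs
COMMENT_RE = re.compile(r'/\*(.*?)\*/', re.S)
CLASS_RE = re.compile(r'\.([A-Za-z_][\w-]*)')     # .class-name in a selector
# Either a comment or one "selector { declarations }" rule, in document order.
TOKEN_RE = re.compile(r'/\*(.*?)\*/|([^{}/]+)\{[^}]*\}', re.S)

def extract_comments(css, cjk_only=True):
    """Comment bodies in order; with cjk_only, only those containing CJK ideographs."""
    comments = [c.strip() for c in COMMENT_RE.findall(css)]
    return [c for c in comments if CJK_RE.search(c)] if cjk_only else comments

def enumerate_classes(css):
    """Sorted unique class names from selectors (comments and declaration blocks stripped)."""
    selectors = re.sub(r'\{[^}]*\}', '', COMMENT_RE.sub('', css))
    return sorted(set(CLASS_RE.findall(selectors)))

def map_components(css):
    """Attach each rule's classes to the nearest preceding CJK comment.
    Rules after a non-CJK comment (or none) are keyed under None."""
    components, current = {}, None
    for m in TOKEN_RE.finditer(css):
        comment, selector = m.group(1), m.group(2)
        if comment is not None:
            current = comment.strip() if CJK_RE.search(comment) else None
        else:
            components.setdefault(current, set()).update(CLASS_RE.findall(selector))
    return {k: sorted(v) for k, v in components.items()}

if __name__ == "__main__":
    print(len(extract_comments(SAMPLE_CSS)), "CJK comments;", len(enumerate_classes(SAMPLE_CSS)), "classes")
    for comment, classes in map_components(SAMPLE_CSS).items():
        print(f"{comment or '(no component comment)'}: {', '.join(classes)}")
```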
The Architecture
HYFLOCK implements the full RaaS lifecycle:
Payload Builder
Affiliates generate custom ransomware builds through the panel. CSS classes reference a generator form with configuration options, a deploy button for one-click deployment, and build status tracking. The builder's form elements suggest that affiliates can customize encryption parameters, ransom note content, and target selection.
Victim Negotiation
A dual-portal system separates affiliates from victims:
- Affiliate login: Username/password authentication (login_type=attacker)
- Victim portal: Room code entry (target_id) via an "ENTER ROOM" button
Once inside, victims negotiate with affiliates through real-time chat rooms. The CSS reveals a structured offer workflow:
- Affiliate sends initial ransom demand
- Victim can accept or counter-offer
- Counter-offers require admin approval before the affiliate sees them
- Status tracking: pending acceptance, rejected, admin review, completed
The admin approval gate on counter-offers is a business control -- the RaaS operators ensure affiliates don't accept lowball offers that would reduce the platform's revenue share.
Data Leak Site
The panel includes a leak site with:
- Screenshot previews of stolen data
- ZoomInfo enrichment for victim company intelligence (employee count, revenue, industry)
- File listings organized by category
- Public/private toggle for selective disclosure (pressure escalation)
Cryptocurrency Payments
Three payment options: Bitcoin (BTC), Zcash (ZEC), and Monero (XMR). The inclusion of both ZEC and XMR -- privacy-focused cryptocurrencies -- alongside BTC gives victims options while maintaining the operator's financial privacy.
Chinese Development, Russian Marketing
The 94 Chinese comments describe UI components with technical precision -- this is a developer documenting their own code, not a translation. The panel UI itself renders in English and Russian, with Russian being the primary interface language based on button text and navigation elements.
This Chinese-developer, Russian-operator nexus is noteworthy. The RaaS ecosystem has historically been dominated by Russian-speaking groups (LockBit, BlackCat/ALPHV, RansomHub, Akira). A Chinese development team building tooling for Russian-speaking affiliates suggests either a contract development arrangement or a cross-border criminal partnership.
Open Registration
The panel's login page includes registration functionality -- HYFLOCK is actively recruiting new affiliates. The registration form and affiliate onboarding flow are styled in the CSS, indicating a mature sign-up process rather than an invite-only operation.
Security Posture
Unlike many criminal panels we investigate, HYFLOCK demonstrates professional security practices:
- Strict Content Security Policy headers
- X-Frame-Options DENY (prevents clickjacking)
- CSRF tokens on all forms
- Catch-all authentication redirects (no unauthenticated page leaks except the CSS)
- Custom CAPTCHA-based DDoS protection on the Tor entry point
The irony is that their operational security is undermined by a single CSS file that their developer commented too thoroughly.
What We Don't Know
Without authentication, we cannot determine:
- The number of active affiliates
- Current or past victims
- Ransom amounts demanded or paid
- The specific ransomware binary used
- Whether any victims have been listed on the leak site
These details exist behind the login wall. The CSS tells us the containers exist -- it doesn't fill them with data.
Indicators of Compromise
Network Indicators
e5hdifgit6ua7k4ggmltume7kbyryksdnlrkc55we33fnshgxfeqgsyd[.]onion (Tor hidden service)
Fingerprinting
- 8,112-line CSS with Simplified Chinese developer comments
- Dual-portal login (attacker/victim)
- "ENTER ROOM" victim portal with target_id parameter
- BTC/ZEC/XMR payment options
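An added example (not the published YARA/Suricata rules) that scores fetched page content against the fingerprinting indicators listed above; the weights, the CJK comment threshold and the sample HTML/CSS are my own assumptions, constructed for the demonstration.

```python
import re

CJK_RE = re.compile(r'[\u4e00-\u9fff]')
COMMENT_RE = re.compile(r'/\*(.*?)\*/', re.S)

# Page-content indicators from the Fingerprinting list above. Weights are my
# own assumption: the dual-portal login field and the CJK comments are the
# most distinctive, a BTC/ZEC/XMR list alone is shared with other panels.
HTML_INDICATORS = {
    "dual_portal_login": (re.compile(r'login_type[^>]{0,40}attacker', re.I), 3),
    "enter_room_button": (re.compile(r'ENTER\s+ROOM', re.I), 2),
    "target_id_param":   (re.compile(r'\btarget_id\b'), 2),
    "btc_zec_xmr":       (re.compile(r'(?=.*\bBTC\b)(?=.*\bZEC\b)(?=.*\bXMR\b)', re.I | re.S), 1),
}
CJK_COMMENT_WEIGHT = 3

def cjk_comment_count(css):
    """Number of /* ... */ comments containing at least one CJK ideograph."""
    return sum(1 for c in COMMENT_RE.findall(css) if CJK_RE.search(c))

def fingerprint(html, css, min_cjk_comments=10):
    """Score fetched HTML + CSS against the indicators; returns (score, matched).
    min_cjk_comments=10 is an assumed threshold (the HYFLOCK file carried 94)."""
    score, matched = 0, []
    for name, (rx, weight) in HTML_INDICATORS.items():
        if rx.search(html):
            score += weight
            matched.append(name)
    n = cjk_comment_count(css)
    if n >= min_cjk_comments:
        score += CJK_COMMENT_WEIGHT
        matched.append(f"cjk_css_comments={n}")
    return score, matched

# Constructed sample content, not captured from the live panel.
SAMPLE_HTML = ('<form><input name="login_type" value="attacker">'
               '<input name="target_id"><button>ENTER ROOM</button>'
               '<p>Pay in BTC, ZEC or XMR</p></form>')
SAMPLE_CSS = "/* 聊天室布局 */ .chat-room { display: flex; }\n" * 12
BENIGN_HTML = "<html><body><h1>Welcome</h1></body></html>"
BENIGN_CSS = "/* reset */ body { margin: 0; }"

if __name__ == "__main__":
    print(fingerprint(SAMPLE_HTML, SAMPLE_CSS))   # every indicator matched
    print(fingerprint(BENIGN_HTML, BENIGN_CSS))   # nothing matched
```

A match on the crypto list alone should not trigger an alert; treat the login field, the room-code parameter and the CJK-commented stylesheet as the indicators worth paging on.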
Detection
Two YARA rules (HTML fingerprint and CSS Chinese comment detection) and four Suricata signatures are available on our GitHub:
h/t @fbgwls245 (Bitshadow) for the initial identification of the HYFLOCK panel.