From 'Hello Honeypot' to Real Name: Deanonymizing the Masjesu Botnet Operator Through GitHub Commit Emails

Full deanonymization of the Masjesu/XorBot botnet operator through GitHub commit emails, linking IoT DDoS, Minecraft stealing, and Discord token theft to a single Turkish national.

PublishedApril 11, 2026

masjesuxorbotmiraiddosbotnetiotdeanonymizationattributionturkeyeasyfor-meminecraft-stealerdiscord-stealer

TL;DR

On April 11, 2026, we deanonymized the operator behind the Masjesu/XorBot botnet — a Mirai-derivative IoT DDoS botnet capable of ~290 Gbps floods across UDP, TCP, VSE, GRE, RDP, OSPF, and ICMP protocols. The actor is Seyit Girgin, a Turkish national operating from at least two GitHub accounts, multiple Telegram channels, and a constellation of criminal infrastructure spanning DDoS-for-hire, game credential theft, and Discord token stealing with credit card hooks.

The attribution chain started with a taunt embedded in a honeypot-targeting script — "Looks like you are a honeypot, this tool was made by t.me/flylegit!" — and ended at a real name, email address, and cross-linked criminal operations. Here's how:

The C2 at 85[.]11[.]167[.]182 serves XorBot payloads for 17 CPU architectures
A neighboring IP in the same /24 (85[.]11[.]167[.]194) hosts easyfor[.]me — a Minecraft account stealer site
easyfor[.]me traces to GitHub repo SeyitGit/EasyforMe (a Java stealer, blocked by GitHub TOS in April 2025)
The SeyitGit profile lists "Seyit Girgin" as the real name, Turkey as the location, and @IseyitThe as a linked Twitter handle
The IseyitThe GitHub account contains commits signed with iseyitthe@gmail[.]com
SeyitGit also hosts SeyitGit/xo — a Discord token stealer (XO v4.1.5) with a Stripe credit card harvesting hook and "Seyit" hardcoded as the author

The same individual operates a DDoS botnet, a Minecraft stealer service, and a Discord token stealer with financial fraud capabilities — all linked through shared infrastructure and a single GitHub identity.

What this report adds to the public record

Trellix published "Masjesu Rising" in April 2026, documenting the botnet's DDoS capabilities, protocol support, and self-propagation mechanisms. NSFOCUS first documented XorBot in December 2023, and Akamai provided additional technical analysis of the variant family. SecurityWeek, Hacker News, SecurityAffairs, and GBHackers all covered the Trellix findings.

What our investigation adds:

First public real-name attribution of the Masjesu/XorBot operator — Seyit Girgin, Turkey — derived entirely from open-source pivots
GitHub commit email chain linking the botnet C2 infrastructure to named accounts (SeyitGit, IseyitThe) via shared /24 hosting and domain registration
Dual-operation discovery connecting the DDoS botnet to a completely separate criminal enterprise: Minecraft account stealing (easyfor[.]me) and Discord token theft with Stripe CC hooks (XO v4.1.5)
Full infrastructure map including relay nodes, typosquatted domains (hotemail[.]asia), and external C2 addresses not previously reported
Telegram channel correlation linking @flylegit (249 subscribers), @EasyforMeAnnouncements (259 subscribers), and @synmaestr0 to the same operator

None of the existing public reporting — Trellix, NSFOCUS, Akamai, or media coverage — includes the real name, the GitHub attribution chain, the dual-operation connection, or the XO Discord stealer. These IOCs are not yet in ThreatFox or MalwareBazaar.

If you've already published reporting on Masjesu/XorBot attribution, the easyfor[.]me stealer, or the XO Discord token stealer, please reply or DM — we'll update and credit.

The Attribution Chain

Step 1: The Honeypot Taunt

Analysis of iran.sh4, a payload delivery script served by the botnet infrastructure, revealed an embedded binary string:

Looks like you are a honeypot, this tool was made by t.me/flylegit!

The Telegram channel t.me/flylegit (249 subscribers) advertises DDoS tools, botnet access, and related services. This was the first thread to pull.

Step 2: C2 Infrastructure Mapping

The primary C2 server at 85[.]11[.]167[.]182 runs a Go-based SSH service on port 1337 and Apache on port 80. The HTTP service hosts compiled XorBot payloads for 17 CPU architectures — the standard Mirai-lineage approach to maximizing IoT device coverage across ARM, MIPS, x86, PowerPC, SPARC, Motorola 68k, and other embedded platforms.

The C2 sits in AS213438 (ColocaTel / SOFCOMPANY, Sofia, Bulgaria).

Step 3: The /24 Pivot — easyfor[.]me

Scanning the surrounding /24 netblock revealed that 85[.]11[.]167[.]194 — just 12 addresses away from the botnet C2 — hosts easyfor[.]me and log[.]easyfor[.]me. The site operates as a Minecraft account stealer service, distributing a Java-based credential harvester targeting Minecraft players.

Same /24, same ASN, same operator.

Step 4: GitHub — SeyitGit/EasyforMe

The domain easyfor[.]me maps directly to the GitHub repository SeyitGit/EasyforMe — a Java stealer project that was blocked by GitHub for TOS violations in April 2025. The repository description and functionality match the stealer service hosted at the domain.

Step 5: Real Name Extraction

The SeyitGit GitHub profile (user ID 114294892) provides:

Name: Seyit Girgin
Location: Turkey
Twitter/X: @IseyitThe

Step 6: Commit Email Recovery

The linked Twitter handle led to a second GitHub account: IseyitThe (user ID 69308754). Git commits on this account are signed with the email address iseyitthe@gmail[.]com. The Discord handle iseyitthe was also recovered from profile metadata.

Step 7: The Discord Stealer — XO v4.1.5

The SeyitGit account also hosts SeyitGit/xo — a Discord token stealer branded as XO v4.1.5. This is not a simple token grabber. The tool includes:

Discord token extraction from browser local storage and LevelDB databases
Stripe credit card harvesting hook — intercepts payment card data entered through Discord Nitro purchases and billing flows
"Seyit" hardcoded as author in the source code

This connects the botnet operator to a third criminal operation: financial fraud via intercepted payment card data.

Actor Profile

Attribute	Value
Real Name	Seyit Girgin
Country	Turkey
Email	iseyitthe@gmail[.]com
Telegram (current)	@synmaestr0
Telegram (botnet)	t.me/flylegit (249 subscribers)
Telegram (stealer)	t.me/EasyforMeAnnouncements (259 subscribers)
Discord	iseyitthe
GitHub (primary)	SeyitGit (ID 114294892)
GitHub (secondary)	IseyitThe (ID 69308754)

Criminal Operations

Operation	Description
Masjesu/XorBot Botnet	Mirai-derivative IoT DDoS botnet, ~290 Gbps capacity, 17 architectures
EasyforMe	Java-based Minecraft account stealer (easyfor[.]me)
XO v4.1.5	Discord token stealer with Stripe CC harvesting hook
Login Grabber	Credential harvesting tools
Game Cheats	Cheat tool distribution
Free RDP Abuse	Leveraging free RDP services for infrastructure
Exploit Hosting	havocnodes[.]lol (suspended)

Botnet Technical Capabilities

Based on Trellix's "Masjesu Rising" report and our independent analysis:

DDoS Methods

Method	Protocol	Notes
UDP Flood	UDP	Standard volumetric
TCP Flood	TCP	SYN/ACK variants
VSE Flood	UDP	Valve Source Engine query amplification
GRE Flood	GRE	Generic Routing Encapsulation
RDP Flood	UDP/TCP	Remote Desktop Protocol
OSPF Flood	OSPF	Routing protocol disruption
ICMP Flood	ICMP	Ping flood

Propagation

The botnet self-propagates by exploiting known vulnerabilities in consumer and SOHO networking equipment:

D-Link routers (multiple CVEs)
GPON fiber terminals
Huawei home gateways
Netgear routers
TP-Link routers

Evasion

XOR-based encryption for C2 communications (the "Xor" in XorBot)
Government IP avoidance — the bot explicitly skips Department of Defense and other US government IP ranges
Honeypot detection — the iran.sh4 taunt string indicates active honeypot fingerprinting

Victim Geography

Traffic observed from compromised devices in:

Vietnam (~50% of bot traffic)
Ukraine
Iran
Brazil
Kenya
India

Infrastructure

Primary Infrastructure

IP	Service	Role	Details
`85[.]11[.]167[.]182`	Go SSH (1337), Apache (80)	Botnet C2	LIVE — serves payloads for 17 architectures
`85[.]11[.]167[.]194`	HTTP	Stealer infrastructure	Hosts easyfor[.]me + log[.]easyfor[.]me
`85[.]11[.]167[.]180`	HTTP	Relay node	relay[.]hotemail[.]asia

All three IPs are in AS213438 (ColocaTel / SOFCOMPANY, Sofia, Bulgaria).

External Infrastructure

IP	Service	Role	Details
`45[.]153[.]34[.]252`	HTTP	External C2	blackmirror[.]hotemail[.]asia (12/94 VT detections)

Domains

Domain	Purpose	Notes
`easyfor[.]me`	Minecraft stealer	Links to SeyitGit/EasyforMe GitHub repo
`hotemail[.]asia`	C2 relay	Typosquat of hotmail — relay and blackmirror subdomains
`shopanatolia[.]com`	Unknown	rDNS across the /24 — "Anatolia" consistent with Turkish operator
`havocnodes[.]lol`	Exploit hosting	Suspended

The domain shopanatolia[.]com appearing in reverse DNS records across the /24 is notable — "Anatolia" is the historical name for the Asian portion of Turkey, consistent with the operator's documented Turkish origin.

Detection Guidance

Network Signatures

SSH connections to port 1337 on 85[.]11[.]167[.]182
HTTP requests fetching ELF binaries for multiple architectures from a single host
DNS queries for hotemail[.]asia subdomains (typosquat indicator)
DNS queries for easyfor[.]me or log[.]easyfor[.]me
Traffic to 45[.]153[.]34[.]252 (blackmirror[.]hotemail[.]asia, 12/94 VT)

Host Indicators

Binary strings containing "Looks like you are a honeypot, this tool was made by t.me/flylegit!"
XOR-encrypted C2 beacon traffic
ELF binaries compiled for 17+ architectures dropped in /tmp/ or writable directories
Process names mimicking system services on embedded Linux devices

YARA

rule Masjesu_XorBot_Honeypot_Taunt {
    meta:
        description = "Masjesu/XorBot botnet payload with honeypot detection taunt"
        author = "GHOST - Breakglass Intelligence"
        date = "2026-04-11"
        reference = "https://intel.breakglass.tech"
    strings:
        $taunt = "Looks like you are a honeypot" ascii
        $tg = "t.me/flylegit" ascii
        $xor_1 = "xorbot" ascii nocase
        $xor_2 = "masjesu" ascii nocase
    condition:
        uint32(0) == 0x464C457F and (any of ($taunt, $tg) or any of ($xor_*))
}

rule XO_Discord_Stealer_Seyit {
    meta:
        description = "XO Discord token stealer with Stripe CC hook - Seyit Girgin"
        author = "GHOST - Breakglass Intelligence"
        date = "2026-04-11"
        reference = "https://intel.breakglass.tech"
    strings:
        $author = "Seyit" ascii wide
        $stripe = "stripe" ascii wide nocase
        $discord_1 = "discord" ascii wide nocase
        $discord_2 = "token" ascii wide nocase
        $xo = "XO v4" ascii wide
    condition:
        3 of them
}

IOC Summary

Network IOCs

Type	Value	Context
IP	`85[.]11[.]167[.]182`	Botnet C2 — Go SSH on 1337, Apache on 80
IP	`85[.]11[.]167[.]194`	Stealer infra — easyfor[.]me + log[.]easyfor[.]me
IP	`85[.]11[.]167[.]180`	Relay — relay[.]hotemail[.]asia
IP	`45[.]153[.]34[.]252`	External C2 — blackmirror[.]hotemail[.]asia (12/94 VT)
Domain	`easyfor[.]me`	Minecraft account stealer
Domain	`log[.]easyfor[.]me`	Stealer exfil endpoint
Domain	`hotemail[.]asia`	C2 relay domain (hotmail typosquat)
Domain	`relay[.]hotemail[.]asia`	Relay node
Domain	`blackmirror[.]hotemail[.]asia`	External C2 node
Domain	`shopanatolia[.]com`	rDNS across /24, Turkish operator
Domain	`havocnodes[.]lol`	Exploit hosting (suspended)
ASN	AS213438	ColocaTel / SOFCOMPANY, Sofia, Bulgaria

Actor IOCs

Type	Value
Real Name	Seyit Girgin
Email	iseyitthe@gmail[.]com
Telegram	@synmaestr0
Telegram	t.me/flylegit (249 subs)
Telegram	t.me/EasyforMeAnnouncements (259 subs)
Discord	iseyitthe
GitHub	SeyitGit (ID 114294892)
GitHub	IseyitThe (ID 69308754)
Twitter/X	@IseyitThe
Country	Turkey

MITRE ATT&CK

ID	Technique	Evidence
T1583.003	Acquire Infrastructure: Virtual Private Server	Bulgarian VPS (AS213438) for C2 and stealer hosting
T1583.001	Acquire Infrastructure: Domains	hotemail[.]asia (typosquat), easyfor[.]me, shopanatolia[.]com
T1584.005	Compromise Infrastructure: Botnet	~290 Gbps IoT DDoS botnet across 17 architectures
T1190	Exploit Public-Facing Application	D-Link, GPON, Huawei, Netgear, TP-Link exploit propagation
T1059.004	Command and Scripting: Unix Shell	iran.sh4 payload delivery script
T1573.001	Encrypted Channel: Symmetric Cryptography	XOR-based C2 encryption
T1498.001	Network Denial of Service: Direct Network Flood	UDP, TCP, ICMP, GRE, OSPF floods
T1498.002	Network Denial of Service: Reflection Amplification	VSE (Valve Source Engine) amplification
T1021.004	Remote Services: SSH	Go SSH service on port 1337 for bot management
T1036.005	Masquerading	Botnet binaries mimicking system process names
T1082	System Information Discovery	Honeypot fingerprinting in payloads
T1528	Steal Application Access Token	XO Discord token stealer
T1555.003	Credentials from Web Browsers	EasyforMe Minecraft credential theft
T1056	Input Capture	XO Stripe CC hook intercepting payment data

Prior Art & References

Source	Contribution
Trellix	"Masjesu Rising" (April 2026) — botnet capabilities, DDoS methods, propagation analysis
NSFOCUS	Original XorBot documentation (December 2023) — first public identification of the variant family
Akamai	Additional XorBot variant analysis
BlinkzSec	MalwareBazaar sample reporter (h/t)
SecurityWeek, Hacker News, SecurityAffairs, GBHackers	Media coverage of Trellix findings

Attribution

Seyit Girgin — Turkey — HIGH confidence

Binary taunt string in botnet payload references t.me/flylegit
C2 IP 85[.]11[.]167[.]182 shares /24 with stealer IP 85[.]11[.]167[.]194 (easyfor[.]me)
easyfor[.]me maps to GitHub repository SeyitGit/EasyforMe (TOS-blocked April 2025)
SeyitGit profile: real name "Seyit Girgin", location "Turkey", Twitter @IseyitThe
IseyitThe GitHub commits signed with iseyitthe@gmail[.]com
SeyitGit/xo Discord stealer has "Seyit" hardcoded as author
rDNS shopanatolia[.]com across the /24 — "Anatolia" consistent with Turkish origin
Infrastructure pattern: single /24 block hosting botnet C2, stealer service, and relay nodes

Methodology Disclaimer

This investigation employed passive intelligence collection (VirusTotal, GitHub, Shodan InternetDB, DNS, WHOIS, reverse DNS, Telegram channel metadata, MalwareBazaar, certificate transparency) and active inspection of services publicly accessible without authentication. Where the C2 server and associated infrastructure returned content in response to unauthenticated HTTP requests, that content was collected and analyzed. The /24 network scan examined only publicly exposed services. GitHub profiles and commit metadata are public by design. No destructive actions were taken. No customer data was exfiltrated. No services were disrupted.

GHOST — Breakglass Intelligence "One indicator. Total infrastructure."