Durov’s visit to Azerbaijan

When Pavel Durov, Telegram’s founder, was detained in France, the first thing I noticed was that he had arrived in France from Azerbaijan. Naturally, the first question that came to mind was what Durov was doing in Azerbaijan. Thanks to his assistant Julia Vavilova or Juli Maletc, as she is known on Instagram, that question was answered in a few stories in Vavilova’s highlights titled “Azeri.”

Instagram screenshot

Durov did appear to visit the Cyber Security Center at the Ministry of Digital Development and Transport. The center’s website describes it as follows:

The center, established with the support of PASHA Holding group of companies to strengthen the country’s cyber security capabilities, will play the role of the main center for training highly qualified professionals and trainers in this field. It is planned to train more than 1000 people within three years at the Azerbaijan Cyber Security Center, which started its activity on 28 March 2023. At the same time, thanks to the training of 15 trainers at the center, the training of cyber security specialists will be expanded in our country in the future.

Professional teaching staff from Israel, which is considered one of the world’s leading countries in the region in the field of cyber security, will arrive in Azerbaijan and provide trainees with knowledge and skills covering the latest cyber security threats, trends and best practices.

The center has classrooms, training rooms, simulation rooms and laboratories equipped with state-of-the-art technology and equipment. Students will be able to conduct research in these labs and develop various cyber security products.

There are a few interesting points about this text. First, there is PASHA Holding, which the Organized Crime and Corruption Reporting Project (OCCRP) describes as “a conglomerate with interests in banking, as well as construction, insurance, travel, and investments,” owned by Arif Pashayev, the father of First Lady Mehriban Aliyeva. With all that banking and related business, the PASHA group certainly needs to ensure none of its user data or transactions are compromised. Unless, of course, the aim is the opposite: to cover what OCCRP and others have exposed in various investigations as lucrative financial schemes that benefit the first family. The answer to that question is a topic for another story.

The second interesting point was the mention of Israel and its “teaching staff.” For pundits following Azerbaijan’s path towards digital authoritarianism, seeing Israel named as “the world’s leading” country in “the field of cyber security” is no surprise. After all, the Azerbaijani government has long benefited from Israel’s surveillance technology, about which I have written first here and then at more length here.

Finally, regarding students working in the lab: could part of their skill development also include hacking accounts, DDoSing independent news platforms, phishing, targeted harassment online, and trolling? In 2023, AzNet Watch published this legal overview of the lack of remedies in Azerbaijan to protect targets of online harassment:

There is another body of review within the Ministry of Digital Development and Transport concerning cyberattacks – the Cyber Security Service. While the cyber security service does not possess sanctions against authorities, it does have the authority to review cyberattack claims and issue general warnings concerning cyberattacks. Furthermore, this body may inform other investigative authorities if the problem concerns these authorities […] In addition, the Cyber Security Center is not an adequate remedy in practice. This body is also not independent and has no relevant investigative legal powers. Consequently, criminal law and administrative law remedies are not effective. In such cases, civil law remedies also cannot be effective due to burden of proof issues.

So what is the point of financing a center when it is not even independent and its use is rather dubious? In any case, perhaps a topic for yet another AzNet Watch investigation. 

Knowing all that is known about the Telegram app, especially the platform’s poor track record on safety, privacy, data storage, lax standards, and lack of content moderation, combined with a visit to a center that lacks independence and whose purpose remains dubious, what was this visit about? AzNet Watch will continue exploring answers to this question. In the meantime, AzNet Watch has documented numerous examples of civic activists being targeted via Telegram channels in the past. Here are just a few of them:

  • another telegram channel, another public targeting campaign (March 2023)
  • exiled blogger continues to receive threats (June 2022)
  • in Azerbaijan a telegram channel mobilising a movement, to target LGBTQI (March 2021)
  • Facebook page, advertising telegram channel, targeting a woman activist (March 2021)
  • targeted harassment via telegram channels and hacked Facebook accounts (March 2021)
  • Amnesty International statement calls to stop gender-based reprisals in Azerbaijan (May 2021)

political activist targeted online

For almost a month now, political activist Bakhtiyar Hajiyev has been the target of multiple forms of online attacks. In an interview with AIW, Hajiyev said that, from being impersonated online by fake social media accounts in his name calling for protests, to ongoing attempts to break into his social media accounts, it is a comprehensive list; the attacks are well-coordinated and they originate from the law enforcement agency.

Hajiyev explains that he can get at least ten password reset requests a day for messaging services like WhatsApp, his social media accounts on Twitter, Instagram and Facebook, as well as applications like PayPal and Uber. “I have been getting password reset requests on platforms and accounts I never visited before or never set up. And in addition to all the social media accounts, there are the e-government portals that also inform me of password reset requests.”

In one screenshot Hajiyev shared with AIW, there is evidence of countless incoming missed calls from numbers registered in the US and UK. These happen during certain hours of the day, explains Hajiyev. Similar phone calls have been reported by other political activists too.

“I also receive calls from people who have been humiliated and called names online and then given my mobile number by the perpetrators, telling them to call me, since it is my doing. So I end up explaining to people that it was not me and that I would never do anything like this to anyone,” explained Hajiyev. 

The offensive language is also being used against government officials and the ruling family, explains Hajiyev.

Hajiyev believes it is his activism and outspokenness online that triggers these attacks. Whenever he has posted something that is clear evidence of an act of corruption, or of a cover-up of government dealings, he has been subjected to similar forms of attacks and harassment. Taking into account that it is not just him, but many other activists who are facing similar attacks, the intensity and the wide range of the attacks indicate that they are coordinated and originate from one source – law enforcement.

“These things are being done, in order to avoid any sort of political mobilizing once the quarantine period is over,” Hajiyev told Azadliq Radio in an interview on May 24.

“I have informed the State Security Service about these attacks and I have shared all the necessary information. And although I have been promised an investigation and answers, I am yet to see anything,” Hajiyev told AIW. Hajiyev also told AIW that his name appears in message exchanges among police officers attempting to incriminate him [whoever has access to these numbers must be affiliated with the authorities, because these are the personal numbers of police officers, explains Hajiyev].

Most recently, Hajiyev was harassed in a post written by the ruling party’s youth branch.

AIW continues to document this and other digital attacks and threats against representatives of Azerbaijan Civil Society. 

mass phishing attack against Azerbaijan civil society [updated]

On January 6, veteran human rights lawyer Intigam Aliyev received an email apparently from another human rights lawyer, Rasul Jafarov. Aliyev spotted that something was not right and forwarded the email to Jafarov’s real address. This is not the first time Jafarov has been targeted: in 2017, the case was documented in detail by Amnesty International. Unlike Jafarov’s first experience, this time the email was sent only to a handful of people (at least from what Jafarov was able to collect).

Based on the contents of the phishing email, together with Qurium, it was possible to identify the following information:

  • the malware behind the WeTransfer link is written in Python and compiled for Windows;
  • the malware was built using a tool called technowlogger (more here);
  • the malware records keystrokes and passwords and sends them to a Gmail account after deactivating the antivirus program on the device;
  • in their forensic investigation, the Qurium team was able to identify the email address man474019 [ @ ] gmail.com. This user has expressed interest in pen-testing tools, penetration testing and other forms of attacks in hacking forums, including one attack against criminal.az (a website currently blocked, and whose editor is facing criminal prosecution).
The picture in the avatar displayed belongs to Alibay Mammadov. Together with Qurium, Azerbaijan Internet Watch suspects the attacker has stolen the identity of Mammadov.

According to this TEDx bio, Alibay Mammadov is based in Japan. He is the head of the Azerbaijan Japan Collaboration Association, founded in Tokyo in 2016. The association aims to promote bilateral business relations between Japan and Azerbaijan. He is also the President of Azepro Co., Ltd. Azerbaijan Internet Watch has reached out to Mammadov, warning him of the situation, but received no response.

The attacker seems to continue his research, as his most recent appearance in the forum was on January 14, 2020:


This, however, was not the last phishing attack.

On January 10, an independent online news platform HamamTimes was targeted with a similar phishing attack. The email came through a Gmail account that belongs to journalist Aziz Karimov.

A similar phishing attack was carried out against the team of Azadliq Radio, the Azerbaijani Service of Radio Free Europe/Radio Liberty.


On January 11, a larger group of civil society representatives received another WeTransfer link from Roberto Fasino. Fasino is the Head of the Secretariat, PACE Committee on Culture, Science, Education, and Media.

WeTransfer does not verify that the address entered in the sender (or recipient) field actually belongs to the person using the service; anyone’s email can be entered. As a result, any address can appear as the sender, including that of Roberto Fasino [see below].


According to Qurium forensics, the malware sent to HamamTimes and in the email appearing to come from Roberto Fasino is a PowerShell-based payload that can gain full access to a Windows machine. It connects to an intermediary server through which the attacker controls the victim’s device. This is how the attack looks when broken down into steps:

  • the attacker prepared the PowerShell attack;
  • obfuscated the code using HTML Guardian (producing an HTA file);
  • uploaded the file to WeTransfer and mailed it to several victims [how the contact list was obtained is still unclear; one scenario is that the sender’s email, in this case roberto.fasino@coe.int, was compromised];
  • once the victim’s device was infected, the attacker continued by performing “Reflective DLL” injection into the infected device and uploading the Meterpreter code;
  • the final step gives the attacker full access to the victim’s device, running commands remotely.

The forensics report also identified that the attacker set up an account with the ngrok.com service to conceal the location of his own machine.

Once the malware runs on the infected device, it connects to the ngrok.com address 3.17.202.129 on port 16885.
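The indicator above (the ngrok endpoint 3.17.202.129:16885) is the kind of thing a defender would sweep egress logs for. The script below is an added example, not part of the original report or of Qurium’s tooling: it parses a constructed, hypothetical firewall log format, flags any connection to the published indicator, and, as a weaker signal that generalises beyond this one address, flags script hosts such as powershell.exe or mshta.exe (the HTA runner) opening outbound connections on ports other than 80/443. The log lines and their format are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicator taken from the forensics described above: the ngrok tunnel
# endpoint the implant connects back to.
C2_INDICATORS = {("3.17.202.129", 16885)}

# Script hosts that rarely need their own outbound sockets on unusual ports;
# the attack chain above used PowerShell and an HTA (run by mshta.exe).
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
COMMON_WEB_PORTS = {80, 443}

# Constructed sample of egress firewall log lines (hypothetical format, not real logs).
SAMPLE_LOG = """\
2020-01-11T09:14:02Z ALLOW TCP src=10.0.5.23:51234 dst=142.250.74.68:443 app=outlook.exe
2020-01-11T09:14:07Z ALLOW TCP src=10.0.5.23:51240 dst=3.17.202.129:16885 app=powershell.exe
2020-01-11T09:15:31Z ALLOW TCP src=10.0.5.41:50011 dst=3.17.202.129:443 app=chrome.exe
2020-01-11T09:16:45Z ALLOW TCP src=10.0.5.23:51250 dst=3.17.202.129:16885 app=mshta.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"src=(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) app=(?P<app>\S+)$"
)


@dataclass
class Hit:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int
    app: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def classify(rec: dict) -> List[str]:
    """Return the list of reasons a parsed connection record is suspicious (empty if none)."""
    reasons = []
    # Strong signal: exact match on the published C2 address and port.
    if (rec["dst_ip"], rec["dst_port"]) in C2_INDICATORS:
        reasons.append("c2-indicator")
    # Weaker, more general signal: a script host talking to a non-web port.
    if rec["app"].lower() in SCRIPT_HOSTS and rec["dst_port"] not in COMMON_WEB_PORTS:
        reasons.append("script-host-uncommon-port")
    return reasons


def find_hits(log_text: str) -> List[Hit]:
    """Scan a block of log text and return every connection that triggered a rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append(Hit(rec["ts"], rec["src_ip"], rec["dst_ip"],
                            rec["dst_port"], rec["app"], reasons))
    return hits


if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(f"{h.timestamp} {h.src_ip} -> {h.dst_ip}:{h.dst_port} {h.app} {','.join(h.reasons)}")
```

The third sample line (the same IP on port 443 from a browser) is deliberately not flagged: ngrok endpoints sit on shared cloud infrastructure, so matching on the IP alone would be noisy, which is why the rule keys on the address and port pair and treats the process-based heuristic as a separate, weaker reason.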

So far, attempts to reach ngrok.com founder Alan Shreve for comment and assistance have yielded no results.

On January 14, new evidence showed the attacker was also using Facebook Messenger to infect devices. The new evidence, together with further investigation of the attacker’s IP address, revealed man474019 to be connected to the government of Azerbaijan, and that this was the same location from which DDoS attacks against several independent and opposition websites were coordinated in 2017. The new report also shows that this network includes several ministries, as well as several firewalls with digital certificates signed by the national CERT (cert.az).

Orkhan Shabanov, whose name and email appear in the Hacking Team leaks cited in Qurium’s report, is an employee of the Ministry of the Interior. In that capacity, Shabanov was among the participants at the Open-ended intergovernmental expert group meeting to conduct a comprehensive study of the problem of cybercrime, held in Vienna in March 2019.

What is phishing:

Phishing is when you receive an email from someone pretending to be someone you know, who “fishes” for your private information by asking you to download an attachment or click a link that takes you to a page where you are prompted to enter sensitive personal information, including passwords.

In 2019, Amnesty Tech released a detailed report on common phishing attacks used against journalists and rights defenders in MENA. Many of these conclusions apply to other countries as well.

The report describes the following most common types of phishing attempts:

  1. “Reset your password” email – an attacker impersonating Google alerts the account owner to an alleged unsuccessful login attempt and offers to secure the account. Once you click the provided link, it redirects you to a page that may look like your Gmail login page but is in fact a fake;
  2. “OAuth phishing” – OAuth is a web standard that allows authentication through third-party services without sharing passwords, used by companies like Google, Facebook, and Microsoft. According to the Amnesty report, in this type of phishing “attackers use the same architecture but in order to create malicious third-party applications and attempt to lure the targets into granting the applications access to their accounts (such as emails)”;
  3. Google phishing abusing legitimate third-party applications – with this method, attackers abuse the authentication procedure employed by legitimate and verified third-party applications.
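The first type above, the fake “reset your password” alert, is usually recognisable from the message itself: the lure text, and links whose visible text or host does not match the sender the message claims to be from. The script below is an added example written for this post, not code from Amnesty’s report or from the Azerbaijan Internet Watch and Qurium research: it parses the HTML body of a constructed sample lure, extracts every link, and flags links whose host lies outside the claimed sender’s domain, hosts that merely contain the brand name (lookalikes), and links where the displayed URL differs from the real target. The sample message, the hostnames in it and the rule names are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body of a "reset your password" lure (not a real message).
SAMPLE_BODY = """<p>Someone just tried to sign in to your Google Account from an unknown device.</p>
<p>If this wasn't you, <a href="http://accounts-google.example.net/signin">https://accounts.google.com/signin</a> to secure your account.</p>
<p>You can also <a href="https://myaccount.google.com/security">review recent activity</a>.</p>"""

# Phrases typical of the account-alert lure described in the list above.
LURE_RE = re.compile(
    r"(suspicious|unknown|unsuccessful)\s+(sign[- ]?in|login)|tried to sign in"
    r"|secure your account|reset your password",
    re.I,
)

# Visible link text that itself looks like a URL or a bare hostname.
URL_LIKE_RE = re.compile(r"^(https?://|[\w.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs plus all visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []
        self._href = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._buf = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def _host_in_domain(host: str, domain: str) -> bool:
    # Exact match or a true subdomain; "accounts-google.example.net" must not pass.
    return host == domain or host.endswith("." + domain)


def _host_of(value: str) -> str:
    # Accept both full URLs and bare "accounts.google.com" style text.
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def analyze_email(html_body: str, claimed_domain: str, brand: str) -> dict:
    """Return lure-text flag and the links that look inconsistent with the claimed sender."""
    parser = _LinkCollector()
    parser.feed(html_body)
    suspicious = []
    for href, text in parser.links:
        href_host = _host_of(href)
        issues = []
        if not _host_in_domain(href_host, claimed_domain):
            issues.append("host-outside-sender-domain")
            if brand in href_host:
                issues.append("brand-lookalike-host")
        # Displayed URL vs. real target: classic "looks like Google, goes elsewhere".
        text_host = _host_of(text) if URL_LIKE_RE.match(text) else ""
        if text_host and text_host != href_host:
            issues.append("display-host-mismatch")
        if issues:
            suspicious.append({"href": href, "text": text, "issues": issues})
    return {
        "lure_text": bool(LURE_RE.search(" ".join(parser.text))),
        "suspicious_links": suspicious,
    }


if __name__ == "__main__":
    result = analyze_email(SAMPLE_BODY, claimed_domain="google.com", brand="google")
    print("lure phrasing present:", result["lure_text"])
    for link in result["suspicious_links"]:
        print(link["href"], "->", ", ".join(link["issues"]))
```

The legitimate-looking second link (a real google.com subdomain with plain descriptive text) produces no findings, which is the point of keying the rules on the sender the message claims rather than on a blocklist: the same function works for any impersonated brand by changing the two arguments.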

This post is based on the research of Azerbaijan Internet Watch and Qurium Media Foundation. A full forensic report by Qurium is available here.


Since the release of this post and Qurium’s forensic report, man474019 seems to have removed some of the information from https://forum.antichat.ru/

You can see the difference between how the user profile looks now and the Wayback Machine capture from July 2019. The picture is gone too.

How profile looks now.
How profile looked July 2019