Tag: targeting

Hacks and compromised accounts continue to target journalists and activists in Azerbaijan [updated September 13]

Posted on by aiw_admin

Account compromise, website hacks, DDoS attempts, phishing are just a handful of tactics used to target journalists, rights defenders, and activists in Azerbaijan. 

Here is a list of new cases: 

Earlier in July, Azerbaijan Internet Watch reported a phishing attack that targeted some of the civil society activists. Following a forensic investigation carried out in partnership with Qurium, it was possible to confirm that the email was indeed a virus. According to preliminary conclusions, “the e-mail included a link to malware, with the capability of webcam and Desktop recording, execution of windows commands (WMI) as well as extraction and uploading of selected files from the victim’s computer.

Then the civil society was targeted with another phishing, this time the sender pretended to be the National Endowment for Democracy inviting recipients of the email to apply for a Pegasus Grant. 

Preliminary forensic results indicated that the malware sent around in this email was similar to a phishing campaign from 2017, that was widely covered and reported by Amnesty International: 

The victims and targets identified, as well as the political theme of bait documents, indicate that the campaign is largely targeting human rights activists, journalists, and dissidents. This campaign also aligns with findings by VirtualRoad.org in their report, “News Media Websites Attacked from Governmental Infrastructure in Azerbaijan”, which links some of the same network address blocks with “break-in attempts” and “denial of service attacks” against several independent media websites

The malware that was observed is not sophisticated, and is in some manner extremely crude. However, combined with social engineering attempts and an unprepared public, these tactics can remain effective against many targets.

The same month, Azerbaijan Internet Watch received confirmation that the former political prisoner, Tofig Yagublu’s Facebook profile was subject to numerous hacking attempts. 

In early August, former leader of the opposition Musavat party, Isa Gambar reported that all of his social media accounts were compromised including his Facebook profile, Facebook page, and Instagram account. 

The hackers, who took hold of Gambar’s Facebook profile, changed settings, recovery emails, and an affiliated phone number, and have since then shared irrelevant posts. 

On August 27, the website for popular platform HamamTimes was hacked. The team behind the platform, reported all of its content removed, suspecting that the hackers used the site’s vulnerability as a result of weak security protocols in place. So far, HamamTimes, managed to restore all of the website’s archive of stories however its hosting remains vulnerable to new targeting. 

HamamTimes was targeted before as reported by Azerbaijan Internet Watch in a mass phishing attack. 

On September 4, editor of anews.az news website, Naila Balayeva, reported that her Facebook account was compromised. The hacker switched the email account and the phone number originally registered for the profile. Although Balayeva was able to restore access to her email and change the emails, according to the journalist, the hacker continues to use Facebook as the owner often deleting posts that are critical either of the police or the government institutions.  

Anews.az and Balayeva were targeted before. Last year, several Facebook pages affiliated with the website were hacked. 

While it was possible to provide assistance in some of the cases, the response from platforms like Facebook, especially in the case of Gambar has been slow and at times, comical. So far, twice, the platform requested new emails not associated with the platform or any of its apps and twice, Gambar sent proof of identity.  

[Update] On September 9, political activist Bakhtiyar Hajiyev was reportedly threatened by Baku Police Chief Alekper Ismayilov over a Facebook post, that Hajiyev wrote the same day. The post, Hajiyev wrote on Facebook was addressing the Ministry of the Interior, specifically the Minister of the Interior, Vilayat Eyvazov. The activist alleged the ministry was delaying a response to his complaint submitted 50 days ago over a street hooligan. 

[From Hajiyev’s post on Facebook published on September 9, 2021] Instead of investigating why my Ministry of the Interior cannot question street hooligan, who is refusing to speak to them, humiliating police officers who show up at [the hooligan’s] home, Vilayat Eyvazov is going after me for reminding [the Ministry] of my complaint and is threatening me with arrest, death and blackmailing.  

The activist told Turan News Agency that he was summoned to the police on September 9 where Baku Police Chief, Alekper Ismayilov allegedly told Hajiyev less he removes the Facebook post, the activist would face a greater punishment than arrest. 

On September 12, Gubad Ibadoglu, Azerbaijani academic, and an economist reported that his Facebook profile and page were compromised. In an interview with Turan News Agency, Ibadoglu said despite his attempts to strengthen the security of his accounts, they were compromised anyway. “I got a message this morning that my password was changed using my own computer. This means that the hackers of the Azerbaijani government, even in London,” Ibadoglu told Turan. The fact that he received a notification informing him that his computer was the device from which the passwords were changed, means the device was infected with a virus containing some form of keylogger. It won’t be the first time, this type of information extraction is used to target Azerbaijani civil society. 

[Update] In September, online news platform Toplum TV, reported it lost 16k followers on its Facebook page. 

new report documents a decade of censorship in Azerbaijan

Posted on by aiw_admin

On July 16, Qurium Media Foundation released a report, “A Decade of Efforts To Keep Independent Azerbaijani Media Online”. 

The report highlights the work carried out by Qurium since 2010 assisting targeted independent and opposition online news platforms in Azerbaijan. “For more than a decade, Qurium has monitored and mitigated a wide range of cyberattacks against the websites and since 2016, no less than twenty forensics reports have been released to document our findings,” reads the new report.

Denial of Service attacks

During five years (2010-2015), Qurium mitigated dozens of denial of service attacks against Azerbaijani media, and was forced to invest in mitigation hardware and to increase its Internet capacity. Commercial mitigation of denial of service was not possible for Azeri media organizations as the average cost for such services was close to 1,000 Euro/month for a small website.

During 2014-2016, several corporate efforts made Denial of Service more difficult for the attackers, both Cloudflare (2014) and later Google (2016) started to offer free protection to journalists and human rights groups and many stress testing services (aka “booters”) since then were dismantled by FBI, such as the infamous VDOS Booter and the Mirai botnet.

After three years of research of development (2014-2017), Qurium built its own mitigation hardware and upgraded its Internet capacity by a factor of 200. Although the Denial of service attacks slowly had decreased since 2017, new challenges emerged. Internet Network Interference.

Internet Network Interference

In late 2013, a new type of challenge emerged when we discovered that websites artificially were slowed down. Instead of blocking the websites that clearly would expose the motivations and those responsible for the disruptions, the websites were slowed down by limiting the amount of bandwidth available to reach them. Qurium was forced to develop a method to detect “Internet Congestion” and to keep moving affected websites to other IP addresses to keep them online. Other large providers, such as Akamai, hosting other Azeri media was also slowed down and was unable to respond effectively to the challenge.

Exposing a coordinated cyberwar strategy

Starting from 2017, the cyberwar landscape changed. 

During that year, we received customized denial of service, pen testing and vulnerability scans and the first reports of targeted malware.

A series of diverse attacks and forensics analysis including tracing back the source of a malware sent to journalists helped us to confirm that new Ministry of Transport, Communications and High Technologies and the “hacker community” built around the government, sponsored cybersecurity events were actively targeting our hosted media.

After hosting and protecting Azeri media for almost seven years, we had no doubt about the actors behind the attacks, and could publicly document that a “State Actor” was orchestrating diverse forms of cyber attacks.

Deep Packet Inspection

Also in 2017, a new method used against independent and opposition media was identified by Qurium – the Deep Packet Inspection or shortly DPI. 

In April 2017, we identified that new technical means were implemented in several operators to block some of the websites. The Azeri authorities had invested in Deep Packet Inspection equipment to block the media outlets once and for all.

By the end of April 2017 Qurium learned that there were a court order against some of our hosted media organizations. To our surprise, the websites under Deep Packet Inspection were many more than the ones mentioned in the court order. The court order stated that the listed websites (Azadliq.info, Azadliq.org, Azerbaycansaati.com, Meydan.tv and Turan TV) were “creating threats to the legitimate interests of the state and society” and must therefore be blocked.

After two years of research between 2017-2019, Qurium identified the use of DPI hardware from Allot Communications and Sandvine inside several operators in Azerbaijan.

Website flooding, phishing, and more

By 2018, many of the “stress testing services” often used to launch the Denial of Service attacks had been dismantled world wide. The attackers were forced to find new alternatives to conduct their traffic floods aiming to take the websites offline. During another forensic investigation we traced back this new source of denial of service to Russian Fineproxy (Region40). By identifying the service provider used to conduct the attacks, we could not only expose their business practices but also their management that kindly disabled the account of the attacker.

In late 2018, Denial of Service became a second priority in the strategy to harass Azeri media and once again other means were needed.

By April 2020, Qurium could finally link the denial of service attacks launched using Fineproxy service with the very same threat actor from the Ministry of Internal Affairs: sandman. Access to sandman github account provided us with a good insight of the toolset that was being used against online media and journalists in Azerbaijan.

A final report of our findings showed even more advanced capabilities, like the ability to create fake SMS or hijack SMS sent to the journalists giving the attackers the ability to take control over their social media accounts.

Phishing remains a major attack vector against journalists and human right activists, the latest phishing campaign in early July 2021 impersonated human rights watch so as to implant a malware capable of recording the desktop and webcam or exfiltrate all important documents of the victims.

Conclusion

What started in 2010 and went on for years with Denial of service attacks using third party stress testing services was extended with more sophisticated attacks in 2017 including targeted phishing and the introduction of dedicated hardware to block the websites using technologies as DART from Allot and PCEF from Sandvine.

The national blocking of many websites, not always supported by legal court orders, has been weaponized to limit visibility of the media in the country. Despite our multiple efforts to provide alternatives to make the content available, the blocking has had a huge impact in the revenue creation of the alternative media and the growth of readership.

After the introduction of Internet blocking by means of more sophisticated deep packet inspection against alternative websites in 2018, many of the blocked media opted to increase their presence in Facebook but that has proven to be an advantageous situation for the Azeri government and their secret cyber operations as Facebook has showed a bad track record in dealing with “coordinated inauthentic behavior” in the country.

You can read the full report here.

inauthentic pages target independent news platform – will Facebook take notice [part 2, the case of Mikroskop Media]

Posted on by aiw_admin

This month, a series of articles published by The Guardian newspaper revealed how leaders across the world, used Facebook loopholes to harass their critics at home. And how despite having information about these violations, the platform lets these cases sit sometimes for months on end if not more, instead choosing to deal with more high profile cases. “The investigation shows how Facebook has allowed major abuses of its platform in poor, small and non-western countries in order to prioritize addressing abuses that attract media attention or affect the US and other wealthy countries. The company acted quickly to address political manipulation affecting countries such as the US, Taiwan, South Korea, and Poland, while moving slowly or not at all on cases in Afghanistan, Iraq, Mongolia, Mexico and much of Latin America.”

The Guardian investigations show that Azerbaijan was on the list of neglected countries. If it wasn’t for Facebook’s former employee Sophie Zhang memo published in September of last year, those inauthentic pages that Facebook removed 14 months later (once the memo was out) likely would have stayed. 

But even though those pages have been reportedly removed, hundreds if not thousands more continue to target independent media in Azerbaijan. AIW covered the story of Meydan TV here and The Guardian uncovered a similar pattern of targeting in the case of Azad Soz. AIW now presents its findings on targeting Mikroskop Media, a Riga-based online news platform that covers Azerbaijan. 

Mikroskop Media shared with AIW the list of Facebook posts where the platform received a high volume of comments. The preliminary investigation indicates that the Facebook page of Mikroskop Media was also targeted by hundreds of inauthentic Facebook pages set up to look like personal accounts flooding the posts with comments supportive of the ruling government and its relevant decisions. 

On March 24, Mikroskop Media shared the following post on its Facebook page. The post looks at the total number of citizens who have received vaccination so far in Azerbaijan as well as the total number of vaccines on March 23. This post received over 1.6k comments. AIW looked at 550 comments and almost all of these comments were posted by owners of pages that posed as users on the platform. 

Another post investigated by AIW was one posted on March 11, indicating the total number of businesses who have applied to the authorities to launch their businesses in Karabakh. The post receives over 400 comments. Having analyzed 200 of them, AIW was again, discovered that all of them were pages. 

On April 5, Mikroskop Media shared a link to a story they published about this investigation that was first originally published by VICE on March 29, exposing how little known Berlin-based television channel was part of a “lobbying strategy to polish Azerbaijan’s image in Germany” thanks to large sums of money paid through bribery of certain politicians. The story shared by Mikroskop Media on its Facebook page received almost 400 comments. AIW analyzed these comments, and once again, with an exception of a few profiles (although these too were suspicious given the lack of any recent activity on their profiles) that almost all of the comments were posted by inauthentic Facebook pages. 

At other times, Mikroskop Media’s Facebook page was targeted by troll accounts. This was especially the case in this example – on November 12, 2020, Mikroskop Media shared an infographic, about the number of times, Azerbaijan’s national constitution was amended. Among the 385 comments that were analyzed, a relatively high number of these comments were posted by Facebook profiles. A closer look at these profiles showed while some of the owners were employees at the state universities and government institutions, some were not authentic accounts at all. The majority of the comments once again were in favor of these changes, expressed pride in the country and the president’s decisions as well as accused the media platform of bias and unfair reporting. 

AIW would be happy to assist Facebook’s threat intelligence team in investigating the “coordinated inauthentic behavior” that AIW has observed and has shared in its reporting so far, but the main question still lingers, will it take notice? 

Facebook looks the other way when it comes to Azerbaijan and others – The Guardian investigations show

Posted on by aiw_admin

Almost a month after AIW published this story about how some 500 inauthentic Facebook pages targeted Berlin-based independent online news platform Meydan TV, little has changed. While all of the pages that targeted Meydan TV remain active, someone else has taken notice. 

On April 13, The Guardian published this story explaining how Facebook allowed state-backed harassment campaigns, target independent news outlets, and opposition politicians on its platform.  

The story mentions the case of Azad Soz (Free Speech) and how the post shared on March 4 about two men sentenced to eight months received over 1.5k comments. It analyzes the top 300 comments and discovers that 294 out of 300 comments were inauthentic Facebook pages.  

Just like in the case of Meydan TV. 

The Guardian cites Sophie Zang’s work during her time at Facebook, working for the team tasked with “combating fake engagement, which includes likes, shares, and comments from inauthentic accounts.” During her research, Zhang uncovered “thousands of Facebook pages- profiles for businesses, organizations, and public figures – that had been set up to look like user accounts and were being used to inundate the Pages of Azerbaijan’s few independent news outlets and opposition politicians on a strict schedule: the comments were almost exclusively made on weekdays between 9am and 6pm, with an hour break at lunch,” writes The Guardian journalists Julia Carrie Wong and Luke Harding. 

Wong and Harding also mention the platform’s response mechanism. “The company’s vast workforce includes subject matter experts who specialize in understanding the political context in nations around the world, as well as policy staff who liaise with government officials. But Azerbaijan fell into a gap: neither the eastern European nor the Middle Eastern policy teams claimed responsibility for it, and no operations staff – either full-time or contract – spoke Azerbaijani.”

But the story of Facebook and Azerbaijan is not the only one that The Guardian identified loopholes with. “The Guardian has seen extensive internal documentation showing how Facebook handled more than 30 cases across 25 countries of politically manipulative behavior that was proactively detected by company staff. The investigation shows how Facebook has allowed major abuses of its platform in poor, small, and non-western countries in order to prioritize addressing abuses that attract media attention or affect the US and other wealthy countries. The company acted quickly to address political manipulation affecting countries such as the US, Taiwan, South Korea, and Poland, while moving slowly or not at all on cases in Afghanistan, Iraq, Mongolia, Mexico, and much of Latin America.”

Honduras 

The administration in Honduras relied on astroturfing to attack government critics. Sophie Zang discovered how Juan Orlando Hernandez – the authoritarian leader – “received hundreds of thousands of fake likes from more than a thousand inauthentic Facebook pages” that were set up to look like Facebook user accounts. Very similar to what happened in Azerbaijan, in the case of Azad Soz and Myedan TV. And just like it was in the case of Azerbaijan, in the case of Honduras, the platform took nearly a year to respond.

Russia 

During 2016 US election, Russia’s Internet Research Agency set up Facebook pages to “manipulate individuals and influence political debates” pretending to be Americans.

Facebook’s intervention was much faster in the case of Russia targeting US elections, likely the result of “Facebook’s prioirty system for protecting political discourse and elections,” wrote Wong, in another story in The Guardian.   

As a result of this kind of cherry picking, Facebook’s response mechanism worked faster in the Taiwan, India, Indonesia, Ukraine and Poland but not in countries where similar inauthentic behavior was spotted such as Azerbaijan, Mexico, Honduras, Paraguay, Argentina and others. The difference in response rate was as quick as 1 day in the case of Poland and as long as 426 days in the case of Azerbaijan. 

Many others were left uninvestigated at all. Among them, Tunisia, Mongolia, Bolivia, and Albania. 

Back in Azerbaijan, at the time of writing this post, pages that targeted Meydan TV remain, and even if they are removed, nobody knows how long it will take Facebook to respond, next time, such behavior is spotted. 

in Azerbaijan a telegram channel mobilising a movement, to target LGBTQI

Posted on by aiw_admin

According to Minority Magazine reporting, a new movement calling itself “Pure Blood” is mobilizing via the Telegram channel to target members of the LTBTQI community in Azerbaijan.

The magazine, sharing screenshots from the channel called on the relevant government institutions in Azerbaijan to investigate. 

“Hurray, they should be burned,” wrote one user in the chat. Another user wrote the fight against people with “untraditional sexual orientation” must be carried out on the government level, just like in Poland and Hungary. 

The last time someone shared a text in the group was March 19, at least according telemetr.io. 

While it is the first time, news of such a “movement” are making headlines in Azerbaijan, it is certainly not the first time, the community is targeted. 

Since 2000s, Azerbaijani government has been deploying spyware purchased from Israeli Verint. Verint supplied Azerbaijan with a system that allowed the government to collect information from social media. One of Verint’s former employees who traveled to Azerbaijan to train the client was asked how to use the system, “to check sexual inclinations via Facebook.” This technology was likely to be used in 2017, when the government of Azerbaijan went on a witch hunt on gay and transgender people.  

police “visits” writer’s home during his live stream

Posted on by aiw_admin

Writer Keramet Boyukchol was briefly taken to the police for questioning after an alleged complaint to the police made by his neighbors. Police claimed neighbors complained he was making too much noise. 

Boyukchol is known for his criticism of the authorities on social media and in the numerous interviews, he has done with the media. 

The day he was taken in for questioning, Boyukchol was live on Facebook, raising yet again, the issue of economic difficulties faced by the general public in the country. He was still streaming live when the doorbell rang and he got up to open the door. Seeing the police the writer asked what was the purpose of their visit, to which one of the officers responded, saying his neighbors complained he was making too much noise. 

At some point, one of the officers entered the flat, without Boyukcol’s permission and in the absence of an arrest warrant and stopped Boyukchol from filming the scene. 

According to Boyukchol’s father, in an interview with Azadliq Radio, his son was taken to the police and released the next day without any charges. 

Boyukchol was also targeted online. In June, his Facebook account was compromised. All of his posts (over the last ten years) were deleted. 

news platform targeted online

Posted on by aiw_admin

On June 18, a popular online news platform, Meydan TV was targeted online. Its social media accounts on Facebook and Instagram were subject to a digital attack.

According to Meydan TV, the platform lost two years of content on its Azerbaijani language Facebook page while on Instagram it lost at least two months of posts. 

Previously, the platform lost all of its content on its Russian language Facebook page including some, on its Azerbaijani language Facebook page. Meydan TV’s website was also subject to DDoS attacks in May shortly after the country’s top independent news agency Turan was targeted in a similar manner.

Targeting accounts and pages of independent news platforms, organizations, initiatives, activists, and journalists are common in Azerbaijan. AIW has documented some of these and they are available on this platform.  

mass phishing attack against Azerbaijan civil society [updated]

Posted on by aiw_admin

On January 6, veteran human rights lawyer Intigam Aliyev received an email from another human rights lawyer Rasul Jafarov. Aliyev, spotted something was not right and forwarded the email he received to Javarov’s real email.  This is not the first time, Jafarov is targeted. In 2017, the case was captured in detail by Amnesty International.  Unlike Jafarov’s first experience, this time, the email was sent only to a handful of people (at least from what Jafarov was able to collect).

Based on the contents of the phishing email, together with Qurium , it was possible to identify the following information:

  • malware inside the WeTransfer link is written in python and compiled for windows;
  • the malware has been built using a software called technowlogger (more here);
  • The malware records keystrokes, passwords and sends them to a Gmail account after deactivating the antivirus program on your device;
  • In their forensic investigation, Qurium team was able to identify the email address: man474019 [ @ ] gmail.com. This user, has expressed interest in pen-testing tools, penetration testing and other forms of attacks in hacking forums. Including one attack against criminal.az (website currently blocked and it’s editor facing criminal prosecution).
The picture in the avatar displayed belongs to Alibay Mammadov. Together with Qurium, Azerbaijan Internet Watch suspects the attacker has stolen the identity of Mammadov.

According to this TEDx bio, Alibay Mammadov is based in Japan. He is the head of the Azerbaijan Japan Collaboration Association founded in Tokyo in 2016. The association aims to promote bilateral business relations between Japan and Azerbaijan. He is also the President of Azepro Co., Ltd. Azerbaijan Internet Watch has reached out to Mammadov, warning him of the situation however received no response in return.

The attacker seems to continue his research, as his most recent appearance in the forum was on January 14, 2020:

This, however, was not the last phishing attack.

On January 10, an independent online news platform HamamTimes was targeted with a similar phishing attack. The email came through a Gmail account that belongs to journalist Aziz Karimov.

A similar phishing attack was carried out against Azadliq Radio, Azerbaijan Service for Radio Free Europe Radio Liberty team.

On January 11, a larger group of civil society representatives received another WeTransfer link from Roberto Fasino. Fasino is the Head of the Secretariat, PACE Committee on Culture, Science, Education, and Media.

WeTransfer does not verify emails for validity when inserted in the sender or recipient box – you can insert anyone’s email. As a result, any email can be used, including that of Roberto Fasino in the sender box [see below].  

According to Qurium forensics, the virus sent to HamamTimes and from Roberto Fasino is “powershell” exploit that can gain full access to a windows machine. It connects to an intermediary server where the attacker can connect to control the victim’s device. This is how the attack looks when broken down into steps:

  • The attacker prepared the “powershell” attack;
  •  Obfuscate the code using HTML Guardian (HTA file);
  • Upload the file to We-transfer and mail to several victims [how the contact list has been obtained is still unclear – one scenario is that the sender’s email, in this case, roberto.fasino@coe.int was compromised;
  • Once the victim’s device is infected the attacker then continues to perform the attack performing “Reflective DLL” injection into the infected device and uploads the “merterpreter” code;
  • The final step, allows the attacker to have full access to a victim’s device, running commands remotely;

The forensics report also identified that the attacker has set up an account in ngrok.com service to hide his computer.

Once the virus is inside the infected device, it connects to the ngrok.com address 3.17.202.129 and port number 16885.

So far, attempts to reach ngrok.com founder Alan Shreve for a comment and assistance yield no results:

On January 14, new evidence showed the attacker was also using Facebook messenger to infect devices. The new evidence, as well as further investigations of the IP address of the attacker, revealed man474019 to be connected to the government of Azerbaijan and that this was the same location from where DDoS attacks against several independent and opposition websites were coordinated in 2017. The new report also shows that this network includes several ministries, as well as the presence of several firewalls with digital certificates signed by the national cert (cert.az)

Orkhan Shabanov, whose name and email appear in Hacking Team leaks indicated in Qurium’s report, is an employee at the Ministry of the Interior. In his capacity, Shabanov was among participants at the Open-ended intergovernmental expert group meeting to conduct a comprehensive study of the problem of cybercrime that took place in Vienna in March 2019.

What is phishing:

It is when you receive an email from someone who pretends to be someone you know, and phishes for your private information by asking you to download the attachment, or click on a link that would take you to a different page where you are prompted to enter some of your personal sensitive information, including passwords.

In 2019, Amnesty Tech released a detailed report on common phishing attacks used against journalists and rights defenders in MENA. Many of these conclusions apply to other countries as well.

The report describes the following most common types of phishing attempts:

  1. “Reset your password” email – attacker impersonating Google alerts the owner of the account of an alleged unsuccessful login attempt. It then offers to secure the account. Once clicked on the provided link, it redirects you to a page that may look like your Gmail login page, but in fact, it is a fake;
  2. “OAuth Phishing” – is a Web standard used to allow authentication over third-party services without the need of sharing passwords. It is used by companies like Google, Facebook, and Microsoft. According to Amnesty report, this type of phishing allows “attackers use the same architecture but in order to create malicious third-party applications and attempt to lure the targets into granting the applications access to their accounts (such as emails)”;
  3. Google phishing abusing legitimate third-party applications – using the method, attackers abuse the authentication procedure employed by legitimate and verified third-party applications;

This post is based on the research of Azerbaijan Internet Watch and Qurium Media Foundation. A full forensic report by Quriu is available here.

Since the release of this and Qurium’s forensic report, man474019 seem to have removed some of the information from https://forum.antichat.ru/

You can see the difference from how the user profile looks now and from Wayback machine capture (July 2019). The picture is gone too.

How profile looks now.
How profile looked July 2019