May 15, 2016 • RBS

Categories: Security News

A few months ago, an established hacker known at the time only as GhostShell proceeded to dox himself. The move was done in what appeared to be the hope of obtaining legitimate work and ending the run of data breaches that he committed over the years. GhostShell, also now known as 24 year old Razvan Eugen Gheorghe,today announced a new leak of data under the title of Light Hacktivism.


He makes the statement that this leak is an appetizer and that there is much more to come in the near future. Light Hacktivism in his view is an attempt to raise awareness of older FTP directories that are left open on Internet, containing credentials and confidential documents. The leaked data and a short message, reproduced below, was posted to Pastebin:

This is me raising awareness to the on-going open FTP directories that still plague the net even after all these decades. Despite warnings in the past about the dangers posed by leaving your ports open and unprotected, netizens small and large are still paying no attention to it effectively leaving their networks unprotected to even the newbies of this industry. I’ve comprised a list of targets that range across the field, from government, educational, medical, industrial, retail, personal and many others. Since I wanted to clear and taken serious about this I have leaked some credit cards information, however it is recently expired, however I am willing to prove more in private to any researcher out there that even CC/CCv is stored in plaintext on open ports. Medical data is also present but it has been censored, the sensitive stuff. Still, accounts – usernames, password are present. Personal identities, names, addresses, phone numbers etc. are also there. Never underestimate the most simple vulnerabilities out there as they often time end up being anyone’s downfall. Light Hacktivism is about finding and exposing those vulnerabilities to the public so that they can be patched.Millions of people at risk everyday due to sheer laziness and incompetence.

Shortly before the leak was posted, Razvan hinted that something was about to happen because “local and US feds” handling his case have the weekend off.  At time of this post, RBS was not aware of a confirmed case against Razvan.


The Light Hacktivism leak is a similar style and format as to what we we have seen in the past from Razvan.  It is comprised of data collected from 30 unique sites and contains varying types of data including credit card details, user name and email combinations some with and without encryption. All together, we have detected 1,181 unique email addresses from 521 different providers. A large portion of the affected sites appear to be data from educational institutions which have been open on the Internet for some time. One part of Razvan’s message that caught our eye, was the mention of a potential larger impact of compromised medical data.  Razvan states:

“Medical data is also present but it has been censored, the sensitive stuff.”

It’s has been well documented over the past couple years that medical data and devices are becoming more of a target for cyber criminals.   The problem is already so much of an issue that, in many cases, confidential medical data is being left wide open on the Internet, resulting in a situation where the impact is potentially much greater than a typical data breach. While it seemed that Razvan was “retired”, this new leak appears to show that he is back as he mentions that we should expect the usual leaks from him in the near future.  If past experience is any indication of what to expect, then we will most likely see a large amount of data being posted in bulk affecting many, many more sites.

Our products
The Platform
Risk Based Intelligence
Learn more
Vulnerability Intelligence
Learn more
Cyber Risk Analytics
Threat Intelligence
Learn more
Risk Management
Learn more