Will T
@bushidotoken.net
🇬🇧 | Senior Threat Intelligence Advisor at Team Cymru | Co-author SANS FOR589 | Co-founder Curated Intel
New Blog 👀
This blog discusses the topic of cybercrime counterintelligence to highlight the growing threat toward the cyber threat intelligence (CTI) and law enforcement (LE) communities ⚠️
🔗 www.sans.org/blog/for589-...
This blog discusses the topic of cybercrime counterintelligence to highlight the growing threat toward the cyber threat intelligence (CTI) and law enforcement (LE) communities ⚠️
🔗 www.sans.org/blog/for589-...
October 30, 2025 at 10:42 PM
New Blog 👀
This blog discusses the topic of cybercrime counterintelligence to highlight the growing threat toward the cyber threat intelligence (CTI) and law enforcement (LE) communities ⚠️
🔗 www.sans.org/blog/for589-...
This blog discusses the topic of cybercrime counterintelligence to highlight the growing threat toward the cyber threat intelligence (CTI) and law enforcement (LE) communities ⚠️
🔗 www.sans.org/blog/for589-...
Spotted a rather Team Cymru looking fountain here in the Netherlands 🇳🇱 this week! 📸
October 22, 2025 at 5:18 AM
Spotted a rather Team Cymru looking fountain here in the Netherlands 🇳🇱 this week! 📸
New Blog! 👀
In this research, I take a look at the Qilin RaaS in-depth, which has emerged as one of the leading and most innovative ransomware gangs following the takedown of LockBit, the exit scam by ALPHV/BlackCat, and the shutdown of RansomHub.
🔗 www.sans.org/blog/evoluti...
In this research, I take a look at the Qilin RaaS in-depth, which has emerged as one of the leading and most innovative ransomware gangs following the takedown of LockBit, the exit scam by ALPHV/BlackCat, and the shutdown of RansomHub.
🔗 www.sans.org/blog/evoluti...
October 6, 2025 at 6:04 PM
New Blog! 👀
In this research, I take a look at the Qilin RaaS in-depth, which has emerged as one of the leading and most innovative ransomware gangs following the takedown of LockBit, the exit scam by ALPHV/BlackCat, and the shutdown of RansomHub.
🔗 www.sans.org/blog/evoluti...
In this research, I take a look at the Qilin RaaS in-depth, which has emerged as one of the leading and most innovative ransomware gangs following the takedown of LockBit, the exit scam by ALPHV/BlackCat, and the shutdown of RansomHub.
🔗 www.sans.org/blog/evoluti...
New Blog! 👀
After the last few large breaches, I discuss several cases in which the customers of major SaaS providers, such as Salesloft, Salesforce, and Snowflake have been extorted by adversaries from the English-speaking #cybercrime communities.
🔗 www.sans.org/blog/hunting...
After the last few large breaches, I discuss several cases in which the customers of major SaaS providers, such as Salesloft, Salesforce, and Snowflake have been extorted by adversaries from the English-speaking #cybercrime communities.
🔗 www.sans.org/blog/hunting...
October 1, 2025 at 5:56 PM
New Blog! 👀
After the last few large breaches, I discuss several cases in which the customers of major SaaS providers, such as Salesloft, Salesforce, and Snowflake have been extorted by adversaries from the English-speaking #cybercrime communities.
🔗 www.sans.org/blog/hunting...
After the last few large breaches, I discuss several cases in which the customers of major SaaS providers, such as Salesloft, Salesforce, and Snowflake have been extorted by adversaries from the English-speaking #cybercrime communities.
🔗 www.sans.org/blog/hunting...
Pleased to share I’ll be speaking at Adversary Village in DEFCON33!
July 22, 2025 at 4:26 PM
Pleased to share I’ll be speaking at Adversary Village in DEFCON33!
⚠️ IntelBroker was arrested in France 🇫🇷 in February 2025, and the US 🇺🇸 is seeking his extradition.
How did Law Enforcement Deanonymize IntelBroker? 🔍
TL;DR: He messed up on the Bitcoin opsec after an undercover officer made a controlled buy 💰
www.justice.gov/usao-sdny/me...
How did Law Enforcement Deanonymize IntelBroker? 🔍
TL;DR: He messed up on the Bitcoin opsec after an undercover officer made a controlled buy 💰
www.justice.gov/usao-sdny/me...
June 27, 2025 at 9:11 AM
⚠️ IntelBroker was arrested in France 🇫🇷 in February 2025, and the US 🇺🇸 is seeking his extradition.
How did Law Enforcement Deanonymize IntelBroker? 🔍
TL;DR: He messed up on the Bitcoin opsec after an undercover officer made a controlled buy 💰
www.justice.gov/usao-sdny/me...
How did Law Enforcement Deanonymize IntelBroker? 🔍
TL;DR: He messed up on the Bitcoin opsec after an undercover officer made a controlled buy 💰
www.justice.gov/usao-sdny/me...
#opendir 🇨🇳
1.94.184[.]17:8000
Huawei Cloud AS55990
.jsp Godzilla Web Shell
6d403c3fc246d6d493a6f4acc18c1c292f710db6ad9c3ea2ff065595c5ad3c5b
/poc.xml contents
wqtzskzmtp[.]zaza[.]eu[.]org
101.33.34[.]170
Tencent AS132203
1.94.184[.]17:8000
Huawei Cloud AS55990
.jsp Godzilla Web Shell
6d403c3fc246d6d493a6f4acc18c1c292f710db6ad9c3ea2ff065595c5ad3c5b
/poc.xml contents
wqtzskzmtp[.]zaza[.]eu[.]org
101.33.34[.]170
Tencent AS132203
June 9, 2025 at 8:34 AM
#opendir 🇨🇳
1.94.184[.]17:8000
Huawei Cloud AS55990
.jsp Godzilla Web Shell
6d403c3fc246d6d493a6f4acc18c1c292f710db6ad9c3ea2ff065595c5ad3c5b
/poc.xml contents
wqtzskzmtp[.]zaza[.]eu[.]org
101.33.34[.]170
Tencent AS132203
1.94.184[.]17:8000
Huawei Cloud AS55990
.jsp Godzilla Web Shell
6d403c3fc246d6d493a6f4acc18c1c292f710db6ad9c3ea2ff065595c5ad3c5b
/poc.xml contents
wqtzskzmtp[.]zaza[.]eu[.]org
101.33.34[.]170
Tencent AS132203
New Blog! Investigating Anonymous VPS services used by Ransomware Gangs
h/t to @drb_ra for lending me some of their C2 data! Made my life a lot easier 🫡
🔗 blog.bushidotoken.net/2025/02/inve...
Podcast version: www.youtube.com/watch?v=xX25...
h/t to @drb_ra for lending me some of their C2 data! Made my life a lot easier 🫡
🔗 blog.bushidotoken.net/2025/02/inve...
Podcast version: www.youtube.com/watch?v=xX25...
February 15, 2025 at 5:39 PM
New Blog! Investigating Anonymous VPS services used by Ransomware Gangs
h/t to @drb_ra for lending me some of their C2 data! Made my life a lot easier 🫡
🔗 blog.bushidotoken.net/2025/02/inve...
Podcast version: www.youtube.com/watch?v=xX25...
h/t to @drb_ra for lending me some of their C2 data! Made my life a lot easier 🫡
🔗 blog.bushidotoken.net/2025/02/inve...
Podcast version: www.youtube.com/watch?v=xX25...
Bournemouth2600 Challenge Coins arrived 😎
January 8, 2025 at 5:32 PM
Bournemouth2600 Challenge Coins arrived 😎
Ransomware Zero Days 2024
January 4, 2025 at 10:11 AM
Ransomware Zero Days 2024
Very interesting screenshot in the latest FBI arrest of the main LockBit developer “Rostislav Panev”
Source code for LockBit builders for #Proxmox and #Nutanix, which have not been observed in the wild AFAIK 🧐
www.justice.gov/opa/media/13...
Source code for LockBit builders for #Proxmox and #Nutanix, which have not been observed in the wild AFAIK 🧐
www.justice.gov/opa/media/13...
December 22, 2024 at 11:58 PM
Very interesting screenshot in the latest FBI arrest of the main LockBit developer “Rostislav Panev”
Source code for LockBit builders for #Proxmox and #Nutanix, which have not been observed in the wild AFAIK 🧐
www.justice.gov/opa/media/13...
Source code for LockBit builders for #Proxmox and #Nutanix, which have not been observed in the wild AFAIK 🧐
www.justice.gov/opa/media/13...
Bluesky now has over 10 million users, and I was #119,222!
September 22, 2024 at 9:02 PM
Bluesky now has over 10 million users, and I was #119,222!
Great year of 2023 UK Infosec conferences and public speaking
December 12, 2023 at 12:06 AM
Great year of 2023 UK Infosec conferences and public speaking
Tonight was firey cheese tagliatelle night 🔥🇮🇹
December 2, 2023 at 10:49 PM
Tonight was firey cheese tagliatelle night 🔥🇮🇹
MrBeast is doing what?!
November 7, 2023 at 3:59 PM
MrBeast is doing what?!
Good day at BSides Bristol today, many informative talks on Cloud, AI, Cybercrime, and Red Teaming
November 5, 2023 at 9:03 AM
Good day at BSides Bristol today, many informative talks on Cloud, AI, Cybercrime, and Red Teaming
Happy with this! Thanks to the BSides London team for accepting my workshop and I shall see you all in December for some threat actor tracking 🔍
October 18, 2023 at 9:17 AM
Happy with this! Thanks to the BSides London team for accepting my workshop and I shall see you all in December for some threat actor tracking 🔍
Pleased to announce I'll be speaking at CyberThreat23 presenting on Practical Cybercrime Intelligence 🔍 related to FOR589
September 1, 2023 at 8:04 AM
Pleased to announce I'll be speaking at CyberThreat23 presenting on Practical Cybercrime Intelligence 🔍 related to FOR589
The fact a ransomware operator on the FBI Most Wanted list is flaunting his wedding in Russia publicly on Twitter is all you need to know when it comes to wondering how well the fight against Russian ransomware threat is going
August 15, 2023 at 8:36 AM
The fact a ransomware operator on the FBI Most Wanted list is flaunting his wedding in Russia publicly on Twitter is all you need to know when it comes to wondering how well the fight against Russian ransomware threat is going
Thanks to Thomas for this book and stickers!! A perfect CTI book, it’s got everything you could want 💯
July 28, 2023 at 10:11 AM
Thanks to Thomas for this book and stickers!! A perfect CTI book, it’s got everything you could want 💯
Great time at BSides Basingstoke today!
July 22, 2023 at 12:51 AM
Great time at BSides Basingstoke today!
Best bit of ‘swag’ I got from SteelCon 😎
July 10, 2023 at 10:34 AM
Best bit of ‘swag’ I got from SteelCon 😎
2nd SteelCon under my belt. Easily one of the best UK Infosec conferences. Worth every penny.
July 9, 2023 at 11:13 PM
2nd SteelCon under my belt. Easily one of the best UK Infosec conferences. Worth every penny.
A leaky kayak in shark infested waters
July 4, 2023 at 7:50 AM
A leaky kayak in shark infested waters