Draft:Dancho Danchev



Danchev Danchev (Данчо Данчев) (born November 22, 1983) is a Bulgarian cyber security researcher, journalist and blogger. Born in Sofia, he now lives in Troyan.

Biography
Danchev is an influential figure in the world of cybersecurity. With his extensive knowledge and experience he has made significant contributions to this field. One of his key contributions to cyber security is his role in uncovering and analyzing new cyber threats. He has a keen ability to identify emerging trends and techniques used by threat actors, which has helped organizations stay one step ahead in protecting their systems and data.

Dancho Danchev has pioneered his own methodology for processing threat intelligence leading to a successful set of hundreds of high-quality analysis and research articles published at the industry's leading threat intelligence blog - ZDNet's Zero Day, Dancho Danchev's Mind Streams of Information Security Knowledge and Webroot's Threat Blog with his research featured in Techmeme, ZDNet, CNN, PCWorld, SCMagazine, TheRegister, NYTimes, CNET, ComputerWorld and H+Magazine.

He's been active on Twitter, LinkedIn and Facebook and has made all of his research throughout the years publicly accessible on the Internet Archive.

He has presented at RSA Europe 2012, CyberCamp 2016 in Spain , InfoSec 2012 in London, GCHQ in Cheltenham and Interpol in Lyon, France.

Danchev has been an active security blogger since 2007. He is a cybersecurity researcher and a WhoisXML API threat researcher. He is known for reporting on the Chinese hacktivist attack on CNN in 2008, with additional reports on the Operation Ababil attack on Wells Fargo U.S. Bank and PNC Bank and the New York Times advertisement attack in 2009.

At ZDNet’s Zero Day blog, he co-wrote articles and analyses on East European criminal activity and online scams. Danchev’s research often focused on cyber terrorism activities of terrorist groups and monitoring the activities of the Koobface worm which targeted users of social networking sites, including Facebook.

He then started working for Webroot. In 2021 he started working for CyberNews.

Danchev went missing in 2011, according to reports, after his blog post on the collection of his research on terrorist organizations' use of the internet for jihad. With help from the security community and security professionals he then resurfaced in January 2011.

Key career points

 * Presented at the GCHQ with the Honeynet Project
 * SCMagazine Who to Follow on Twitter for 2011
 * Participated in a Top Secret GCHQ Program called "Lovely Horse"
 * Identified a major victim of the SolarWinds Attack - PaloAltoNetworks
 * Found malware on the Web Site of Flashpoint
 * Tracked monitored and profiled the Koobface Botnet and exposed one botnet operator
 * Made it to Slashdot two times
 * His personal blog got 5.6M page views since December, 2005
 * His old Twitter Account got 11,000 followers
 * He had an average of 7,000 RSS readers on my blog
 * He had his own vinyl "Blue Sabbath Black Cheer / Griefer – We Hate You / Dancho Danchev Suck My Dick" made by a Canadian artist
 * He's currently running Astalavista.box.sk
 * Listed as a major competitor by Jeffrey Carr's Taia Global

Early teenage hacker years
His first teenage hacker group which he created and worked alone was called S1F (Sekurity is Futile). He is also known to have been moderating Blackcode Security Raver's newsletter. He originally began writing security and hacking articles which were published on NewOrder. During that time he was also writing articles for Frame4 Security Systems where he wrote the infamous "The Complete Windows Trojans Paper" including WindowSecurity.com and was running an information security section at HiComm Bulgaria a popular technology magazine. He also contributed an article for CIO.bg. He was also a member of different H/C/P/A (Hacking/Cracking/Phreaking/Anarchy) groups at the time. His first commercial position was at the anti-trojan vendor DiamondCS's Trojan Defense Suite where he assisted in the building of the Trojan Information Database. He later bought the software copyright and sold it to LockDownCorp which was a competing anti-trojans vendor where he started working at on his way to collect malicious software releases and improve the vendor's market position as a leading anti-trojans vendor. He continued his work on the Trojan Database and began producing detailed information on various malicious software releases that he was collecting as part of his work.

Education
Danchev studied in Vasil Levski Secondary School in Troyan, Bulgaria and later in The Netherlands at Hogschool Zuyd in Sittard, and Hogeschool In Holland in Rotterdam.

Work career
Danchev is known to have been moderating DiamondCS's Trojan Defense Suite newsletter in 1999. He then joined the Netherlands-based company Frame4 Security Systems where he wrote the infamous "The Complete Windows Trojans Paper". He then worked for TechGenix's WindowSecurity.com where he wrote "Building and Implementing a Successful Information Security Policy" paper. Danchev is known to have been running Astalavista Security Group's Astalavista.com in 2003 Web site and Astalavista.box.sk Web site in 2021. He presently works at WhoisXML API as a DNS Threat Researcher.

He is known to have worked at the following companies and organizations:


 * 1999 - DiamondCS
 * 2000 - LockDownCorp
 * 2002 - Frame4 Security Systems


 * 2003 - TechGenix
 * 2003 - ASTALAVISTA IT Engineering GmbH
 * 2008 - ZDNet
 * 2012 - Webroot
 * 2014 - Wandera
 * 2017 - GroupSense
 * 2018 - KCS GROUP EUROPE LIMITED
 * 2019 - Treadstone 71
 * 2019 - Armadillo Phone
 * 2020 - Astalavista.box.sk
 * 2021 - WhoisXML API

He has also contributed to ITSecurity.com's Security Clinic and was a newsletter moderator at Blackcode Ravers.

Disappearance
In September 2010, Danchev went missing under mysterious circumstances amid concerns about his safety. Prior to his disappearance, he had expressed concerns about surveillance by Bulgarian law enforcement and intelligence services. Despite efforts to contact him through various means, including phone and email, he could not be reached. ZDNet published a letter and photos he had sent, seeking information on his whereabouts. While anonymous sources indicated he was alive but facing difficulties, the exact details of his disappearance remain unknown.

According to Internet Anthropologist who tried to track him and find out using his law enforcement contacts his legal contact in Sofia Bulgaria told him that he was in a psychiatric clinic as his mother requested the hospitalization due to his belief that he was under surveillance. The same information was confirmed by Krypt3ia and Threatpost who approached a press officer at the U.S. Embassy in Sofia, Bulgaria who told him that they were unaware of his case, but would look into reports of his arrest. The hospital where Danchev was held confirmed that he will be released within four or six weeks but declined to comment. He sent an email letter describing the situation to a colleague prior to his disappearance just in case something might happen including a photo of a supposed surveillance device in his bathroom.

In 2013 the infamous Darkode forum got breached and based on public information by the ones who breached it there was a Hitman request for Danchev Danchev in the forum.

This was covered by Slashdot, ZDNet, CSO Online, SC Magazine, Gizmodo, Gawker, PC Mag, Techdirt and TG Daily.

Cybercrime Underground
The numerous occasions Danchev's work and research has been quoted and referenced by Russia based cybercriminals and cybercrime gangs.


 * Dancho Danchev and Brian Krebs got married message
 * Koobface Botnet C&C channel referencing him in the network communication
 * SpyEye blog post referencing him
 * Darkode Leak mentioning his kidnapping and Ivan Kaspersky's kidnapping
 * U.S Treasure Department web site redirected to his personal Blogger profile
 * Scareware serving campaign using a message referencing him

Astalavista.com
Danchev is known to have been running Astalavista Security Group's Astalavista.com in since 2003. He was responsible for producing the monthly security newsletter.

He has interviewed the following people from the security industry and the Scene.


 * Proge — http://www.progenic.com/
 * Jason Scott — http://www.textfiles.com/
 * Kevin Townsend — http://www.Itsecurity.com/
 * Richard Menta — http://www.bankinfosecurity.com
 * MrYowler — http://www.cyberarmy.net/
 * Prozac — http://www.astalavista.com/
 * Candid Wuest — http://www.trojan.ch/
 * Anthony Aykut — http://www.frame4.com/
 * Dave Wreski — http://www.linuxsecurity.com/
 * Mitchell Rowtow — http://www.securitydocs.com/
 * Eric (SnakeByte) — http://www.snake-basket.de/
 * Björn Andreasson — http://www.warindustries.com/
 * Bruce — http://www.dallascon.com/
 * Nikolay Nedyalkov — http://www.iseca.org/
 * Roman Polesek — http://www.hakin9.org/en/
 * John Young — http://www.cryptome.org/
 * Eric Goldman — http://www.ericgoldman.org/
 * Robert — http://www.cgisecurity.com/
 * Johannes B. Ullrich — http://isc.sans.org/
 * Daniel Brandt — http://google-watch.org/
 * David Endler — http://www.tippingpoint.com/
 * Vladimir, 3APA3A — http://security.nnov.ru/

Astalavista.box.sk
In 2020 Danchev announced the official re-launch of the infamous Astalavista.box.sk hacking search engine web site with a forum community targeting security experts and hackers.

On April 7, 2021, an article was published on Medium.com by Dancho Danchev stating that the site is back up and running. Danchev has released several versions of the web site.

Koobface botnet
In October 2009 the gang redirected Facebook's Internet Protocol (IP) netspace to his blog.

In February 2010 Danchev posted an article called "10 things you didn't know about the Koobface gang" where he discussed some of the key aspects of the Koobface botnet. In May 2010 the group responded to his article in a step by step fashion response within the source code of all the malware-infected hosts that were distributing the malicious software.

In January The Register released an article stating that five Koobface gang suspects were named by The New Times following Danchev's investigation.

In January 2012 Danchev gave an interview to DW where he discussed his findings into the Koobface botnet.

In February 2012 Danchev posted an OSINT (Open Source Intelligence) analysis called "Who's Behind the Koobface Gang?" where he provided personally identifiable information on one of the botnet masters behind the Koobface botnet.

2008 Developments
In 2006 he released his Malware Future Trends paper where he also presented his findings on the current and future trends of malicious software. He also elaborated on the fact that TrendMicro's web site got infected with malware including the fact that the United Nations web site was susceptible to a SQL injection flaw.

He also offered in-depth coverage on the rise of the Storm Worm botnet. He also found that the Whitehouse.org web site was serving malware. He also found a malware campaign that's exploiting a Flash zero day flaw. He also did some research on the GPCode malicious software. He also offered insights into the DNS hijacking of PhotoBucket by Turkish hacktivists. He also uncovered that the infamous ZeuS crimeware kit was vulnerable to a zero day flaw. He also provided an analysis into the mass web site defacement by Russian hackers of over three hundred Lithuanian web sites.

He was also featured in Computerworld on Russia's cyber militia mobilizing itself to attack Georgia. His research into a Facebook themed phishing campaign also got featured on Wired. His research on a fake Microsoft Patch Tuesday email spam campaign delivering malware was also featured in CNET. He was also among the first security researchers to raise awareness on a mass cyber attack involving abuse of input validation flaws on thousands of legitimate Web sites which was featured in Computerworld.

He also offered an insight into how hackers took Comcast.net offline which was featured in InfoWorld.

His research on a recently exploited Adobe Flash zero day vulnerability was also featured in Securityfocus. He also offered insights into the U.S Air Force efforts to build an offensive botnet and was featured in CNET. His research into the Storm Worm botnet was also featured in CNET. His research into India's CAPTCHA solving economy was also featured on BoingBoing.

2009 Developments
In 2009 Dancho Danchev was referenced three times in Foreignpolicy on his findings of a fake Russia based gas company that was facilitating cybercrime activities including a reference on his research into ransomware using mobile payments and a reference for his research into DDoS attacks. He was also featured in The Register with his research on what he described as the "Ukrainian Fan Club" with his research emphasizing on the connection between the scareware attack campaign on the web site of the NYTimes and the click fraud botnet known as the Bahama botnet. He was also featured in a separate article in InfoWorld on the topic of the "Ukrainian Fan Club" where his research established a connection between the cybercrime gang and an active scareware distributing campaign. His research on Iran's cyber attack campaigns was also featured in PCWorld.

Interviews
Danchev is known to have given an interview to Russian OSINT. Danchev is also known to have given an interview to LinuxSecurity.com.

Research achievements

 * Danchev is known to have participated in a Top Secret GCHQ Program to monitor hackers online based on a document part of Edward Snowden's archive.
 * Danchev is known to have discovered a major SolarWinds supply chain attack victim which is PaloAlto Networks.
 * Danchev is also known to have contributed to research involving the Avalanche and the Mumba botnets.
 * Danchev is known to have contributed to the use of search engines by Cyber Criminals in the context of blackhat SEO (search engine optimization) and malicious search engine results poisoning research.
 * Danchev is known to have contributed research on the Luthuanian cyber attacks and the Russia vs Georgia cyber attacks.
 * Danchev is known to have been running and maintaining the "Diverse Portfolio of Fake Security Software" blog posts on scareware blog posts series.

Awards

 * Jessy H. Neal Award for Best Blog for ZDNet's Zero Day Blog in 2010
 * SCMagazine Social Media Award for "Five to Follow on Twitter" in 2011