
Threat Actor Interview: Spotlight on 303 – An Exploit Developer & Initial Access Broker Targeting Large Orgs

We recently had the opportunity to interview, over chat, an actor going by the alias “303” who operates on a well-known darknet forum, BreachForums. The actor is an exploit developer, web pentester, and initial access broker (IAB) who has over 875 reputation points on the forum.

The actor has changed usernames more than 8 times. The actor’s old usernames were Schutzstaffel, Chronically, Cronically, 303, rootkithun7er, g0d, hithembl0ck, pwnstr, and EvilCorpSyndicate (latest to oldest). The actor claims to have targeted large corporations across the world, such as Chunghwa Telecom, Verizon Business’s SCADA network, Charter Communications Inc, Comcast LLC, Nippon Paint, and Acer China, to name a few.

Sharing private exploits is consistent with the actor’s profile of targeting specific vulnerabilities. During Nov-Dec 2023, the actor published two PoC exploits targeting Siemens’s SIMATIC S7-1500 and SIMATIC S7-1200 Denial of Service (DoS) vulnerabilities. This aligns with the actor’s interview response about the most requested Programmable Logic Controller (PLC) DoS vulnerability exploit targeting SIMATIC S7-1200. In December 2024, the actor posted their private exploit for the Fancy Product Designer plugin for WooCommerce 4.5.1. (Screenshot in Appendix)

Key Takeaways

  • A young hacker skilled in exploit development, web pentesting, and initial access brokering. 303 is the founder of “OG NIGGERS” and an ex-member of “CyberNiggers,” and is motivated by financial gain.
  • Gains network access and sells to operators; occasionally sells databases of high-value companies.
  • Self-taught hacker since 2019, learned from YouTube, active in BreachForums.
  • Runs regularly to maintain focus and reduce stress from computer work.
  • Avoids China, Russia, and CIS countries; targets high-value companies and government organizations in economically strong nations.
  • Collaborated with Monogon and PlayCat; trust is based on reputation and operational security.
  • Delivered DoS exploits for SCADA systems; the most requested model was the Siemens S7-1200, and the most requested targets were in the U.S. and Europe.
  • Exploited SQL vulnerabilities (BIND SQL Injection) in government sites.
  • Developed wipers, backdoors, and info-stealers for Malware-as-a-Service.
  • Operated DarkStresser, a privacy-focused DDoS tool using Russian servers.
  • Used recon, outdated service exploits, and backdoors for persistence.
  • Developed Python PoC for DirectAdmin 1.561 RCE for BreachForums.
  • Clients include ransomware groups and individual operators.
  • Indifferent to harm caused; targets large companies with weak security.
  • Effective defenses include MySQL firewalls, EDRs, and IDS.
  • Believes AI will enhance exploit development in the future.
  • Predicts more data breaches and anonymization technologies on the dark web.
  • Advises companies to hire skilled personnel to address human errors in security.


The Interview

Below we have presented the questions and answers with no modification.

Question: Welcome to the Osint10x interview, 303! As this is our first engagement, can you please tell us about yourself and your work?

303: Well, I am a young hacker with knowledge of various topics in cybersecurity. Like, as exploit development, Web pentesting, and initial access brokering. My work is focused on getting access to networks and selling them to other operators. but sometimes I sell data too (databases.) of high-value companies.


Question: How did you get involved in hacking and the dark web? Was it self-driven, or were you mentored by someone?

303: My path of hacking started in 2019 as a self-driven student, I started getting interested in exploiting networks, and critical infra. so I started learning from YouTube videos. And speaking about the dark web I have been in this since the OG BreachForums.


Question: What does your day look like away from the keyboard? Do you go for a run, surf, yoga, or are you always in the Twilight Zone?

303: My Day away from the keyboard, I do running to maintain focus, after a long day working on the computer. I think doing some type of sport helps you to maintain focus on the target you’re working on. To have less stress.


Question: Do you target specific organizations or regions intentionally, or are they just opportunistic?

303: My targets are everything except, China & Russia. or any CIS country. and yes I target specific organizations.


Question: Can you please tell us about the “OG NIGGERS” group? Who are the members, how does it work, what’s the group’s motivation and your contribution? How did it start?

303: OG Niggers, is a threat actor group made by me for money motivation, and for fun. the members are me, and seraph8. but the group in the past had more members but for some inactivity problems, we disbanded. My contribution to the group is getting access to companies’ networks. my main focus is that. And my contribution to the group was hacking databases.


Question: As you have posted some of your breaches under the CyberNiggers tag, can you tell us this group’s motivation, who are the current members, what’s your contribution and how it started?

303: Yes I’m an ex-former member of CyberNiggers, the group’s motivation was money. (at least for me), and it started in 2023 when I was getting a very good reputation on BreachForums, I asked IntelBroker (current owner of the forum) if I could join and he accepted. And my contribution to the group was hacking databases.


Question: Can you tell us about Evil Corp Syndicate and haxSec? What are these groups and their motivation and who are part of them?

303: Evil Corp Syndicate and Haxsec are the same group, just renamed. The motivation was money and technical challenges. This ransomware group doesn’t exist anymore.


Question: Some of your oldest advertisements are about the SQL vulnerabilities in government websites, can you tell us more about what those vulnerabilities were that you referred to as “0day vulnerabilities”?

303: These vulnerabilities are mostly BIND SQL injections.


Question: Can you tell us about the attack methodologies for targeting Chunghwa Telecom and Verizon Business’s SCADA network?

303: The methodologies I used for targeting Chunghwa Telecom were simple; active recon, searching for vulnerabilities on the network (such as RCE), and referring to Verizon Scada was just searching for a specific vulnerable ICS model to my exploit. well, answering your question about my general methodologies is doing active and passive recon, searching for subdomains, or any network vulnerability such as RCE, or SQL injection.


Question: We noticed that you started delivering SCADA exploit development services with your team. What kind of exploit development was requested the most, for example, an exploit for a particular SCADA system or vulnerabilities or companies?

303: The most requested exploit for SCADA was DDoS (Denial of service) which allows the attacker to attack the CPU of the ICS to take it down. and the most requested model was the S7-1200. The Most requested country was the United States or any European country. And speaking about Zero Days exploits, to identify it you just need to work on that service, make possible exploits, and test it on live targets, it’s all on fail and error testing.

The SIMATIC S7-1200 is a versatile and compact PLC by Siemens, designed for small to medium-sized automation tasks. It supports extensive communication, advanced technology functions, and safety integration for industries such as manufacturing, processing, and building automation.


Question: How often do you use info-stealers to obtain access to the company’s networks?

303: I don’t use any type of stealer to access company networks.


Question: How did you discover the vulnerability in DirectAdmin 1.561? Was it through manual research, automated tools, or some other means?

303: The Vulnerability in the DirectAdmin 1.561 exploit was based on a PoC of exploit-db.com which was not in Python. So, I “translated” it into Python code. and it was manual research. The main goal for releasing the DirectAdmin RCE PoC was to contribute to the BreachForums community. Not for financial gain or any type of thing.


Question: Do you collaborate with others (e.g., groups like Monogon or PlayCat), or are your operations largely solo? How do you manage trust in collaborative environments?

303: Yes, I collaborated with Monogon as the second leader, and Playcat too. But sometimes I do operations solo, as you can see on my breachforums profile. well to manage trust in a collaborative environment, I just work with people I know for a long time. and with a good reputation + data breaches on the forum. To maintain operational security, and avoid federal.


Question: Can you please tell us about the Malware-as-a-Service (MaaS) you started offering in February 2024?

303: The malware as a service, was when I was developing custom malware such as wipers, backdoors, and info stealers. but at that time it didn’t get much attention or potential buyers. I was new to the forum.


Question: Can you please tell us about DarkStresser and how it’s different from other DDoS tools out there in the market?

303: DarkStresser was a privacy-focused Stresser, aimed to provide anonymous payments, and fast attacks to our clients. and DarkStresser was different because all our servers were based in Russia, for privacy and security. All DarkStresser was thought for security and privacy.


Question: Which geo and sector interests you as a target, and why? Is there a broader motive or philosophy behind target selection?

303: My interests are e-commerce and telecommunications as targets because they are high-value companies. and I don’t have any motive to be honest when I attack. I only target high-profile targets, because I know in the long term it can generate good earnings. And usually, I attack private companies and government organizations. I only attack major economic nations such as the USA, or any Asian/Europe country. I do not attack China or CIS countries.


Question: What kind of buyers are most interested in your offerings—individual criminals, state actors, or corporations?

303: The most interested buyers are from ransomware groups and individual operators.

Question: I noticed a thread that says Colombia Big Telecom Initial Access. How do you gain access to such kinds of companies? Can you please list down the TTP and methodologies used?

303: To gain access to corporations, the easiest way is to attack their servers with outdated services. and the TTP is recon, exploiting, getting access, and installing a backdoor to gain persistence on the target.


Question: How do you rationalize the potential harm your actions cause to individuals or organizations?

303: I don’t care if the actions cause harm to organizations. I do not target persons I target big revenue companies, with a lot of money. and I think they deserve it. if they are not capable of getting better security, why i will not attack them?


Question: I noticed one of your posts where the Ferrari Windows 10 Remote Access Trojan is being sold. Can you explain this?

303: Ferrari RAT was a Python-based RAT, which has features such as keylogging, stealing cookies from browsers, and more.


Question: What measures taken by organizations (if any) have successfully thwarted your attempts or made attacks more difficult?

303: MySQL firewall, when it only can access inside the machine. when I had the correct credentials from brute-forcing but you can’t log in because of the firewall. also EDRs and IDs.

303 describes an attempt to gain unauthorized access to a MySQL database: despite obtaining valid login credentials by brute force, robust security measures (firewall restrictions, EDR, and IDS) prevented further exploitation.
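For defenders, the control described above can be checked directly. The following is an added example, not part of the interview or the publisher's tooling: a small audit that flags a MySQL listener bound beyond loopback and accounts whose host pattern permits remote logins. It assumes that the "firewall" 303 mentions means MySQL being reachable only from the local machine, and that an unset `bind-address` means the server listens on all interfaces; the sample configs and account rows are constructed.

```python
import configparser
import ipaddress

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def is_loopback(addr):
    """True if a bind-address value keeps the listener on loopback only."""
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # '*' and other hostnames are treated as exposed

def audit(cnf_text, accounts):
    """Return exposure findings; accounts are (user, host) rows from mysql.user."""
    # my.cnf has bare flags and !include lines; relax the parser, drop the latter.
    lines = [l for l in cnf_text.splitlines() if not l.lstrip().startswith("!")]
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string("\n".join(lines))
    opts = {}
    if cp.has_section("mysqld"):
        # MySQL treats '-' and '_' in option names as equivalent.
        opts = {k.replace("-", "_"): v for k, v in cp.items("mysqld")}
    findings = []
    tcp_off = ("skip_networking" in opts and
               str(opts["skip_networking"]).lower() not in ("0", "off", "false"))
    bind = opts.get("bind_address") or "*"  # assumption: unset = all interfaces
    if not tcp_off:
        exposed = [a.strip() for a in bind.split(",") if not is_loopback(a.strip())]
        if exposed:
            findings.append("listener reachable on: " + ", ".join(exposed))
    # Remote-capable accounts matter even behind a loopback listener.
    for user, host in accounts:
        if host.lower() not in LOCAL_HOSTS:
            findings.append(f"account '{user}'@'{host}' accepts remote logins")
    return findings

# Constructed sample inputs (not taken from any real server).
WEAK_CNF = "[mysqld]\nport = 3306\nbind-address = 0.0.0.0\n"
HARDENED_CNF = "[mysqld]\nbind-address = 127.0.0.1\n"
WEAK_ACCOUNTS = [("root", "%"), ("app", "localhost")]
HARDENED_ACCOUNTS = [("root", "localhost"), ("app", "127.0.0.1")]

if __name__ == "__main__":
    for finding in audit(WEAK_CNF, WEAK_ACCOUNTS):
        print("WEAK:", finding)
    print("HARDENED findings:", audit(HARDENED_CNF, HARDENED_ACCOUNTS))
```

With both checks clean, a brute-forced password is of no use from outside the host, which matches the failure 303 reports.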


Question: Are there any specific advancements or trends in technology that you think will make hacking easier or harder in the future?

303: Yes, I think AI will benefit hacking in exploit development or ways to create new exploits to target companies. and it will make it easier.


Question: How do you see the landscape of cybersecurity and dark web activities evolving in the next few years?

303: And I said a lot of future in the dark web activities, and cybersecurity because every day you have a data breach, and new types of technologies are evolving. You have new services such as VPNs, and Tor, and I hope in the future it will create more anonymous services to protect your identity online.


Question: What advice would you give to organizations trying to defend against actors like you?

303: The advice I can give to the companies, is just to get better personnel and skilled persons to get better security on your servers. because every security error is from human error.


Question: Thank you very much for your time. Is there anything you want to say, that we haven’t asked you?

303: Thanks for having me in this interview.


Appendix

Exploit for Fancy Product Designer plugin for WooCommerce 4.5.1
OpenSSH 9.6 RCE Exploit
PoC Exploit for Siemens SIMATIC S7-1500
PoC Exploit for Siemens SIMATIC S7-1200

Disclaimer

This interview is provided for informational purposes only and does not express approval, support or agreement with any actions mentioned in the text. The author of the publication is not related to the activities described in the interview and is not responsible for any consequences of using the information provided.

The interview materials are intended to raise public awareness of modern cyber threats and the methods of cybercriminal groups. The publication of this text does not constitute propaganda of illegal activity and does not encourage violation of laws.

Readers are advised to always observe legal regulations and consult with the appropriate authorities if they have questions about the topics covered in this interview.

