Case Details

  • Title: Indian Government Data Breach (7.6GB) by SukaLebok06
  • Date: July 20, 2025
  • Objective: Investigate the 7.6GB data breach attributed to SukaLebok06, identify the scope, assess impact, and attribute the threat actor.

Summary

On July 16, 2025, at approximately 18:45 IST, a user operating under the alias SukaLebok06 publicly posted a message on the underground forum DarkForums, claiming responsibility for a breach titled: “DOCUMENTS: 7.6GB of Indian Government Data Breach by SukaLebok06”. The post included politically motivated language and advertised the leaked data, which allegedly contained Aadhaar numbers, names, emails, phone numbers, physical addresses, and birth details.

This report documents the OSINT investigation conducted on the actor “SukaLebok06,” including their activities, affiliations, and observed cybercrime infrastructure.

Initial Discovery

  • Date of Detection: July 16, 2025
  • Forum: DarkForums (Underground Hacking Forum)
  • Thread Title: “7.6GB of Indian Government Data Breach by SukaLebok06”
  • Post Content: Included anti-Zionist sentiment and support for Palestine to justify the breach, with hashtags such as:
    • #FreePalestine
    • #BoycottZionism
    • #ByteWhisperers

    Screenshot 2025-07-20 033052.png

Sample data allegedly includes:

Aadhaar Number (UID), Name, Email, Phone Number, Address, Date/Place of Birth

Threat Actor Profile

Alias: SukaLebok06

Known Affiliations:

  • Byte Whisperers (Telegram hacking group)
  • Sunda Cyber Hacktivist
  • Team 7-Ghost (Linked via previous data leak)

Investigation

As part of the technical reconnaissance, StealthMole, a cyber threat intelligence and dark web monitoring platform, was leveraged to map out the extended digital footprint of the threat actor SukaLebok06.

Screenshot 2025-07-20 012509.png

Identify correlated handles across Telegram, Instagram, dark forums, and breached data repositories.

  • Extract and link known hashes, usernames, and alias variants used by the actor.
  • Visualize interconnections with other actors/groups (such as TEAM 7-GHOST) and leaked datasets (e.g., Indian Government 7.6GB dump and Roblox account leaks).
  • Confirm the use of the handle SukaLebok06 across Telegram, Instagram, and dark web forums.
  • Link activity from multiple leaked databases and underground threads involving:
    • Malware (e.g., Pentrazy A, a WormGPT variant)
    • Breached datasets involving government records
    • Roblox credential dumps in collaboration with TEAM 7-GHOST
  • Identify reposts and discussions of leaked data on third-party syndication networks and blogs.
  • Capture key metadata such as image hash traces, timestamps, and syndication indicators.

Digital Footprint & Handles

Platform Handle Description
Instagram @sukalebok06_ Active account selling hacking tools & services
Telegram @SukaLebok06 Admin of multiple hacking channels
DarkForums SukaLebok06 Posted 18 times, first post on 23-06-2025
Link Directory lynk.id/cybersleuth Hacking marketplace listing tools and scripts

The digital footprint of SukaLebok06 has been consistently traced across various platforms using the same

Screenshot 2025-07-19 021422.png

Screenshot 2025-07-20 034626.png

SukaLebok06_6.png

SukaLebok06_4.png

Technical TTPs (Tactics, Techniques, Procedures)

Category Tactics Observed
Data Dumping Large-scale leaks shared on forums and dark web
Recruitment Byte Whisperers Telegram group actively seeks skilled members
Tool Sales Custom DDoS, OSINT, and worm-based tools are advertised for sale
Propaganda Uses political messaging to garner support and justification
Dark Web Links Onion links shared for download and access to tools

Evidences:

Tools & Services Offered

From Instagram and link directories:

  • SilitC2 DDoS Source Code: Free
  • Encrypted Leak Site Code: IDR 300K
  • PentryzaAI (Worm GPT Lite version): IDR 500K
  • OSINT & Doxing Services: IDR 600K

SukaLebok06_2

Telegram Activities

  • Channel: Byte Whisperers (35 members)
    • Recruitment post outlines skill requirements in:
      • DDoS operations
      • Web/Application hacking
      • OSINT & custom scripting

    SukaLebok06_7.png

    • Pinned Message: Links to Indian Government breach
  • Other Groups:
    • DockHackLearn ID – Dev/Tool sharing channel

    SukaLebok06_5.png

    • PentryzaAI – AI-based deception/malware platform

      SukaLebok06_3.png

Conclusion and Attribution Confidence

The investigation into SukaLebok06 reveals a prominent and persistent threat actor actively engaged in politically and ideologically motivated cyber operations, particularly targeting Indian government infrastructure. Through a thorough analysis of digital footprints, forum activity, and identity correlation using OSINT methods and platforms like StealthMole, the actor has been confidently linked to multiple aliases and infrastructure used for leaking sensitive data.

SukaLebok06 appears to be an active member of the Sunda Cyber Hacktivist group, a collective of Indonesian-origin attackers with growing visibility in underground cyber ecosystems. The actor’s involvement in large-scale data breaches, such as the 7.6GB Indian Government data leak, alongside previously leaked assets like Roblox accounts and malware tools, demonstrates a broad spectrum of threat capabilities ranging from basic script deployment to active data exfiltration and public dissemination.

The handles observed (Telegram, Instagram, forum aliases) and repeated branding tactics across platforms indicate a calculated approach toward cyber persona management, likely for recruitment, recognition, or ideological signaling.

Disclaimer

Every effort has been made to ensure the accuracy and integrity of the information presented in this report. However, it is important to acknowledge that cyber attribution is inherently uncertain. The identification of the actor known as SukaLebok06 and the links to the Sunda Cyber hacktivist group are based on available open-source intelligence (OSINT), digital footprint analysis, and correlation through the StealthMole platform.

These connections are assessed as probable but not definitive. Attribution at this level is based primarily on observable alias reuse, behavioral patterns, and infrastructure overlaps across platforms such as Telegram, breach forums, and dark web channels. Further confirmation would require access to closed-source or legal investigative capabilities.

The core purpose of this report is not solely to attribute with absolute certainty, but to demonstrate how tools like StealthMole can empower researchers and security teams to rapidly uncover threat actor infrastructure, cross-reference aliases, and map digital ecosystems using features such as the Dark Web Tracker, Telegram Tracker, ULP Binder, and Leaked Dataset Correlation.

This report is intended to provide actionable insights, inform defensive strategies, and support further investigation, whether by cybersecurity professionals or relevant law enforcement agencies.