Case Details
- Title: Indian Government Data Breach (7.6GB) by SukaLebok06
- Date: July 20, 2025
- Objective: Investigate the 7.6GB data breach attributed to SukaLebok06, identify the scope, assess impact, and attribute the threat actor.
Summary
On July 16, 2025, at approximately 18:45 IST, a user operating under the alias SukaLebok06 publicly posted a message on the underground forum DarkForums, claiming responsibility for a breach titled: “DOCUMENTS: 7.6GB of Indian Government Data Breach by SukaLebok06”. The post included politically motivated language and advertised the leaked data, which allegedly contained Aadhaar numbers, names, emails, phone numbers, physical addresses, and birth details.
This report documents the OSINT investigation conducted on the actor “SukaLebok06,” including their activities, affiliations, and observed cybercrime infrastructure.
Initial Discovery
- Date of Detection: July 16, 2025
- Forum: DarkForums (Underground Hacking Forum)
- Thread Title: “7.6GB of Indian Government Data Breach by SukaLebok06”
- Post Content: Included anti-Zionist sentiment and support for Palestine to justify the breach, with hashtags such as:
#FreePalestine#BoycottZionism#ByteWhisperers

Sample data allegedly includes:
Aadhaar Number (UID), Name, Email, Phone Number, Address, Date/Place of Birth
Threat Actor Profile
Alias: SukaLebok06
Known Affiliations:
- Byte Whisperers (Telegram hacking group)
- Sunda Cyber Hacktivist
- Team 7-Ghost (Linked via previous data leak)
Investigation
As part of the technical reconnaissance, StealthMole, a cyber threat intelligence and dark web monitoring platform, was leveraged to map out the extended digital footprint of the threat actor SukaLebok06.

Identify correlated handles across Telegram, Instagram, dark forums, and breached data repositories.
- Extract and link known hashes, usernames, and alias variants used by the actor.
- Visualize interconnections with other actors/groups (such as TEAM 7-GHOST) and leaked datasets (e.g., Indian Government 7.6GB dump and Roblox account leaks).
- Confirm the use of the handle
SukaLebok06across Telegram, Instagram, and dark web forums. - Link activity from multiple leaked databases and underground threads involving:
- Malware (e.g., Pentrazy A, a WormGPT variant)
- Breached datasets involving government records
- Roblox credential dumps in collaboration with TEAM 7-GHOST
- Identify reposts and discussions of leaked data on third-party syndication networks and blogs.
- Capture key metadata such as image hash traces, timestamps, and syndication indicators.
Digital Footprint & Handles
| Platform | Handle | Description |
|---|---|---|
| @sukalebok06_ | Active account selling hacking tools & services | |
| Telegram | @SukaLebok06 | Admin of multiple hacking channels |
| DarkForums | SukaLebok06 | Posted 18 times, first post on 23-06-2025 |
| Link Directory | lynk.id/cybersleuth | Hacking marketplace listing tools and scripts |
The digital footprint of SukaLebok06 has been consistently traced across various platforms using the same




Technical TTPs (Tactics, Techniques, Procedures)
| Category | Tactics Observed |
|---|---|
| Data Dumping | Large-scale leaks shared on forums and dark web |
| Recruitment | Byte Whisperers Telegram group actively seeks skilled members |
| Tool Sales | Custom DDoS, OSINT, and worm-based tools are advertised for sale |
| Propaganda | Uses political messaging to garner support and justification |
| Dark Web Links | Onion links shared for download and access to tools |
Evidences:
Tools & Services Offered
From Instagram and link directories:
- SilitC2 DDoS Source Code: Free
- Encrypted Leak Site Code: IDR 300K
- PentryzaAI (Worm GPT Lite version): IDR 500K
- OSINT & Doxing Services: IDR 600K

Telegram Activities
- Channel: Byte Whisperers (35 members)
- Recruitment post outlines skill requirements in:
- DDoS operations
- Web/Application hacking
- OSINT & custom scripting

- Pinned Message: Links to Indian Government breach
- Recruitment post outlines skill requirements in:
- Other Groups:
- DockHackLearn ID – Dev/Tool sharing channel

-
PentryzaAI – AI-based deception/malware platform

Conclusion and Attribution Confidence
The investigation into SukaLebok06 reveals a prominent and persistent threat actor actively engaged in politically and ideologically motivated cyber operations, particularly targeting Indian government infrastructure. Through a thorough analysis of digital footprints, forum activity, and identity correlation using OSINT methods and platforms like StealthMole, the actor has been confidently linked to multiple aliases and infrastructure used for leaking sensitive data.
SukaLebok06 appears to be an active member of the Sunda Cyber Hacktivist group, a collective of Indonesian-origin attackers with growing visibility in underground cyber ecosystems. The actor’s involvement in large-scale data breaches, such as the 7.6GB Indian Government data leak, alongside previously leaked assets like Roblox accounts and malware tools, demonstrates a broad spectrum of threat capabilities ranging from basic script deployment to active data exfiltration and public dissemination.
The handles observed (Telegram, Instagram, forum aliases) and repeated branding tactics across platforms indicate a calculated approach toward cyber persona management, likely for recruitment, recognition, or ideological signaling.
Disclaimer
Every effort has been made to ensure the accuracy and integrity of the information presented in this report. However, it is important to acknowledge that cyber attribution is inherently uncertain. The identification of the actor known as SukaLebok06 and the links to the Sunda Cyber hacktivist group are based on available open-source intelligence (OSINT), digital footprint analysis, and correlation through the StealthMole platform.
These connections are assessed as probable but not definitive. Attribution at this level is based primarily on observable alias reuse, behavioral patterns, and infrastructure overlaps across platforms such as Telegram, breach forums, and dark web channels. Further confirmation would require access to closed-source or legal investigative capabilities.
The core purpose of this report is not solely to attribute with absolute certainty, but to demonstrate how tools like StealthMole can empower researchers and security teams to rapidly uncover threat actor infrastructure, cross-reference aliases, and map digital ecosystems using features such as the Dark Web Tracker, Telegram Tracker, ULP Binder, and Leaked Dataset Correlation.
This report is intended to provide actionable insights, inform defensive strategies, and support further investigation, whether by cybersecurity professionals or relevant law enforcement agencies.