How I Became a Hydra Developer Without Registration or SMS
Let me introduce myself first. My name is Bohdan Kolesnev, known online as Askold Monarkhov. I am the developer of frameworks for creating bots: Telebot and Teletant (Teletant is an improved version of Telebot), as well as the developer of QiwiPanel (a panel for managing Qiwi wallets). This panel is part of my Exchanger project (a ready-made currency exchange platform). I’ve also developed a bunch of Telegram bots: news parsers, crypto signal bots, unfortunately even MLM projects (sorry), bots with meme voice messages, and more. But my main income comes from Exchanger and QiwiPanel—these are the two projects I resell, customize for clients, and spend most of my time on.
Now, to the story…
Yesterday, February 18, sometime after 4:00 PM, I was hanging out with friends at a place called Shashlychny Dvor in my city, Zhytomyr. Suddenly, I started getting a lot of messages from different people. Usually, I get maybe two messages a day from people wanting to buy QiwiPanel or the exchanger, but this time it was way more. The messages were like, “Hey Bohdan,” “What’s up with Hydra?” and so on. I didn’t get it at first, so I replied to one person, and he sent me a link to hydra.expert. I started reading, was shocked at first, then went home and began checking everything step by step.
The Investigation
Let’s start with the first point: someone tried to negotiate with a banned platform about buying out an “investigation” and was refused. Why? Maybe because, why pay for random stuff? It’s funny, but it gets more serious.
countly.z.team and some IP address were on the banned platform’s site. Then, the investigator parsed the subdomains and found a composer.json file on one of them, which listed my name, email, and project name:
My nickname is also listed as “mnkv” and the project name is “telebotframework.” I can say this project is over 3 years old, since a GitHub commit from 2018 (link) shows I was already calling the library by a shorter name back then. So, the server has a very old version of my library. To clarify, this isn’t a ready-made bot, but a framework to help write bots. How did this file end up there? It could be easily downloaded without any obstacles or my personal approval.
Next, the “investigation” mentions my domain monarkhov.pro. I’ll add that I used to have gitlab.monarkhov.pro on my domain, where I stored custom development projects. Another “Hydra developer,” Alexander, was registered there, but he never got to use my GitLab server because I sold it soon after at the request of a key client.
After the info about me—various VK links, leaked PrivatBank info, etc.—the most interesting part is the Postman request history with links to aamm.sale and botshop.z.team. I’ll say right away: aamm.sale and botshop.z.team are two domains pointed at the same backend for testing purposes. How do I know about these domains? Here’s the story:
The Client and the Marketplace
One of the QiwiPanel buyers also bought the exchanger from me, then ordered an online store. Like all other clients, he paid me directly to my bank card, so I had no reason to doubt his honesty. The store was supposed to be a marketplace rental service, like prom.ua but in the form of bots. The system was very flexible, and the main goal was to sell Qiwi wallets (which made sense since he had just bought QiwiPanel from me). The system could also sell game keys (pulling data from an external database) and software licenses (subscription products)—a real all-in-one solution. The client haggled over every feature, trying to get a big project for almost nothing, so the project took a long time. Most importantly, he insisted on hosting it on his server. I trusted him because he always paid on time, and I had no doubts. Right before the project was finished, he asked to buy my GitLab server. I reconfigured it for him on a new domain, git.z.team, set everything up, tested it, delivered it, and through TeamViewer he deleted the files from my computer. I no longer had access to the project code or GitLab. I was expecting a $200 payment for the final changes. I ended up waiting forever, because the client messaged me saying I was a scammer, cursed me out, and sent a screenshot supposedly showing I had pushed a backdoor into the exchanger. I was shocked, since I no longer had access. He cursed me out some more and blocked me. I gave up, since there was no way to get the code back from him.
After that, the “investigation” lists some other sites I’ve never seen before, and I still don’t understand how they’re connected to me.
Final Thoughts
In conclusion, I just want to say: if I had known there would be shady stuff involved, I would have charged triple. Thanks to everyone, and to the owners of aamm.sale and the rest who I’ve been linked to: screw you.