We are entirely apolitical, and our sole focus is financial gain. We constantly seek new affiliates, with room for every skilled professional. Your nationality, language, age, or religion is irrelevant; we are open for collaboration with anyone, anywhere, at any time.

Primarily, we seek cohesive and professional pentest teams. Secondly, we are open to collaboration with access providers: whether you sell access or work on a percentage of the ransom, absolute trust is required. We ensure a fully transparent process—you can monitor all victim communication. If an encrypted company refuses to pay, you will see their exfiltrated data published on our blog. We also collaborate with those who prefer not to deploy encryption, offering a platform to sell stolen data on the most high-traffic blog available.

Core Feature Set

• Admin panel accessible via the Tor network
• Victim communication over Tor, featuring a live chat with notifications and file transfer capabilities
• Capacity to create private chats for confidential negotiations with victims
• Automated test file decryption
• One-click generation of decrypters directly from the panel
• Maximum security options for decrypters, including storage on removable media
• Autonomous data upload to the blog, managed by you without our intervention
• Image upload functionality for the blog
• Capability to publish full victim negotiation histories to the blog
• Generation of builds with varied configurations, all tied to a single encryption key for a target network
• Two distinct Windows encryption lockers within one panel, developed independently, allowing for dual encryption for those with heightened security concerns
• Customizable lists for process and service termination
• Customizable exclusion lists—by computer name, file name, or extension—to prevent encryption of specific targets
• Rapid and thorough sanitization of free disk space post-encryption, preventing data recovery
• Filename encryption to hinder partial file reconstruction
• Neutralization and removal of Windows Defender
• Privilege escalation impersonation for local system access
• SafeMode operation to evade antivirus detection and enhance encryption strength
• Local subnet port scanner for identifying shared DFS, SMB, and WebDav resources
• Automated propagation within domain networks, eliminating the need for scripts, GPO, or psexec
• Secure deletion of volume shadow copies
• Removal of forensic artifacts from system logs
• Post-execution system shutdown to prevent RAM dump analysis
• Unlimited printing of ransom notes via network printers
• Compatibility with all Windows versions, offering flexible deployment methods (exe, dll, ReflectiveDll, ps1)
• Operation on all ESXi versions (excluding 4.0), with adaptable configurations
• Support for multiple Linux distributions and architectures (including 14 for NAS devices, RedHat, KVM)

This, and much more, is available when you join our team. If a specific feature you require is missing, inform us; we may implement it for you.

Affiliate Program Rules

• You must maintain activity to utilize our software.
• Sharing panel access is strictly prohibited. If collaborating with a partner, a sub-account with read-only chat permissions can be issued. Remember, your partner could be an informant or be apprehended.
• You must honor all commitments made to the victim during negotiations. For example, if you promise to provide a file tree, you must deliver.
• Exfiltration of valuable data from every target is mandatory.
• Collaboration with competitors is permitted, but you must disclose this and explain what features you appreciate elsewhere; we are committed to progress and will implement valuable suggestions.

Target Categories

• Encryption is prohibited against critical infrastructure: nuclear power plants, thermal power stations, hydroelectric plants, and similar entities. Data theft without encryption is permitted. If uncertain about an organization's status, consult our helpdesk.
• The oil and gas sector—including pipelines, refineries, and extraction sites—is off-limits for encryption. Data theft without encryption is allowed.
• Attacks against post-Soviet states are forbidden: Armenia, Belarus, Estonia, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan. This policy respects the origins of our core developers and partners.
• Non-profit organizations are permissible targets. If an organization uses computers, it is responsible for its network security.
• Private, revenue-generating educational institutions are allowed targets.
• Attacks on certain medical entities—such as pharmaceutical firms, dental clinics, plastic surgery centers—are permitted with extreme caution, provided they are private and profitable. Encryption is forbidden at institutions where file loss could cause fatalities (e.g., cardiology centers, neurosurgery departments, maternity hospitals). Data theft from any medical facility is allowed, as this data is often highly sensitive. Consult the helpdesk if you are unsure.
• We encourage attacks on police stations and law enforcement agencies. They often fail to appreciate our post-paid pentesting services, deeming them illegal. We must demonstrate the importance of robust network security and issue fines for digital incompetence.
• Government organizations are valid targets, provided they generate revenue.

Payment Structure

Our affiliate commission is 20% of the total ransom. If you believe this is excessive and it deters you from working with us, simply adjust your ransom demand upwards by 20% and proceed happily.

You receive victim payments directly to your personal wallets in any currency, and then transfer our share. For ransoms exceeding $500,000, you will provide the victim with two wallets: one for your 80%, and one for our 20%. This protects us from potential fraud.

You conduct all negotiations and independently determine the value of your pentesting services, which deserves generous compensation.

Application Process

For any questions, concerns, or complaints, contact our TOX support. Anonymity is respected; you may create a disposable TOX ID. Your feedback on our strengths and weaknesses is vital for our continuous improvement.

We scrutinize all applicants thoroughly, as we are constant targets of hacking attempts. Your forum reputation, team composition, proof of work with other programs, wallet balance, and payment history are all considered. Admission can also be secured via a guarantee from established, trusted partners.

Our most effective vetting method is a deposit. Upon joining, you deposit 1 bitcoin as an advance, which will be deducted from your future commission payments. This one-time requirement filters out inexperienced newcomers, law enforcement, journalists, competitors, and other pests.

Recommended Application Form

• Links to your profiles on hacker forums—older accounts are preferred.
• Description of your experience with other affiliate programs, with evidence such as screenshots or transaction histories.
• Proof of your current cryptocurrency balance.
• Explanation for leaving your previous affiliate program and wanting to join us.
• Details of current network accesses you are prepared to attack immediately after joining. Immediate action after accession is recommended to build trust.
• Preferably, have already exfiltrated data from a prospective target, ready for the blog, with evidence such as screenshots, file trees, or access to the files.
• A voucher from friends or associates already working within our program.
• A request for our bitcoin or monero wallet address to make your deposit, demonstrating your confidence and readiness to earn.