Bulgarian authorities release CCTV evidence showing tax office hacker Kristian Boykov sending email to media

TAD Group founder Ivan Todorov implicated in audio recordings admitting that the company has hacked 49 entities to drum up business

Authorities in Bulgaria have released CCTV evidence from the offices of IT security firm TAD Group directly implicating Kristian Boykov in June's tax office hack.

Furthermore, the evidence also suggests that TAD Group was responsible for 49 business-generating cyber attacks in the country, in addition to the hack on Bulgaria's National Revenue Agency (NRA), with CCTV audio recordings capturing TAD Group staff talking about the tax office attack as well as referring to previous attacks.

The CCTV evidence depicts Boykov using Google Translate to put together phrases for the email that he sent to Bulgarian media, in which he suggested that he was a Russian hacker. Authorities also released details of a Telegram app chat with someone at local media group Bivol captured on Boykov's smartphone.

And, according to Bulgarian security specialist Dr Vesselin Vladimirov Bontchev, who has followed the case as reported in the local media, Boykov's office computer contained a file named 'homework_maths.txt' that listed the names of the folders in the leaked archive of NRA information.

It appears, Vess added in a thread on Twitter, that Boykov exploited a vulnerability - possibly a cross-site scripting security flaw - on the official site of Bulgaria's customs office (ecustoms.bg).

In addition to the CCTV evidence, which also carried audio, Telegram chats over TAD Group office PCs between Boykov and TAD Group founder and CEO Ivan Todorov pointed to the company carrying out attacks against Bulgarian businesses and organisations in order to drum up business for itself.

Ivan Todorov: "Give them to Nachev and call them. Yesterday I gave him a list of quite a lot of clients for conditional contracts, for which we know 100 per cent that they've been hacked."

Kristian Boykov: "I gave them to him and a bit of information about the vulnerabilities. I told him not to tell them which particular customers have been hacked, because it's covered by the NDA."

However, one conversation picked up via the office CCTV system indicated that the motive behind the tax office attack might be political. System logs also indicate that the records of several prominent people had been searched.