Mar 132016

What does a prolific Romanian hacker have to do to get arrested in Romania? And why would the 24-year old hacker known as GhostShell be willing to risk arrest by doxing himself?  In a wide-ranging interview with and, GhostShell discussed hacking, the scene, and the reasons for his unexpected decision to dox himself.  This article by and provides some background and identifies GhostShell.  

In the Beginning

GhostShell, also known as DeadMellox and numerous other aliases, began his hacktivism on January 1, 2012 with attacks against his own government. The situation in Romania had deteriorated badly and had robbed him of the future he had envisioned for himself, he tells us. He frankly admits that he longer remembers whether he was the one who started #OpRomania, as other Romanian hackers were already active, but he did start the AnonOpsRomania account, and was active in attacking the government.

Not too long after the arrest of the  “official Anonymous branch of Romania”, as the media likes to call it, happened I stopped using my account for active ops and went and started other things. Eventually I came back and took down the Twitter account indefinitely. It’s purpose came to an end.…

Over the next few months, GhostShell participated in a number of operations, attacking various governments and entities. In April, 2012, after being approached by a member of LulzSec, he agreed to team up and they formed MalSec. Their collaboration was brief, and reportedly unsatisfactory. GhostShell tells us he was doing the hacking while the other individual handled the media and timing of announcements. Feeling he didn’t have sufficient control, and having trained up a number of other hackers, GhostShell left to form his own team, Team GhostShell.

TGS issued their first release in April, 2012, dumping tens of thousands of records from the University of Arkansas’s computer store, a fraction of what they claimed they had acquired. The attack was reportedly in retaliation for the arrest of other hackers, with TGS warning, in part:

We are prepared to fight you governments to the death even at the cost of some collateral damage. We learned that in this world you can’t change something with just pretty words. Therefore… This will be a first warning. STOP looking for us or we WILL make you regret it!

Homeland Security took note of the hack, although the university itself did not know about the hack until some time later when it read a report about the hack on Softpedia. Media outlets started picking up the story after that. The U. of Arkansas hack would be only the first of hundreds of attacks on universities by TGS between 2012 and 2015 that reverberated around the world.

In addition to educational institutions, in its first year, TGS hacked countless government and corporate sites, including a firm that recruited IT personnel for Wall Street. In relatively short time, TGS attacked the governments of the United States, China (“Project Dragonfly” and its follow-up attacks), and Russia (“Project BlackStar“). They also attacked Japan, but then turned information on the vulnerable servers over to Japan instead of dumping the data.  Other projects combined a number of different types of targets (e.g., “Project WhiteFox,” “Project HellFire“), or large corporations in South Africa (“Project SunRise“). Analyses of many of these projects and operations can be found in’s contemporaneous posts. The only sector that seemed to escape attacks by TGS was the medical sector, for reasons that GhostShell shared with us in the extended interview that we will be reporting upon soon.

And Then It Stopped – But Not Really

But just as suddenly as the public pastes and dumps started, they stopped in 2013. Sometimes, though, appearances can be deceiving. While the public pastes stopped, the hacking continued, GhostShell tells us. Right after the South African project (Project Sunrise) – a project that stimulated academic researchers to evaluate the value of visualizing such major mapping projects –

the focus shifted towards fingerprinting entire industries. These types of projects were larger than anything done before. Project Seramatis, Project Alkonost, Project Fenveil, Project Entricate, just to name a few. Related to banking, energy, telecom, transport, the top one thousand most active websites online. If the day comes when I get caught the projects that everyone should look into are the ones that were never made public. They’re all at a completely different level. and note that we have not seen any data or proof from any of these non-publicly-disclosed projects. According to Ghostshell, the only project that was public in 2014 was #OpRotherham, an operation announced as being by Anonymous.  When asked why that wasn’t under the TGS banner, GhostShell told us:

I didn’t want TGS to lead the fight against pedophiles in the UK. I didn’t want to act as a “leader” for something so serious. It needed a movement where anyone could get involved without having to look up to any leaders for guidance. Anonymous played that part superbly everytime.

As to favorite projects, GhostShell mentioned projects that, again, we had never heard about in public statements:

If I had to choose a favourite project it would be either Project ScarletHowl or Project FrostOwl. No one from the public sector knows them but they are the largest and longest running campaigns I’ve done throughout these past 4-5 years. Let me put it to you this way, Dark Hacktivism was created from them and the leaks that came along with it, both the around one thousand websites leaked and the private data given to one of my japanese contacts to deliver to the government represent a fraction of data obtained from these projects. One of the campaigns lasted over 8 months non-stop hacking.

We asked GhostShell what these projects were about. GhostShell’s somewhat astonishing answer was:

Project ScarletHowl had one objective, to attack and breach every single website from the top 1 million.

Project FrostOwl’s main purpose was to map out and get as much information out of Asia’s cyberspace. Every single country was targeted.

They’re Baaaack, But Not For Long

In June, 2015 , more than two years after they went quiet in public spaces, TGS re-emerged, issuing a statement and dumping information from 548 databases, including over 270 .edu sites around the world. GhostShell discussed the leaks and dark hacktivism with Ionut Ilascu of Softpedia at the time.

GhostShell tells us that all operations and projects – public and private – stopped completely in August, 2015 and have not resumed since then.

One can only imagine how many more entities would have been hacked by now if it was not for a fried PC, because GhostShell tells us that 99% of the hacking by TGS was by one individual: GhostShell. By his own statements, he was sitting on a ton of data from hacked entities who may still not know that they were hacked. Even if we only consider the publicly disclosed hacks and dumps, that’s an extraordinary amount of data for one hacker to acquire.

And although some (like Symantec and Imperva) had pointed out that many of his hacks involved SQLi, the reality is that GhostShell didn’t need to use sophisticated techniques for most of his hacks because cybersecurity is generally so poor. He expounded on his approach in the extended interview, to be released soon.

Doxing Himself?!

[pullquote] I waited for years to get v&, it’s gotten ridiculous.[/pullquote]

When was first contacted by about the possibility of interviewing GhostShell, it was with the understanding that he intended to dox himself at the end of it. Why on earth would a hacker dox himself and risk jail? Over the extensive interview, we put that question to him in various formats at various times, and the answer always came back the same – he hopes his government will pay attention to him and that it will actually help him get a job in the industry.

Also let it be known for future generations to come that I am literally
the only person in history from my country that has to prove his worth even
after everything that’s happened just so I can get a job in the industry
despite every 10 year old that defaced or ddosed random websites getting
autohired. I am truly a legend of something.

There simply aren’t enough hashtags for our reaction to his willingness to get arrested to get a job.  And it’s not even clear to us that he will get arrested and then rehabilitated with government assistance in getting a job. Inquiries e-mailed to Diicot about whether they had any pending charges against him have gone unanswered.

But when you think about it, GhostShell is a hacker/hacktivist who has already proven himself to be prolific in terms of his patience and willingness to hack. His ambitious goals and approach to mapping entire systems (like his South African project) are simultaneously scary and admirable. What might he accomplish with support and resources?

So who is GhostShell?

Meet Razvan Eugen Gheorghe. He’s 24 years old and he’s from Bucharest. His date of birth is August 16, 1991, and he says his current address is Street Vlaicu-Voda, Number 28, Building V81A, Entrance 3, Sector 3, Level 2, Apartment 39. We’ve also been given his phone number, but are not publishing it.

At the outset of the interview process, GhostShell provided us with a small measure of proof that he was GhostShell by giving us his login credentials to the TGS Pastebin account. Later, at our request and specification, he sent us proof of his identity via picture of an earlier passport:

Earlier passport of “GhostShell” of Team GhostShell.

More recent pictures of  Razvan Eugen Gheorghe, a/k/a “GhostShell.” taken when he was in the U.K. last year:


Razvan Eugen Gheorghe in the U.K. Photo courtesy of “GhostShell.”


Razvan Eugen Gheorghe in the U.K. Photo courtesy of “GhostShell.”
























In the near future, and will be publishing much more from the lengthy interview. In the interim, we will watch to see how law enforcement in Romania reacts to what might seem like his “come and get me” invitation.

  6 Responses to “Taking pity on law enforcement, Romanian hacker “GhostShell” doxes himself”

  1. Isn’t this exactly what an Australian hacker already did.

  2. Project ScarletHowl had one objective, to attack and breach every single website from the top 1 million..

    Only the top 1 million? The last I heard, the ROMANIAN HACKER ALLIANCE and Chippy1337 planned to attack and breach every single website from the top 1 billion. And the attack was planned for March 16th, which would appear to be today.

Sorry, the comment form is closed at this time.