
Two Decades in the Underground
Independent CTI Analyst. Offensive Security Expert. I have spent nearly two decades in the digital shadows. This is where technical innovation starts, often pioneered by people operating outside the law. My focus is the Deep-Dive Analysis of German and Russian-speaking crime scenes across the Darknet and Clearweb.
Phase I: Binary Obfuscation and The PE-Void
I started in 2007. Back then, Signature-Based AV was the only standard that mattered. I did not care about the dry theory of Cryptography. I wanted the practical side, specifically the targeted manipulation of File Signatures. I wanted to know how to make code invisible to Security Solutions.
That curiosity led to building Crypters in .NET. I spent nights optimizing External Stubs and implementing XOR-Based Obfuscation for both Run-Time and Scan-Time execution. It was an obsession with PE Structures to hit FUD status. I was building the exact tools that define the foundation of modern Malware today.
2008 was the pivot point. I got a dump from the Zeus Banking Trojan. Seeing those Web-Injects manipulate banking sessions in real-time was a revelation. To understand the logic, I went straight to the source. I infiltrated Russian underground boards and tracked the developers' debates. By 2009, I moved to scaling. I analyzed Botnet growth and RAT distribution via Torrent platforms. It was the era when Malware Campaigns first reached global speed.
Phase II: The Eastern Front – Logic and Malice
In 2010, I went deep into the German scene. This was the peak of boards like CARDERS and later CNW. I learned that tech is only half of the game. The real factors are the human Power Structures, the Hierarchies, and the gatekept trust within Elite Circles.
In 2015, my Russian roots changed the game. Being a native speaker allowed me to bridge a gap that technical tools can't reach. The Russian scene was and still is miles ahead of the German one. It is more coordinated, more professional, and structured like a corporation. I analyzed the rise of giants like RAMP and the technical dominance of Hydra. Because I speak the language natively, I don't just read the boards. I understand the nuance, the slang, and the unspoken hierarchies. This deep cultural and linguistic access let me spot Threat Patterns and operational shifts long before they ever hit the Western mainstream.
Phase III: Weaponizing Intelligence
I got tired of watching companies get hunted. In 2019, I co-founded NEXGAP. The mission was simple. I wanted to use Offensive Security experience to make CTI actually useful. I saw that most defense strategies were too slow. They were collecting data while the adversary was already moving. My goal was to process intelligence fast enough to kill a threat before the first Payload ever executes.
We proved the model in 2025. Working with Canadian partners, we aggregated over 1.5 billion records from 200+ closed forums, Telegram, and Signal channels in just three months. That is a level of Underground Visibility that was previously thought impossible.
The Mission: Protecting the European Shield
Europe, especially the DACH region, is currently a prime target. Many European companies are technologically advanced but culturally blind to the threats from the East. There is a massive linguistic barrier that prevents them from understanding who is attacking them and why. I want to close this gap. I use my background to protect European innovation from being drained by professional syndicates who think we are an easy target.
Why CTI.SH?
This is where I share my personal analysis of threats, technical Malware shifts, and the evolution of Darknet markets. My philosophy is simple. To fight an adversary, you have to speak their language, know their tools, and understand their history. I have spent my career doing exactly that.