My Involvement in the Top Secret GCHQ “Lovely Horse” Program and the Existence of the Karma Police

Following a series of News Articles including publicly leaked information regarding the existence of a Top Secret GCHQ-sponsored program whose aim is to monitor public Twitter conversations of prominent hackers an Security Researchers including vendors and is a part of related legal surveillance and eavesdropping of various other Security Researchers and related Security Resources online including the actual owners of the Security Projects such as — HAPPY TRIGGER/Zool/TWO FACE eventually feeding data and information into another Top Secret Program known as the Karma Police including a possible involvement in what the U.S Intelligence Community is currently describing as “4th Party Exfiltration” or “outsourcing SIGINT” which basically describes a huge portion of today’s modern Security Industry in particular the Threat Intelligence market segment though the INTOLERANT program which basically aims to raise awareness on the process of raising awareness of new current and emerging Cyber Threats globally courtesy of the Security Industry.

I decided to post the following article detailing my involvement in the program using my old Twitter account — in particular the active legal measures taken to eavesdrop and put my account and Twitter activity under U.S Government surveillance next to a huge portion of my friends and colleagues at the time up to present day.

Want to find out how the GCHQ actually issues legal warrants and seeks legal authorization for people and communities of notice? Check out this document.

Sample Open-Source Modification of GCHQ’s Lovely Horse Open Source for Cyber Defense Program Referencing my Old Twitter Account

It shouldn’t be surprising that prior to vising the GCHQ back in 2008 with the help of the Honeynet Project I was pleasantly surprised to have made an important presentation on my way to properly secure the Internet’s infrastructure from rogue and malicious actors successfully communicating my expertise experience and knowledge to a closed-group of knowledgeable people and Security People. It’s been a decade following my disappearance and possible kidnapping attempt courtesy of local Bulgarian Law Enforcement with no clear clue as to what exactly happened at that time.

GCHQ’s Top Secret “Lovely Horse” Program Twitter Account Participants Including My Old Twitter Account User ID @danchodanchev

Who was really involved in my kidnapping attempt? Who really knew about it and who managed to actually track me down and find me? Long story short — I suspect a rogue operation courtesy of people that I know in an attempt to incriminate and undermine my reputation with an indirect help of people that I don’t know that also includes high-profile cybercriminal take-down attempts — Koobface was my primary take-down and research priority at the time — including an active Hitman request for me posted on a high-profile cybercrime forum community worth $10,000 which appear to have successfully tracked me down while I was busy working in another town and successfully managed to kidnap and launch an discrimination and incrimination campaign including an attempt to damage my work and reputation which basically resulted in a major slow down of my research activities and actual working process with a high degree of probability that the campaign launched against me was Koobface and possibly Hillary Kneber-botnet related including a possible leak and potential OPSEC compromise in the context of working directly with a colleague — Xylitol including a possible search for me courtesy of an unknown set of individuals.

Sample Tweet Courtesy of Hilary Kneber — a Prominent Cybercrime-Friendly Enterprise Circa 2010

It should be worth pointing out that at the time I was also approached by a prominent U.S based company known as HBGary — and it seems that the actual communication made it to Wikileaks.

You can catch up with some of my latest research and analysis here.

Was I kidnapped and actually disappeared under the guidance of cybercriminals looking for ways to track me down and undermine my reputation and basically destroy and ruin my research activities or was I victim of a bigger operation courtesy of a foreign entity in this particular context a vendor or an organization who’s not been so pleasantly and happy with some of my research? Back in the day the only campaign that I was actually busy monitoring and working on was the Koobface botnet in particular the active tracking down of one of its main operators including the actual take-down of the Koobface botnet courtesy of my active research at the time. Based on publicly obtained screenshots from the flagship Cybercrime Forum Community at the time — Darkode — I was able to portray a bigger picture in the context of having another researcher approach me at the time in this particular case Xylitol who offered direct access to the Darkode Cybercrime Forum Community which I basically used to take a peek for research purposes on a variety of occasions which at the time was parked on hxxp://

Sample Google Search Results For My Name Citing Possible Illegal Lawsuit Courtesy of Unknown Individuals

What really took place at the time? It appears that besides the usual “link love” courtesy of various cybercriminals whose activities I specialize in profiling — for instance the following C&C and client-side exploits serving URL circa 2010 — hxxp:// — indirectly working with a variety of researchers and basically spending most of my time researching the Koobface botnet including an active campaign against at the time including a prominent colleague of mine — Brian Krebs — following a series of typosquatted domains targeting him and a researcher colleague known as Xylitol including the active redirection of Facebook IP netspace to my personal blog the personal greeting referencing me and my personal including the active response to my “10 Things You Didn’t Know About the Koobface Gang” article at the time within the actual C&C infrastructure of the botnet at the time a prominent “Top Ten Sexy InfoSec Geeks of 2009” award including a prominent SCMagazine “Who to Follow on Twitter” award circa 2010. Did I somehow manage to attract the wrong attention through my research or did a become a prime target for the U.S Intelligence Community putting my old Twitter account — under legal surveillance? Long story short — I’d rather end up with having my name referenced in a major C&C infrastructure campaign courtesy of an unknown group rather than having most of my Intellectual Property (IP) and well-being robbed and stolen citing potential National Security issues courtesy of the U.S Intelligence Community.

The Scene the way we know it at the time was basically a variety of publicly accessible Hacking and Cyber Security Forum Communities including several other prominent invite-only fraud and illegal activity themed online communities to which I never really bothered obtaining access to citing potential OPSEC (Operational Security) violations and my passive OSINT processing methodology of cyber threats at the time

Sample Screenshots of Cybercrime Underground Forum Chatter Prior to my Disappearance circa 2010 Directly Referencing me and Commenting on my Disappearance:

Dancho Danchev Disappearance and Possible Kidnapping Attempt Circa 2010 — Cybercrime Underground Forum Chatter on the Actual Events that Took Place at the Time
Dancho Danchev Disappearance and Possible Kidnapping Attempt Circa 2010 — Cybercrime Underground Forum Chatter on the Actual Events that Took Place at the Time
Dancho Danchev Disappearance and Possible Kidnapping Attempt Circa 2010 — Cybercrime Underground Forum Chatter on the Actual Events that Took Place at the Time
Dancho Danchev Disappearance and Possible Kidnapping Attempt Circa 2010 — Cybercrime Underground Forum Chatter on the Actual Events that Took Place at the Time

Go through a chronological order of the events including people that I know and used to work with at the time here.

In conclusion — I’m positive that I’ll continue doing the research that I’ve been doing for over a decade now and that I’ll continue publishing it at my extremely popular Security Blog with the idea to raise awareness on current and emerging Cyber Threats offer novel advice and new methodologies for processing and responding to current and emerging Cyber Threats and basically offer the big picture to thousands of loyal users across the globe including the necessary extra OPSEC (Operational Security) measures that I’ve recently implemented for the purpose of preserving my Intellectual Property and with the idea to continue conducting the type of research that everyone who’s been reading my Security Blog since 2005 is familiar with.

Independent Security Consultant OSINT Analyst Threat Intelligence Analyst Security Blogger

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store