Deep & Dark web User Profiling — Bjorka

Published in S2W BLOG · 7 min read · Nov 24, 2022

Author: Hotsauce | S2W TALON (Threat Research & Intelligence Center)

Last Modified: Nov 24, 2022

Executive Summary

  • Bjorka, who has uploaded databases related to the Indonesian government and companies, started his activities by exposing a database of Indonesian gambling sites on Raidforums on November 9, 2020.
  • Bjorka resumed his activities on Breached forum after Raidforums was seized.
Notorious hacking forum, Raidforums was taken down
  • Bjorka has uploaded a total of 12 threads since moving to Breached forum on Aug 09, 2022, and all data have been identified as Indonesia-related data.
  • Bjorka claimed he developed leaks[.]sh for managing and uploading leaked databases, but the site is no longer accessible, and databases are now shared through the Telegram channel “Bjorka.”
  • Bjorka explained his ideology through TikTok, claiming that the name “Bjorka” means Indonesian people who do not get justice, and gave the following reasons for carrying out the attacks against Indonesia:
  1. The 5 founding principles of Indonesia, Pancasila (the basic ideology based on democracy), are not properly implemented.
  2. Fuel prices in Indonesia are starting to rise, which cannot be controlled through the law.
  3. The government doesn't care about poor people like Bjorka himself, only people in big cities.
  • (October 07, 2022) Bjorka suddenly claimed on his Telegram channel that he is a girl living in Poland, but it has not been confirmed whether this is true.

Detailed Analysis

1. Who is Bjorka?

  • Bjorka started his activities by exposing a database of Indonesian gambling sites on Raidforums on November 9, 2020, and resumed on the Breached forum after Raidforums was seized.
Bjorka’s activity on Raidforums and Breached forum

Thread : Post written by user

Post : Comment written by user

2. (November 09, 2020 ~ January 27, 2022) Activities on Raidforums

  • Bjorka’s activities on Raidforums were concentrated in the two months from January to February 2021. During this period, Bjorka uploaded databases including Indonesian data leaked from companies such as Reddoorz, Wattpad, and Tokopedia.

Reddoorz: Singapore-based hotel company and hospitality brand that operates in Southeast Asia

Wattpad: A web novel company based in Canada, also provided in Indonesia

Tokopedia: Indonesia’s largest e-commerce company

Darkspider of Xarvis (S2W Darkweb Intelligence Solution)
  • (February 12, 2021) Bjorka claimed he developed leaks[.]sh for managing and uploading leaked databases, but the site is no longer accessible.
A thread promoting the leaks.sh site
  • At that time, it was confirmed that about 570 GB and 1.2 billion data entries had been uploaded to leaks[.]sh.
leaks.sh
  • Bjorka was receiving donations through Bitcoin, Ethereum, and Dogecoin.
Bjorka’s Donation page
Wallet addresses

Bitcoin : 1LZSbb2UDsSW5KjDTCCTZt3JterAQuVR7b

Ethereum : 0xfe7b099ea7df032f5928783156632202e09176b9

Doge : DNJfwSxJUiUh5n6TrXURtpzciYgEe9iZy8

  • About 0.0026 BTC was deposited to the Bitcoin address at 08:48 on February 08, 2021 (UTC +9).
  • A portion of the BTC received was sent to Binance and Coinbase wallets, and the rest was mixed.
Tracking the flow of cryptocurrency

3. (Aug 09, 2022 ~ Present) Activities on Breached forum

  • Bjorka has uploaded a total of 12 threads since moving to Breached forum on Aug 09, 2022, and all data have been identified as Indonesia-related data.
Bjorka’s profile on Breached forum
  • (November 10, 2022) Bjorka uploaded a thread selling databases leaked from Mypertamina, a digital financial service provider located in Indonesia, with the title “MYPERTAMINA INDONESIA 44 MILLION”.
  • As a result of analyzing the data, it was confirmed that the file was leaked in November 2022.
  • The sample shared by Bjorka contains the personal data of users using the Mypertamina service.
Thread related to Mypertamina leak on Breached forums
  • (November 15, 2022) Bjorka uploaded a thread titled “INDONESIA COVID-19 APP PEDULILINDUNGI 3,2 BILLION” on Breached forum.
  • It was confirmed that a total of 157 GB of data was leaked from PeduliLindungi, the official COVID-19 contact tracing app in Indonesia. It included sensitive data such as names, emails, mobile phone numbers, and NIK (national ID card numbers).
Thread related to PeduliLindungi leak on Breached forums
  • Bjorka showed the most activity on Breached forum between August 2022 and October 2022.
Darkspider of Xarvis (S2W Darkweb Intelligence Solution)
  • List of victims affected by Bjorka in the meantime:
List of victims affected by Bjorka

4. Why Indonesia?

  • Bjorka explained his ideology through TikTok, claiming that the name “Bjorka” means Indonesian people who do not get justice, and gave the following reasons for carrying out the attacks against Indonesia.

https://www.tiktok.com/@bjorxanismreal

  1. The five founding principles of Indonesia, Pancasila (the basic ideology based on democracy), are not properly implemented.
  2. Fuel prices in Indonesia are on the rise and cannot be controlled through government supervision.
  3. The government doesn’t care about poor people like Bjorka, only wealthy people in big cities.
Bjorka’s TikTok Video
Bjorka’s TikTok Video

5. Activity on social media

  • Bjorka shares information through various social media services such as Twitter, Instagram, and TikTok.
  • Bjorka’s social media accounts have been repeatedly suspended, but new accounts continue to be created, and his activity is still ongoing.

The current unsuspended Twitter account is @Bjorkanism8_

Bjorka’s unsuspended Twitter account @bjorkanism8_
  • He has posted opinions criticizing the Indonesian government and the presidential election.
  • (September 22, 2022) Bjorka previously announced the release of Mypertamina’s database on a Twitter account that wasn’t suspended at the time.
  • (November 22, 2022) Bjorka mentioned that Mypertamina’s data would be disclosed through Breached forum.
Bjorka announced the release of mypertamina’s database
  • Bjorka releases videos of what he wants to say to the Indonesian government, mainly uploading them through TikTok.
  • A total of six videos have been uploaded so far, including a video explaining his ideology and the reasons for carrying out the attacks against Indonesia.
Bjorka’s TikTok
  • (October 07, 2022) Bjorka suddenly proclaimed that he was a girl living in Poland on his Telegram channel, but it has not been confirmed whether it is true.
Bjorka mentioned that he would leak something big at the end of September 2022.

6. Bjorka’s accomplice arrested

  • (September 16, 2022) According to the Indonesian media Independent Observer, the Indonesian National Police arrested Muhammad Agung Hiyatullah on charges of aiding Bjorka.
  • He is alleged to have sold the Telegram channel (Bjorkanism) to Bjorka for $100.
  • He had a connection to Bjorka and acted as a supplier in the Telegram channel operated by Bjorka. He posted messages three times, on September 8, September 9, and September 10.
  • The suspect’s motivation was to become famous and help Bjorka be remunerative. The investigators successfully secured several pieces of evidence, including a SIM card, two mobile phones, and an ID card in the suspect’s name.
Arrested Bjorka’s accomplice (source: liputan6)

7. Bjorka Profiling

  • Bjorka is operating various accounts on Twitter, Telegram, etc.
User profiling graph of Xarvis (S2W Darkweb Intelligence Solution)
  • Full list of accounts and addresses associated with Bjorka
Accounts and addresses associated with Bjorka

Conclusion

  • Bjorka is running various accounts on social media and underground forums to express his opinions, so periodic monitoring is required in multiple channels.
  • The data leakage incidents caused by Bjorka have become a concerning issue in Indonesia, and government agencies are actively intervening to arrest Bjorka.
  • To improve Indonesia’s cyber security level in the wake of Bjorka’s data leakage, the Indonesian Parliament proposed a law to strengthen personal information protection, which was finally passed on September 20, 2022.

S2W specializes in cybersecurity data analysis for cyber threat intelligence.