Red Hot Cyber


Crazyhunter: The Ransomware with the Three-Dimensional Data Annihilation System That Redefines Data Destruction

Pietro Melillo : 10 March 2025 15:04

During the monitoring of underground forums and criminal groups carried out by Red Hot Cyber’s DarkLab threat intelligence team, we came across the Data Leak Site of a cyber gang that had never been tracked before: Crazyhunter.

With a distinct identity and a manifesto that sets it apart from other cybercriminal actors, Crazyhunter presents itself as a sophisticated operation that focuses on attack speed, data destruction, and a highly structured criminal branding system.

From the information gathered on their Data Leak Site (DLS), accessible through the Tor network, the group appears to adopt a methodical and aggressive approach, aimed at compromising corporate security in the shortest time possible. With a ransom negotiation and management system that includes “demonstrations” of their destructive capabilities, Crazyhunter distinguishes itself through a business model that emphasizes mathematics, advanced encryption, and even blockchain technology to record their decryption “promises.”

Structure of Crazyhunter’s DLS


Crazyhunter’s Tor portal is divided into multiple sections, featuring a minimal but functional design:

• Homepage → Displays the group’s name and their motto: “There is no absolute safety.” This statement reflects their philosophy that no system is immune to a well-structured attack.
• Victim List → The published list of victims primarily includes companies and institutions in Taiwan, such as hospitals and universities. Each entry includes:
  • Ransom amount demanded (up to $1,500,000).
  • Negotiation status, with some cases marked as Expired (likely meaning the data will be leaked) and others labeled Successful cooperation (indicating a ransom payment was made).
  • Countdown timer for the agreement deadline, suggesting a psychological pressure tactic on victims.
• About Us → A section where the group describes its modus operandi and the ransomware’s key strengths.
• Contact Us → A form-based contact page, likely used for negotiations or potential collaborations.
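The victim entries described above (ransom amount, negotiation status, countdown) are the kind of observation a threat-intelligence team turns into structured records so that deadlines and outcomes can be tracked over time. The following is an added example written for this article; it is not Crazyhunter’s code and not RHC DarkLab tooling. The pipe-separated entry format, the field names, the status-to-assessment mapping and the sample entries are constructed assumptions modelled on the fields the article describes, not a scrape of the real site.

```python
"""Normalize entries observed on a ransomware data-leak site (DLS) into
structured records for threat-intelligence tracking.

Added example for this article: not Crazyhunter's code and not RHC DarkLab
tooling. The pipe-separated entry format, the field names and the status
mapping are assumptions modelled on the fields the article describes.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample entries (not scraped): victim | ransom | status | countdown
SAMPLE_DLS_ENTRIES = """\
Example Hospital A | $1,500,000 | Countdown | 2d 05:13:22
Example University B | $400,000 | Expired | -
Example Electric C | $750,000 | Successful cooperation | -
"""

# Instant at which the constructed entries were "observed"; countdowns are
# relative to it. Arbitrary constructed value.
OBSERVED_AT = datetime(2025, 3, 10, 15, 4, tzinfo=timezone.utc)

# DLS labels -> analyst assessment, following the article's reading of them.
STATUS_MAP = {
    "countdown": "negotiation_open",
    "expired": "likely_leaked",               # data presumed published
    "successful cooperation": "likely_paid",  # ransom presumed paid
}


@dataclass
class VictimRecord:
    victim: str
    ransom_usd: int
    status: str
    deadline_utc: Optional[datetime]


def parse_amount(text: str) -> int:
    """'$1,500,000' -> 1500000; rejects fields with no digits."""
    digits = re.sub(r"\D", "", text)
    if not digits:
        raise ValueError(f"no amount in {text!r}")
    return int(digits)


def parse_countdown(text: str, observed_at: datetime) -> Optional[datetime]:
    """Turn a relative countdown such as '2d 05:13:22' into an absolute
    deadline; '-' or any other non-countdown value yields None."""
    m = re.fullmatch(r"(?:(\d+)d\s+)?(\d{1,2}):(\d{2}):(\d{2})", text.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return observed_at + timedelta(days=days, hours=hours,
                                   minutes=minutes, seconds=seconds)


def parse_entries(raw: str, observed_at: datetime) -> List[VictimRecord]:
    """Parse every non-empty line; malformed or unknown-status lines raise."""
    records = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            raise ValueError(f"malformed entry: {line!r}")
        victim, amount, status, countdown = parts
        key = status.lower()
        if key not in STATUS_MAP:
            raise ValueError(f"unknown status label {status!r}")
        records.append(VictimRecord(
            victim=victim,
            ransom_usd=parse_amount(amount),
            status=STATUS_MAP[key],
            deadline_utc=parse_countdown(countdown, observed_at),
        ))
    return records


def status_counts(records: List[VictimRecord]) -> Dict[str, int]:
    """How many victims sit in each assessed state."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.status] = counts.get(r.status, 0) + 1
    return counts


def max_ransom(records: List[VictimRecord]) -> int:
    return max((r.ransom_usd for r in records), default=0)


if __name__ == "__main__":
    recs = parse_entries(SAMPLE_DLS_ENTRIES, OBSERVED_AT)
    for rec in recs:
        print(rec)
    print(status_counts(recs), max_ransom(recs))
```

Converting the countdown into an absolute deadline at observation time is the point of the exercise: a relative timer is meaningless once the page is re-visited, while an absolute deadline lets an analyst notify a potentially affected organisation before the data is published, and a later observation of the same entry as Expired or Successful cooperation closes the record.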

Attack Techniques and Tactics

Based on information from their strategic manifesto, Crazyhunter positions itself as a highly technical operation with several distinctive characteristics that make it particularly dangerous:

1. Ultra-fast attack approach: “72-hour Vulnerability Response Vacuum”

Crazyhunter claims to breach victim security in less than 72 hours, leveraging:

• Exclusive exploit chains with a survival duration 300% longer than MITRE’s average estimates.
• Advanced bypass techniques for leading endpoint protection systems, including:
  • CrowdStrike
  • SentinelOne
  • Microsoft Defender XDR
  • Symantec EDR
  • Trend Micro XDR

If these claims are accurate, the group relies on zero-day or carefully selected N-day vulnerabilities, combined with advanced evasion tactics that may include polymorphic malware and fileless attack techniques.

2. The “Three-Dimensional Data Annihilation System”

Crazyhunter doesn’t just encrypt data; it introduces a three-layer data annihilation concept:

• Encryption Layer → Uses the XChaCha20-Poly1305 algorithm, known for its security and speed, making data recovery impossible without the correct key.
• Destruction Layer → Implements what the manifesto calls CIA-approved data-wiping technology, likely referring to standards such as DoD 5220.22-M or multi-pass overwriting methods that make data unrecoverable.
• Deterrence Layer → This is a new element in the ransomware landscape: the group claims to generate highly realistic compromising evidence against executives using AI and deepfake techniques, increasing the pressure during negotiations.

This combination of advanced encryption, total data destruction, and reputational threats makes Crazyhunter a unique actor, blending traditional ransomware with psychological coercion methods.
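From a defender’s point of view, the destruction layer described above changes what endpoint telemetry should look like: beyond the burst of new encrypted files that any ransomware produces, the originals are overwritten in place and then deleted. The following is an added example for this article, not code from Crazyhunter or from RHC DarkLab; it runs a simple sliding-window heuristic over constructed file-activity events. The event schema (ts, pid, process, op, path), the thresholds, the process names and the sample telemetry are all assumptions chosen for illustration, not a vendor format or real data.

```python
"""Heuristic detection of an encrypt-then-wipe file-activity pattern from
file-system audit events.

Added example for this article, not code from Crazyhunter or from RHC
DarkLab. The event schema (ts, pid, process, op, path), the thresholds and
the sample telemetry are assumptions chosen for illustration, not a vendor
format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FileEvent:
    ts: float      # seconds since epoch
    pid: int
    process: str
    op: str        # "write", "rename", "overwrite" or "delete"
    path: str


WINDOW_SECONDS = 60.0
MIN_FILES = 20    # distinct paths modified by one process inside the window
MIN_DIRS = 3      # distinct directories touched inside the window
MIN_WIPED = 10    # originals overwritten in place and then deleted


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def detect_encrypt_and_wipe(events: List[FileEvent],
                            window: float = WINDOW_SECONDS) -> List[dict]:
    """Return one alert per process whose activity inside any sliding
    time window crosses all three thresholds at once."""
    by_proc: Dict[Tuple[int, str], List[FileEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_proc[(e.pid, e.process)].append(e)

    alerts = []
    for (pid, name), evs in by_proc.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so evs[start:end+1] spans at most `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            modified = {e.path for e in win if e.op in ("write", "rename", "overwrite")}
            dirs = {_dirname(e.path) for e in win}
            overwritten = {e.path for e in win if e.op == "overwrite"}
            deleted = {e.path for e in win if e.op == "delete"}
            wiped = overwritten & deleted   # the wipe signature: overwrite, then delete
            if (len(modified) >= MIN_FILES and len(dirs) >= MIN_DIRS
                    and len(wiped) >= MIN_WIPED):
                alerts.append({"pid": pid, "process": name,
                               "files": len(modified), "dirs": len(dirs),
                               "wiped": len(wiped), "first_ts": win[0].ts})
                break   # one alert per process is enough
    return alerts


def constructed_events() -> List[FileEvent]:
    """Constructed sample telemetry: one benign save by an office process,
    then a burst in which a single process writes a new file next to each
    original, overwrites the original in place and deletes it."""
    t = 1741618800.0  # arbitrary base timestamp
    events = [FileEvent(t, 4001, "winword.exe", "write",
                        r"C:\Users\a\Documents\report.docx")]
    dirs = [r"C:\Users\a\Documents", r"C:\Users\a\Pictures",
            r"C:\Shares\Finance", r"C:\Shares\HR"]
    n = 0
    for d in dirs:
        for i in range(8):
            original = f"{d}\\file{i}.dat"
            base = t + 0.1 * n
            events.append(FileEvent(base, 7777, "updater.exe", "write", original + ".locked"))
            events.append(FileEvent(base + 0.01, 7777, "updater.exe", "overwrite", original))
            events.append(FileEvent(base + 0.02, 7777, "updater.exe", "delete", original))
            n += 1
    return events


if __name__ == "__main__":
    for alert in detect_encrypt_and_wipe(constructed_events()):
        print(alert)
```

Requiring all three conditions keeps a single large save or a legitimate bulk rename below the threshold, while the overwrite-then-delete intersection is the part that specifically reflects the wiping layer: it also tells the incident responder that volume snapshots and file-carving will not recover the originals, so restoration has to come from backups that the compromised host could not reach.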

3. Criminal Branding and Blockchain

Crazyhunter also introduces a new concept in the ransomware world: criminal branding. Among the services they offer:

• The option to delay data publication by paying 50% of the ransom upfront.
• A guide to remediating the vulnerabilities exploited during the attack, seemingly as an incentive for payment.
• A video proving the deletion of stolen data after the ransom is paid.

Finally, their strategic manifesto states that the group does not consider itself as “greedy” as REvil or as “loud” as LockBit, and that it focuses on only three things:

1. Proving attack inevitability through mathematics.
2. Ensuring threat irreversibility through code.
3. Recording every fulfilled promise on the blockchain.

The last point suggests that Crazyhunter may be using a public or private blockchain to track completed operations, perhaps to demonstrate to future victims that it keeps its word when it comes to providing decryptors after payment.

Targets and Victims

An analysis of the victim list on Crazyhunter’s DLS reveals that the group has primarily targeted Taiwanese organizations, focusing on:

• Universities and research institutions (Asia University, Asia University Hospital).
• Healthcare facilities (Mackay Hospital, Changhua Christian Medical Foundation).
• Energy sector companies (Huacheng Electric).

The inclusion of hospitals and academic institutions suggests an opportunistic targeting strategy, where the likelihood of ransom payment is high due to the sensitivity of the data involved. However, it is possible that the group will expand its scope to other sectors in the coming months.

Conclusions: Why Crazyhunter Is a Threat to Watch

Crazyhunter is not just another ransomware group. Unlike other operations that focus solely on file encryption, this group introduces additional pressure tactics, including:

• Irreversible data destruction, beyond encryption.
• AI-powered deepfake evidence creation to compromise executives.
• Blockchain-based tracking of operations to build “trust” in the criminal market.

Although it is still too early to assess its full impact, Crazyhunter has already demonstrated its ability to target high-profile organizations and maintain a highly strategic operational model. The combination of advanced exploits, sophisticated encryption, and psychological coercion tactics makes it an emerging threat that should not be underestimated.

For businesses, the lesson is clear: traditional ransomware defenses are no longer enough. The new generation of cybercriminals is refining increasingly destructive and difficult-to-counter strategies.

Pietro Melillo
Head of the Dark Lab group. A Computer Engineer specialised in Cyber Security with a deep passion for hacking and technology, he is currently CISO of WURTH Italia. He was previously responsible for Cyber Threat Intelligence & Dark Web analysis services at IBM, and carries out research and teaching activities on Cyber Threat Intelligence topics at the University of Sannio as a Ph.D. He is the author of scientific papers and of tools supporting cybersecurity activities, and leads the CTI team "RHC DarkLab".