Unmasking Quellostanco: How a Git Commit Exposed a Threat Actor Targeting Egyptian Infrastructure

TL;DR

In early 2026, a threat actor using the alias Quellostanco ran a campaign against Egyptian targets: airlines, an aluminium company, a government roads authority, multiple universities, and a national university payment gateway. Together with collaborators, the group claimed to have stolen and advertised millions of records, including close to a million student records from a single university.

This blog walks through how we traced that anonymous handle back to a real person by chaining together many small mistakes the actor made over time: reused usernames, a leaked email address in GitHub commit metadata, a password that was actually a phone number, and a saved contact entry that matched it all.

The people behind these breaches are not faceless or untouchable. They behave like normal internet users, and they make the same mistakes normal internet users make. The same habits that protect privacy, such as avoiding the reuse of usernames and passwords and keeping personal information out of public projects, are exactly the habits attackers fail to follow.

This investigation was a collaborative effort between DeXpose and Buguard. The full uncensored attribution package, including all supporting evidence and the actor’s real-world identity, was compiled and formally handed over to the relevant law enforcement authorities.

Note: What is OSINT, and what are we actually doing?

OSINT (Open-Source Intelligence) is the practice of collecting and connecting information that is already publicly available (forum posts, data from old breaches, code repositories, social media profiles) to answer a question. We are not “hacking” anyone here. Every piece of evidence below comes from data that was already exposed, leaked, or published by the actor themselves.

The core idea behind an attribution investigation is simple: people are consistent. A person who picks the username quellostanco on a criminal forum is, more often than not, the same person who picked something similar on GitHub, Reddit, or Discord years earlier, long before they had any reason to hide. Attackers protect their criminal identity carefully, but their ordinary identity was created back when they had nothing to hide, and it leaks through.

Our job is to find a thread that connects the careful, anonymous criminal persona to the careless, ordinary one and then to confirm that link with enough independent evidence that it is not a coincidence. Avoiding false positives (accusing the wrong person) is the single most important discipline in this work, which is why every step below is corroborated by more than one source before we move forward.

Who is quellostanco?

Quellostanco is a threat actor who gained attention in early 2026 after conducting and advertising multiple cyberattacks targeting Egyptian organizations, universities, and companies. The actor became particularly active across cybercrime forums, where they promoted stolen databases, leaked sensitive information, and claimed responsibility for several breaches and defacement operations.

The actor frequently collaborated with other threat actors, including CrowStealer and bigF, in breach sales and data leak operations under the INT3X team banner.

Some of the notable activities attributed to Quellostanco include:

On 9 February, Quellostanco advertised and offered for sale EgyptAir’s database containing approximately 104,000 records from HR and recruitment systems.

EgyptAir database listing advertised by Quellostanco

HR and recruitment databases are highly sensitive because they typically contain employee information, resumes, phone numbers, internal documents, and authentication credentials.

On 23 February, Quellostanco claimed to have defaced the website of Egyptalum and referenced the INT3X group, stating that he had breached the company and gained full control over its systems.

Egyptalum defacement referencing INT3X

On 25 February, Quellostanco, in collaboration with CrowStealer, claimed to have breached the General Authority for Roads and Bridges and exfiltrated data from the authority’s Contract Extract System.

General Authority for Roads and Bridges breach claim

On 10 May, the INT3X group account on cybercrime forums advertised a breach of Mansoura University conducted by CrowStealer, Quellostanco, and bigF, claiming to possess more than 10GB of internal data, including nearly 989,000 student records spanning from 2012 to 2025/2026, student photographs, research material, and internal documents.

Mansoura University breach advertisement

Breaches targeting universities are particularly critical because they often expose large volumes of personally identifiable information (PII), including student records, national IDs, photographs, and academic documents. Such data can later be abused for identity theft, phishing campaigns, financial fraud, or social engineering attacks.

On 14 May, the INT3X group, including Quellostanco, CrowStealer, and bigF, advertised an alleged breach of the mutreasury Payment Gateway, claiming it impacted more than 28 Egyptian universities and exposed administrator credentials and API keys. They also stated that the intrusion involved a zero-day vulnerability.

mutreasury Payment Gateway breach claim

On 17 May, the INT3X group compromised and defaced pat.edu.eg after gaining unauthorized access to the platform’s systems, leaving a message for the Egyptian community.

pat.edu.eg defacement message

Initial Username Correlation

First, we searched for the username across multiple breach datasets because a threat actor’s chosen alias is often the simplest and most consistently reused identifier across platforms. Before moving to more advanced attribution techniques, it is important to determine whether the username itself already appears in previous breaches, forum leaks, or exposed databases.

We focused primarily on breaches related to dark web forums. Since Quellostanco was identified as a member of DarkForums, we reviewed data associated with the DarkForums breach.

Ironically, the forums where criminals operate get breached too, and when they do, the personal details criminals entered to register (IP addresses, emails, recovery info) are exposed just like anyone else’s.

We identified several leaked IP addresses tied to the account. Most of the IP addresses were linked to VPN providers, which is common among threat actors attempting to conceal their real location. However, three of the identified IP addresses resolved to Egyptian networks, making them particularly noteworthy from an attribution perspective, but not conclusive evidence on their own, since threat actors usually use residential proxies for such operations.

Leaked IP addresses tied to the Quellostanco account

We also identified another user named leakdealer using an OnionMail address containing the username Quellostanco before the @onionmail domain. The associated breach contained two Egyptian IP addresses.

leakdealer OnionMail address containing the Quellostanco username

Additionally, in several forum threads, the actor repeatedly shared the following Session ID as a contact method:

05b2d87dee26c5f4b0fe86d3caf2020039ca056be98f3c0348c1559c5eedcbcc76

Session is an encrypted messaging app that, unlike WhatsApp, requires no phone number to register. Your identity is just a long random ID. Criminals like it precisely because it appears to reveal nothing about them.

At this stage, the correlation graph is as follows:

Initial correlation graph

At this point a useful pattern emerged. A common behavior among threat actors is reusing the same username across many platforms and email services, a habit formed long before they had a reason to be careful. Working from that assumption, we systematically combined quellostanco with common email domains.

One result stood out: quellostanco@outlook.com. OSINT analysis of that address showed it was tied to an Egyptian Microsoft account and a phone number ending in 94. We did not yet know whose number it was, but we flagged those two digits and kept moving. (This detail becomes decisive later.)

OSINT analysis of quellostanco@outlook.com

Persona Reuse Across Platforms

On one of the websites it breached, the actor signed the work as Quello$tanco, the same name with a stylized “S.” Small stylistic choices like this are habits, and habits travel between accounts.

Defacement signed Quello$tanco

A simple Google search for that variation led to a HackerOne profile using quello_stanco.

The account used the INT3X group image as its profile picture and listed * ** ******* *******, Giza as its address.

HackerOne profile using quello_stanco

The profile bio:

“The system rots in silence. I no longer resist—I observe. No sides. No savior. Just echoes in wires and ghosts in logic.”

We also identified a Bugcrowd account using the same username as the HackerOne profile. This account used a different bio:

“I stopped trying to fix the system. Now I just listen to it bleed.”

Bugcrowd account with matching username

Using both bios as pivot points, we identified a Reddit account that appeared to combine elements from the bios used on both the HackerOne and Bugcrowd profiles.

Reddit account combining elements of both bios

The content of that account reinforced the link further. One post described the discovery of a critical vulnerability in his institute’s website while his brother was taking an online exam through the university portal.

Reddit post describing accidental vulnerability discovery

Another post from the same account contained an Arabic-language rant criticizing the cybersecurity and hacking scene in Egypt. The author argued that many individuals in the community seek status rather than developing real technical skills, and later challenged anyone claiming expertise to contact him directly to solve a puzzle he believed they would fail.

This post later proved to be significant, as it appears to have played a role in gathering members for the INT3X group, which we later confirmed during the investigation.

The Git Trail: Extracting Identity from Commit Metadata

Since quellostanco used quello_stanco as a username variation, we tested additional variations commonly used across online platforms, such as replacing underscores with dots or hyphens. One variation that stood out was quell***tanco.

This variation was associated with a GitHub account using the username Quell***tanco and the display name Selva*****A5.

GitHub account associated with the username variation

Reviewing Git repositories and commit history is an important step during attribution investigations, as Git commits often contain metadata automatically attached by Git itself. This metadata can include usernames, email addresses, and timestamps that may unintentionally expose identifying information.

We reviewed the commit metadata across multiple repositories associated with the account. In one repository, a commit dated 11 November 2023 exposed a personal email address within the Git metadata.

Commit metadata exposing a personal email address
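The metadata described above is exactly what `git log` prints when asked for author and committer fields. As an added example (not code from the investigation or from any repository it mentions), the following script audits a repository's history for identities that are not GitHub no-reply addresses, which is the check a developer should run on their own projects before publishing them. The log lines below are constructed, with placeholder hashes and an example.com address, and the `git_log` helper assumes a local `git` binary.

```python
import subprocess
from collections import defaultdict

# Constructed sample in the format produced by
#   git log --all --format='%H|%an|%ae|%cn|%ce|%aI'
# Hashes, names and addresses are made up for this example.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111|devuser|12345678+devuser@users.noreply.github.com|GitHub|noreply@github.com|2023-10-02T10:11:12+02:00
2222222222222222222222222222222222222222|devuser|firstname.lastname@example.com|devuser|firstname.lastname@example.com|2023-11-11T21:30:00+02:00
3333333333333333333333333333333333333333|DevUser|devuser@users.noreply.github.com|DevUser|devuser@users.noreply.github.com|2024-01-05T09:00:00+02:00
"""

# Addresses GitHub substitutes when "keep my email private" is enabled,
# plus the address GitHub itself uses as committer for web-UI commits.
NOREPLY_DOMAINS = ("users.noreply.github.com", "github.com")


def parse_log(text):
    """Yield one dict per commit line in the pipe-delimited format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, an, ae, cn, ce, date = line.split("|", 5)
        yield {"sha": sha, "author": (an, ae.lower()),
               "committer": (cn, ce.lower()), "date": date}


def is_personal(email):
    """True when the address is not a GitHub no-reply placeholder."""
    domain = email.rsplit("@", 1)[-1]
    return domain not in NOREPLY_DOMAINS


def audit(text):
    """Map each exposed personal email to the names and commits it appears in."""
    found = defaultdict(lambda: {"names": set(), "commits": []})
    for commit in parse_log(text):
        for name, email in (commit["author"], commit["committer"]):
            if is_personal(email):
                found[email]["names"].add(name)
                if commit["sha"] not in found[email]["commits"]:
                    found[email]["commits"].append(commit["sha"])
    return dict(found)


def git_log(repo="."):
    """Collect the same fields from a real checkout (assumes git is installed)."""
    out = subprocess.run(
        ["git", "-C", repo, "log", "--all", "--format=%H|%an|%ae|%cn|%ce|%aI"],
        capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    for email, info in audit(SAMPLE_LOG).items():
        print(email, sorted(info["names"]), len(info["commits"]), "commit(s)")
```

Only the second constructed commit is reported: the other two carry no-reply addresses, which is what `git config user.email` should be set to before a personal project is pushed.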

The exposure did not stop there. In another repository, the developer’s real name appeared directly within the project files.

Developer real name within project files

Confirming the identity with the leaked email and phone number

We then searched the exposed email address against breach datasets and infostealer logs. The email appeared in the 2024 ULP dataset, which also exposed a phone number used as the account password.

Exposed email in the 2024 ULP dataset

More significantly, that recovered number ended in 94, exactly matching the digits we had flagged much earlier from the quellostanco@outlook.com correlation. Two completely independent paths, a guessed Outlook address and a leaked Git email, converged on the same phone number.

Since ULP files are commonly derived from infostealer logs, the presence of the exposed credentials strongly suggested that Quellostanco’s device had previously been compromised by infostealer malware. Based on this assumption, we searched the infostealer log datasets and identified records associated with the actor’s machine, which also exposed a residential address linked to the device.
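ULP files are plain `url:login:password` lines, and the check that mattered here was whether a password is really a phone number and whether it ends in the digits flagged earlier. As an added example (not the investigation's own tooling), the script below parses constructed ULP-style lines, normalises phone-shaped passwords and reports the logins whose number ends in a given suffix; the same check is useful for a credential-exposure team reviewing its own organisation's leaked accounts, since a phone number used as a password is both weak and identifying. All lines, addresses and numbers are made up.

```python
import re

# Constructed ULP-style lines (url:login:password). None of these values
# come from any real dataset; they only exercise the parser.
SAMPLE_ULP = """\
https://portal.example.edu/login:devuser@example.com:01012345694
https://mail.example.com:devuser@example.com:Winter2023!
https://shop.example.net/account:other@example.org:+20 100 555 7794
android://com.example.app:someone@example.org:12345
"""

# Ten to thirteen digits with an optional leading '+': national or
# international phone numbers, after separators have been stripped.
PHONE_RE = re.compile(r"^\+?\d{10,13}$")


def parse_ulp(line):
    """Split url:login:password. The URL contains ':' itself, so split from the right."""
    url, login, password = line.rsplit(":", 2)
    return url, login, password


def normalize_phone(password):
    """Return the digits of a phone-shaped password, or None if it is not one."""
    candidate = re.sub(r"[\s\-().]", "", password)
    if PHONE_RE.match(candidate):
        return candidate.lstrip("+")
    return None


def phone_passwords(text):
    """Return (login, url, phone) for every line whose password looks like a phone number."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        url, login, password = parse_ulp(line)
        phone = normalize_phone(password)
        if phone:
            hits.append((login, url, phone))
    return hits


def matching_suffix(text, suffix):
    """Logins whose phone-shaped password ends in previously flagged digits, e.g. '94'."""
    return sorted({login for login, _, phone in phone_passwords(text)
                   if phone.endswith(suffix)})


if __name__ == "__main__":
    for login, url, phone in phone_passwords(SAMPLE_ULP):
        print(f"{login} uses phone-shaped password ending ...{phone[-2:]} on {url}")
    print("suffix 94:", matching_suffix(SAMPLE_ULP, "94"))
```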

We also conducted additional OSINT analysis on the phone number and found that the number had been saved by others as a contact under the actor’s name together with the name of his institute, written in Arabic.

Phone number saved by others as a contact under the actor's name

How a phone number reveals a name: crowdsourced caller-ID and contact-lookup services work by aggregating address-book entries that millions of users have uploaded. If enough people saved a number under the same name, that name becomes searchable. It is a quiet but powerful identity leak, and it does not require the target to have done anything.

Further OSINT analysis of the exposed email address revealed an associated Upwork profile describing the individual as an “Expert Linux system administrator and Network & security specialist.”

Recalling the previously identified Reddit account, we observed that the actor had published multiple posts in the FiverrGigs subreddit about Linux system administration. Notably, the post titles closely matched the profession later identified through the associated Upwork profile, further strengthening the attribution link.

Reddit posts about Linux system administration matching the Upwork profile

Using the attributed data collected throughout the investigation, along with the CTF challenge the actor had previously published a write-up about, we identified a LinkedIn profile containing his photo and additional personal details.

LinkedIn profile identified through the attributed data

Notably, the latest post on the profile referenced the same GitHub repository previously identified during the investigation, which contained the write-up and solution for the CTF challenge, further strengthening the attribution chain.

LinkedIn post referencing the previously identified GitHub repository

From the LinkedIn contact information, we were able to verify the previously identified phone number. The profile also revealed a birth date of 26 March.

LinkedIn contact information verifying the phone number

Direct Communication with quellostanco

To gather additional information about Quellostanco and the INT3X group, we contacted the actor directly using the previously identified Reddit account.

To avoid raising suspicion and to facilitate the interaction naturally, we approached the actor under the pretext of being a potential client interested in obtaining services from him.

During the conversation, the actor provided his Session ID to continue the discussion in more detail through the encrypted messaging platform.

Actor providing a Session ID during direct contact

The Session ID provided by the actor was associated with a Session account using the name Quello$tanco, further linking the previously identified Reddit account to the quellostanco alias used across multiple platforms.

Session account using the name Quello$tanco

The actor was highly cooperative and shared several valuable details during the conversation. He claimed to be the founder of the INT3X group and stated that he had previously used Reddit to recruit and identify potential members for the team.

Actor claiming to be the founder of INT3X

From Session, we jumped to Discord to meet the team there. When Quellostanco accepted the request, we observed that the account used the same alias previously identified on the GitHub profile (Selva*****A5).

Discord account using the same alias as the GitHub profile

He later invited us to a channel alongside bigF and another user operating under the alias Dig Bick, whom we believe to be CrowStealer due to the highly similar profile picture observed across previously identified accounts.

Discord channel with bigF and Dig Bick

While sharing his screen using another account named ettaproject, the actor accidentally exposed his Discord interface, revealing the servers, channels, and users associated with the account.

Deletion of his accounts

After Quellostanco defaced pat.edu.eg and left a message directed at the Egyptian community, multiple individuals began conducting OSINT investigations into the actor’s identity and online presence, while we had already been tracking the actor for an extended period. Shortly afterward, Quellostanco started deleting and changing usernames across several accounts, including GitHub, Upwork, and HackerOne profiles.

Actor deleting or changing usernames across accounts

We believe these actions were likely triggered after the actor noticed increased traffic and attention on the previously identified Upwork and LinkedIn accounts.

Increased traffic on the Upwork and LinkedIn accounts

However, by that stage, we had already attributed and documented the actor’s identity and associated infrastructure before the accounts were modified or removed.

Conclusion & Final Notes

This post is a defensive threat intelligence write-up. All identifying details have been redacted from the public version of this report. Every data point referenced above was derived from already public or previously leaked sources; no systems were accessed during the production of this analysis.

Quellostanco did not fall because of one catastrophic mistake. He fell because of an accumulation of small, ordinary ones made over years: an alias picked long before he had a reason to hide it, an email baked into public Git metadata, a phone number recycled as a password, and a contact entry strangers had saved under his real name. Each artifact alone was noise. Correlated together, and independently corroborated at every step, they converged on a single individual.

The investigation also reinforces a broader reality about modern threat actors: many are technically capable, but operational security failures remain their weakest point. The same internet that enables anonymous activity also preserves years of metadata, reused identities, forgotten accounts, and leaked credentials waiting to be connected.
