BlackVortex1
BlackVortex1 is a cybercriminal persona linked in the available reporting to the emerging ransomware-as-a-service (RaaS) operation ShadowByt3$ / ShadowByt3s. The handle was observed across multiple cybercrime forums, including DarkForums, BreachForums-style profiles, and Cracked.sh, with account creation concentrated between late 2025 and early 2026. Reporting states that a DarkForums thread explicitly connected BlackVortex1 to ShadowByt3$, and that reuse of the same handle across platforms appeared intended to build name recognition across forums. The accounts were described as having low reputation and limited engagement.

BlackVortex1 was tied to advertising the ShadowByt3$ RaaS offering on Cracked.sh. The advertised model offered a 70/30 revenue split in favor of affiliates, allowed participants who already held access to corporate networks to join without an upfront fee, and allowed others to join by paying USD 250 in cryptocurrency. The offering also stated that affiliates could hand parts of the victim negotiation process to the operator.

In the broader ShadowByt3$ ecosystem described in the reporting, associated infrastructure included onion leak sites, mirrored onion domains, Telegram channels, ProtonMail, TOX, and payment options in Bitcoin, Ethereum, and Monero. Telegram was reportedly used to announce leaks, share partial datasets, direct users to downloads, issue extortion messaging, and recruit collaborators with corporate access.

The reporting also states that a threat actor using the moniker BlackVortex1 posted on a dark web forum claiming to have exfiltrated Starbucks intellectual property, in an incident the reporting attributes to ShadowByt3s. The actor claimed theft of approximately 10GB of proprietary source code and operational firmware, allegedly obtained from a misconfigured Amazon S3 bucket named "sbux-assets," and issued an extortion deadline threatening public release if payment was not made. These are the actor's claims as reported; the reporting does not independently confirm the volume or provenance of the data.
Based on the provided content, BlackVortex1 should be understood as a forum persona associated with promotion and recruitment activity for ShadowByt3$ / ShadowByt3s rather than a separately established intrusion set. No nation-state attribution is stated in the content.
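The alleged initial access in the Starbucks claim is a misconfigured S3 bucket. The script below is an added example, not code from the reporting or from Mallory, showing the check a defender would run on their own buckets: it evaluates a bucket policy and a bucket ACL, as returned by `aws s3api get-bucket-policy` (whose `Policy` field is a JSON string that must be parsed first) and `aws s3api get-bucket-acl`, and reports whether anonymous or any-AWS-account principals can list or read objects. The bucket name "sbux-assets" is the one cited in the reporting; every policy and ACL document here is constructed for illustration, and the account ID and role name are placeholders. The script does not model S3 Block Public Access settings, which can override a permissive policy, so treat a PUBLIC verdict as "policy permits public read", not as proof of exposure.

```python
"""Offline check for S3 bucket policies and ACLs that expose objects to anyone.

Added example. Input documents are the JSON shapes returned by
`aws s3api get-bucket-policy` (after parsing the "Policy" string) and
`aws s3api get-bucket-acl`; the samples at the bottom are constructed.
"""
import fnmatch
import json

# Actions an anonymous caller needs to enumerate and pull bucket contents.
SENSITIVE_ACTIONS = ("s3:getobject", "s3:listbucket")

# Canned ACL group URIs meaning "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list of principals)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(action):
    """True if an Action pattern (e.g. "s3:Get*", "s3:*", "*") covers GetObject or ListBucket."""
    pattern = action.lower()
    return any(fnmatch.fnmatchcase(target, pattern) for target in SENSITIVE_ACTIONS)


def public_policy_statements(policy):
    """Return (sid, matching_actions, has_condition) for each Allow statement open to the world."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        actions = [a for a in _as_list(stmt.get("Action", [])) if _grants_read(a)]
        if not actions:
            continue
        # A Condition (e.g. aws:SourceVpc) may narrow the grant; surface it for
        # review instead of silently trusting it.
        findings.append((stmt.get("Sid", "<no sid>"), actions, bool(stmt.get("Condition"))))
    return findings


def public_acl_grants(acl):
    """Return (group_name, permission) for ACL grants to AllUsers or AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        group = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if group:
            findings.append((group, grant.get("Permission")))
    return findings


def assess_bucket(name, policy=None, acl=None):
    """Verdict: PUBLIC (unconditional world read or public ACL), REVIEW (conditional only), PRIVATE."""
    stmts = public_policy_statements(policy or {})
    grants = public_acl_grants(acl or {})
    if grants or any(not conditional for _, _, conditional in stmts):
        verdict = "PUBLIC"
    elif stmts:
        verdict = "REVIEW"
    else:
        verdict = "PRIVATE"
    return {"bucket": name, "verdict": verdict, "policy": stmts, "acl": grants}


# Constructed sample: a wide-open policy on a bucket named as in the reporting.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::sbux-assets", "arn:aws:s3:::sbux-assets/*"]}]}

# Constructed sample: the hardened form, scoped to one role (placeholder account ID).
LOCKED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CiRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::sbux-assets/*"}]}

# Constructed sample: world principal with a wildcard action, narrowed by a VPC condition.
VPC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:Get*", "Resource": "arn:aws:s3:::sbux-assets/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}}]}

# Constructed sample: no policy, but the legacy ACL hands READ to AllUsers.
LEAKY_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

if __name__ == "__main__":
    for label, pol, acl in [("open", OPEN_POLICY, None), ("locked", LOCKED_POLICY, None),
                            ("vpc-conditional", VPC_POLICY, None), ("acl-leak", None, LEAKY_ACL)]:
        print(json.dumps(assess_bucket(f"sbux-assets ({label})", pol, acl)))
```

The REVIEW verdict exists because a `Condition` on a world-readable statement is not automatically safe: `aws:SourceVpc`, `aws:SourceIp`, or `aws:Referer` conditions are often broader than intended, and the last of these is trivially spoofed. Feed the script the real output of the two `aws s3api` calls for every bucket in the account, and pair it with `aws s3api get-public-access-block` to know whether Block Public Access would have stopped the grant from taking effect.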
Tradecraft
12 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Observables
8 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
A forum identity explicitly linked to the ShadowByt3$ operation, used across multiple cybercrime forums to promote the ecosystem and its RaaS offering, suggesting a coordinated cross-platform persona supporting recruitment and visibility.
Claimed on a dark web forum to have exfiltrated Starbucks intellectual property, in activity the reporting characterises as exploiting cloud misconfigurations to obtain sensitive corporate data.