Be careful what you OSINT with - Reloaded
Five years ago on 23 March 2020 I posted an article on my blog, explaining why you should always conduct due diligence before using OSINT tools. Today I would like to repost that article here and add a little something to it.
There are lots of neat OSINT platforms out there to make your life easier. But how many of you vet the software before using it? Not every platform should be entrusted with sensitive data as this case reveals.
In January 2019 I was tagged on Twitter, asking for my input on an OSINT platform named Lampyre. Before I use any type of software, I try to vet it as well as possible. This includes OSINT research on the company, asking tech-savvy people I know for their opinion and ultimately reaching out to the company itself. No one had really heard of the software at that time, no one was using it, and I couldn’t really find much background information online. I ended up contacting Lampyre and asking them where they came from, what their background was and a couple of other questions. Unfortunately, they only sent evasive answers. They wouldn’t even tell me which country they were based in. I tried the software on one of my VMs and tested it with fake or non-relevant data. To be honest, I did like what I saw, but I decided not to use it operationally. As time passed, I noticed that many OSINTers started using the software and decided to have another look into the company and people behind it. It turns out I was right not to use this platform. Lampyre isn’t who they claim they are. I teamed up with some friends and we found some pretty disturbing information.
Lampyre is apparently made by a company in Budapest (Hungary) called Data Tower Kft. The company itself was registered in February 2019 and the CEO and sole shareholder is a guy named Laszlo Schmidt. The original address used to register the company leads to a law firm, and the phone number that Data Tower provides belongs to another law firm in which Laszlo Schmidt is working as a lawyer. This information points to the fact that Data Tower is merely a shell company. So, how do we get to the people behind Lampyre?
Looking into their online presence doesn’t lead to any notable individuals either. Some of the names used, such as John Galt, are most likely pseudonyms or fake accounts. Since searching for people didn’t provide any leads, we decided to look into the traffic that Lampyre sends to its servers in each query. The queries contain a brief description of what is requested, and apparently the local language used by the developers is Russian, as each description is written not only in English but also in Russian.
Why should a company based in Hungary use Russian as their local language setting? Of course, the developers could be Russians working in Budapest, but again something just doesn’t seem right here: an organization that shows signs of being a shell company, the lack of transparency when directly confronted and now indications that point towards Russia. Decompiling the software showed further Russian language embedded in the code:
Apart from this, their website started out in Russian and the earliest redirects were also coming from domains linked to Russia.
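The traffic inspection and decompilation checks described above can be partly automated. The following is an added example, not code from the original article or from Lampyre: it pulls readable strings out of a blob standing in for a captured query or an extracted binary, trying UTF-8 and UTF-16LE, and flags every string that contains Cyrillic characters. SAMPLE_BLOB is constructed for this demonstration.

```python
# Added example, not from the original article or from Lampyre: a string
# scanner for vetting software. It pulls readable runs out of a captured
# query or an extracted binary and flags those containing Cyrillic text,
# the indicator described above. SAMPLE_BLOB is constructed for this demo.
import re

# Runs of at least MIN_LEN chars from the Latin or Cyrillic ranges. The
# narrow range keeps CJK-looking junk from a misaligned decode out.
MIN_LEN = 4
READABLE = re.compile(r"[\x20-\x7e\u00a0-\u024f\u0400-\u04ff]{%d,}" % MIN_LEN)
CYRILLIC = re.compile(r"[\u0400-\u04ff]")

def extract_strings(blob: bytes) -> list[tuple[str, str]]:
    """Return (encoding, text) for readable runs found in blob.

    Windows binaries and .NET resources often store text as UTF-16LE, so
    that encoding is tried at both byte alignments alongside UTF-8."""
    found = []
    for enc, offsets in (("utf-8", (0,)), ("utf-16-le", (0, 1))):
        for off in offsets:
            text = blob[off:].decode(enc, errors="replace")
            found.extend((enc, m.group()) for m in READABLE.finditer(text))
    return found

def flag_cyrillic(blob: bytes) -> list[dict]:
    """Report every readable string that contains Cyrillic characters."""
    findings = []
    for enc, run in extract_strings(blob):
        cyr = len(CYRILLIC.findall(run))
        if cyr:
            findings.append({"encoding": enc, "text": run,
                             "cyrillic_chars": cyr, "length": len(run)})
    return findings

# Constructed stand-in for a captured query: a bilingual request description
# (UTF-8), a UTF-16LE resource string at an odd offset, and some binary noise.
SAMPLE_BLOB = (
    b"\x00\x01\x02MZ\x90\x00"
    + "Search by phone number".encode("utf-8") + b"\x00"
    + "Поиск по номеру телефона".encode("utf-8") + b"\x00\xff"
    + "Описание запроса".encode("utf-16-le") + b"\x00\x00"
    + b"Data Tower Kft.\x00"
)

if __name__ == "__main__":
    for hit in flag_cyrillic(SAMPLE_BLOB):
        print(f"{hit['encoding']:>9}: {hit['text']!r} "
              f"({hit['cyrillic_chars']}/{hit['length']} Cyrillic)")
```

Point the same functions at a real capture or a `strings`-style dump of an unpacked binary to get a quick inventory of which languages its embedded text is written in.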
We also managed to reveal a person named Andrey S. This guy posted Python modules for Lampyre on GitHub and knew about the product in March 2018, way before it was released to the public in October 2018. Andrey is based in Moscow and used to have a LinkedIn profile as well (which has been deleted in the meantime).
According to his LinkedIn, Andrey worked for the Russian Federal Security Service (also known as FSB) in the past and is now working for a company called Norsi-Trans. Norsi-Trans produces SIGINT and lawful interception equipment and software for the Russian government. It turns out that Norsi Trans also sells an OSINT platform called Vitok-ROI (or Vitok-OSINT).
The overall look of this platform reminded me of something I had seen before. Oh, that’s right! Both Lampyre and Vitok-OSINT have that Win95/Win98 appearance, not only in the network visualization, but also the software itself.
I felt confident to say that these tools share a common development and we could've closed the case here. However, we went looking for more evidence to link these two products, and thus Norsi Trans and Data Tower, to each other. Did we find anything? You bet! We pulled the certificates used by Lampyre and saw that they were registered in Russia and, even more compelling, one of the certificates made a direct reference to Vitok and a subsidiary of Norsi Trans named NT-Com.
This was the final nail in the coffin. Lampyre and Norsi Trans are in fact connected! While there was still plenty to be discovered, I think we had proof that Lampyre and Data Tower are not fully honest. And as everything you query in Lampyre is probably sent to Russian servers, I am happy I decided not to use this tool in my private and professional investigations. After all, Russia mandates decryption possibilities for traffic in and out of Russia in order to enable their intelligence services to read along.
At this point I had published the article and Lampyre felt inclined to answer and posted a blog stating "Data Tower and Norsi-Trans are indeed connected. Some enthusiasts from Norsi-Trans are sharing with Data Tower their great experience in developing analytical systems. It helps us improve Lampyre." So, basically saying: calm down, it's not that bad. They're just giving us some advice.
Now, let's have a look at how things have unfolded since then. First off, I did some digging into official Russian databases. Turns out, NT Com had registered the brand name "Lampyre" in Russia in 2017. Because of course you would like to protect your brand name if you are just "giving some advice"...
Second, the "Head of Analytics" of Norsi Trans had posted pictures of Lampyre designs and marketing material in his office on Facebook quite a while before Data Tower was founded in Hungary. This guy is also responsible for all the VITOK-OSINT presentations I had found along the way, which showed me that Lampyre and VITOK looked exactly the same.
This guy, named Evgeny V. or Eugene, was also listed as member/director of Data Tower in Hungary from September 2020 to March 2023, according to the official company register documents.
Remember László Schmidt, the supposed director and sole shareholder of Data Tower? Turns out his company Data Tower Kft. isn't the only one with strong ties to Russia. Last year there was reporting in the Hungarian press that he was also involved in circumventing sanctions against Russia through a network of other companies that provided electronics to the Russian aircraft manufacturer Sukhoi. The article states the following, while actually quoting another article from Kiberblog that had picked up on my original blog post:
Speaking of sanctions: did you know that Norsi Trans is sanctioned by the Office of Foreign Assets Control (OFAC)? To put it in plain and simple words: if you use Lampyre and Lampyre belongs to Norsi Trans (I think we can see this as a fact now), you are actually supporting a sanctioned entity. Now, regardless of whether working with Russian software is good or bad, this for me is the final blow: don't use Lampyre.
In the meantime, Data Tower has registered in the United Arab Emirates. The UAE company is now listed in the terms of service on the Lampyre website. Unfortunately, I can't acquire a list of shareholders from this company register. But if I had to bet, I would assume they cut Laszlo out and now have Russians or actually the company Norsi Trans placed as the shareholders here.
As you can see, a story that started five years ago still hasn't come to an end and there is plenty more to be discovered. Bottom line is that we can prove without a doubt that using Lampyre actually means supporting a sanctioned Russian business. So, be careful what you OSINT with and always conduct your due diligence beforehand. Now, I could tell you that another global player in the OSINT game has its roots in Russia, around 75% of its workforce is Russian and some likely still on a Russian payroll, and that the company is still registered in Russia - but I'll leave that one to you to figure out.
One last thing: I also wrote a blog about bad sock puppets a while back. It can still be found in the Wayback Machine. In this blog I had discovered some sock puppets that I felt were linked to Russia and were following me on Twitter and LinkedIn. One of these profiles had used a stock image as a profile pic:
About two years later, I was going through my "Lampyre files" again and noticed something similar in a presentation that Eugene from Norsi Trans had put together about VITOK OSINT.
Come on Eugene, you could have done better than that. I know you have a real LinkedIn profile, just follow me with that one. I'll accept the connection request, I promise.
CyberSecurity Professional | SANS Cyber Academy | GCIH | GSEC | GFACT | Sec+ |
3mo
Really interesting! Thank you for sharing.

Resilience Through Faith | Security Analyst / SecOps Engineer Confidential | TryHackMe [Top 2%] | Aspiring Purple Teamer | OSINT Enthusiast |
3mo
Amazing work 💪

GRC | Infosec | Cybersec | IT Risk
4mo
Some great investigating, namely impressive memory and holistic capabilities! 👌

Global Director - CSIS Intelligence at Citi
4mo
Great article Matthias

🇮🇸 Managing Director at Darknet ehf - 🌿 Building a better world, one bit at a time.
4mo
I remember your original post 🙂 This is a timely reminder. And of course, compartmentalizing things is good practice. Definitely set up an air-gapped or containerized environment when dealing with sensitive (or dirty) data... And OPSEC first.