Draft:Dancho Danchev
{{AFC submission|d|bio|u=Ahsks873|ns=118|decliner=Theroadislong|declinets=20250607095319|ts=20250521095400}}
{{AFC submission|d|bio|u=Ahsks873|ns=118|decliner=Paul W|declinets=20240208141133|reason2=adv|small=yes|ts=20240126113141}}
{{AFC submission|d|bio|u=Ahsks873|ns=118|decliner=Vanderwaalforces|declinets=20231102134206|small=yes|ts=20230718095304}}
{{AFC comment|1=very poorly sourced... facebook Discogs linkedin. Theroadislong (talk) 09:53, 7 June 2025 (UTC)}}
{{AFC comment|1=Please remove all sentences about his mentions in the media. It is not useful to reader understanding and clutters the page. Ca talk to me! 04:24, 3 June 2025 (UTC)}}
{{AFC comment|1=Subject may be notable, but article needs substantial editing to remove the promotional tone (needs to be factual and neutral - see WP:NPOV - the first two paragraphs of the biography section should be immediately deleted for a start), and to present the subject's life/career in a more chronological order up to the present day. Paul W (talk) 14:11, 8 February 2024 (UTC)}}
{{AFC comment|1=Currently source does not cover him significantly, please see WP:SIGCOV. Vanderwaalforces (talk) 13:42, 2 November 2023 (UTC)}}
----
{{Short description|Bulgarian cybersecurity researcher}}
{{Draft topics|internet-culture|software|technology}}
{{AfC topic|blp}}
Dancho Danchev (Данчо Данчев) (born November 22, 1983) is a Bulgarian cybersecurity researcher, journalist and blogger. Born in Sofia, he now lives in Troyan.
Biography
Danchev is an influential figure in the world of cybersecurity. With his extensive knowledge and experience he has made significant contributions to this field. One of his key contributions to cyber security is his role in uncovering and analyzing new cyber threats. He has a keen ability to identify emerging trends and techniques used by threat actors, which has helped organizations stay one step ahead in protecting their systems and data.
Dancho Danchev has pioneered his own methodology for processing threat intelligence, leading to hundreds of high-quality analysis and research articles published at ZDNet's Zero Day blog, at his own blog, Dancho Danchev's Mind Streams of Information Security Knowledge,{{Cite web |title=Dancho Danchev's Blog - Mind Streams of Information Security Knowledge |url=https://ddanchev.blogspot.com |archive-url=https://web.archive.org/web/20060112090437/http://ddanchev.blogspot.com/ |archive-date=2006-01-12 |website=Dancho Danchev's Blog - Mind Streams of Information Security Knowledge}} and at Webroot's Threat Blog, with his research featured in Techmeme, ZDNet, CNN, PCWorld, SCMagazine, TheRegister, NYTimes, CNET, ComputerWorld and H+Magazine.
He has been active on Twitter,{{Cite web |title=Twitter |url=https://twitter.com/dancho_danchev |access-date=2024-04-25 |website=Twitter}} LinkedIn{{Cite web |title=LinkedIn |url=https://linkedin.com/in/ddanchev |website=LinkedIn.com}} and Facebook,{{Cite web |title=Facebook |url=https://facebook.com/dancho.danchev.1426/ |access-date=2024-04-25 |website=Facebook}} and has made all of his research throughout the years publicly accessible on the Internet Archive.{{Cite web |title=Archive.org |url=https://archive.org/details/@ddanchev |access-date=2024-04-25 |website=Archive.org}}
He has presented at RSA Europe 2012,{{Cite web |title=Cyber Jihad vs Cyberterrorism - Separating Hype from Reality |url=https://speakerdeck.com/ddanchev/rsa-europe-presentation-01 |access-date=2024-04-25 |website=Speakerdeck}} CyberCamp 2016 in Spain,{{Cite web |title=Exposing Koobface - The World's Largest Botnet |url=https://speakerdeck.com/ddanchev/cyber-camp-exposing-koobface-botnet-02 |access-date=2024-04-25 |website=Speakerdeck}} InfoSec 2012 in London, GCHQ{{Cite web |title=Who's Who in Cybercrime for 2007? |url=https://speakerdeck.com/ddanchev/cesg-hp-cyberintel-dancho |access-date=2024-04-25 |website=Speakerdeck}} in Cheltenham, Interpol{{Cite web |title=Exposing the Dynamic Money Mule Recruitment Ecosystem |url=https://speakerdeck.com/ddanchev/cesg-hp-cyberintel-dancho |access-date=2024-04-25 |website=Speakerdeck}} in Lyon, France, and Cyber Security Talks Bulgaria.{{Cite web |title=Cyber Security Talks Bulgaria |url=https://www.cybersecuritytalks.bg/articles/6-cyber-security-talks-bulgaria |access-date=2025-03-15 |website=CyberSecurityTalks.bg}}
Danchev has been an active security blogger since 2007. He is a cybersecurity researcher and a WhoisXML API threat researcher.{{Cite web |title=Who Could Be Behind the Latest GitHub-Hosted Malware Infrastructure? |url=https://circleid.com/posts/20220928-who-could-be-behind-the-latest-github-hosted-malware-infrastructure |access-date=2023-07-17 |website=circleid.com |language=en}}{{Cite web |title=Koobface Makes a Comeback |url=https://circleid.com/posts/20220730-koobface-makes-a-comeback |access-date=2023-07-17 |website=circleid.com |language=en}}{{Cite web |title=Predator Surveillance Software May Not Be Lawful at All |url=https://circleid.com/posts/20220712-predator-surveillance-software-may-not-be-lawful-at-all |access-date=2023-07-17 |website=circleid.com |language=en}} He is known for reporting on the Chinese hacktivist attack on CNN in 2008, with additional reports on the Operation Ababil attack on Wells Fargo, U.S. Bank and PNC Bank, and on the New York Times advertisement attack in 2009.{{Cite web |title=Hackers expand massive IFRAME attack to prime sites |url=https://www.networkworld.com/article/2285012/hackers-expand-massive-iframe-attack-to-prime-sites.html |archive-url=https://web.archive.org/web/20201020062815/https://www.networkworld.com/article/2285012/hackers-expand-massive-iframe-attack-to-prime-sites.html |archive-date=2020-10-20 |access-date=2023-07-17 |website=NetworkWorld}}
At ZDNet's Zero Day blog, he co-wrote articles and analyses on East European criminal activity and online scams. Danchev's research often focused on the cyber terrorism activities of terrorist groups and on monitoring the Koobface worm, which targeted users of social networking sites, including Facebook.
He then started working for Webroot.{{Cite web |title=Welcome to the team, Dancho! |url=https://www.webroot.com/blog/2012/01/05/welcome-to-the-team-dancho/ |access-date=2024-01-25 |website=Webroot Blog|date=5 January 2012 }} In 2021 he started{{Cite web |title=Dancho Danchev |url=https://cybernews.com/author/danchod/ |access-date=2024-01-26 |website=Cybernews}} working for CyberNews{{Cite web |title=US Section 702 - or how the US plans to reclaim dominance over the threat intelligence market segment |url=https://cybernews.com/security/us-plans-reclaim-dominance-over-threat-intelligence-market/ |access-date=2025-05-21 |website=Cybernews|date=4 June 2021 }}.
Danchev went missing in 2011, according to reports, after his blog post on the collection of his research on terrorist organizations' use of the internet for jihad.{{Cite magazine |last=Zetter |first=Kim |title=Security Researcher, Cybercrime Foe Goes Missing |language=en-US |magazine=Wired |url=https://www.wired.com/2011/01/dancho-danchev-missing/ |access-date=2023-07-17 |issn=1059-1028}} With help from the security community and security professionals, he resurfaced{{Cite web |title=Dancho Danchev returns |url=https://www.scmagazine.com/news/dancho-danchev-returns |access-date=2024-01-26 |website=SCMagazine|date=21 January 2011 }} in January 2011.
Key career points
- Presented at the GCHQ with the Honeynet Project{{Cite web |title=Who's Who in Cybercrime for 2007? |url=https://speakerdeck.com/ddanchev/cesg-hp-cyberintel-dancho |access-date=2024-04-25 |website=Speakerdeck}}
- SCMagazine Who to Follow on Twitter for 2011
- Participated in a Top Secret GCHQ Program called "Lovely Horse"{{Cite web |title=Lovely Horse |url=https://cryptome.org/2015/02/gchq-lovely-horse-intercept-15-0204.pdf |access-date=2024-04-25 |website=Cryptome}}
- Identified Palo Alto Networks as a major victim{{Cite web |title=Robust Indicators of Compromise for SUNBURST |url=https://www.netresec.com/?page=Blog&month=2021-01&post=Robust-Indicators-of-Compromise-for-SUNBURST |access-date=2024-04-25 |website=Netresec| date=11 January 2021 }} of the SolarWinds attack
- Found malware{{Cite web |title=After-Action Report: Flashpoint Remediation of 0-Day Exploit on Our Public-Facing Website |url=https://flashpoint.io/blog/after-action-report-flashpoint-remediation-of-0-day-exploit-on-our-public-facing-website/ |access-date=2024-04-25 |website=Flashpoint|date=22 April 2019 }} on Flashpoint's web site{{Cite web |title=Flashpoint: Our site was not dishing malware |url=https://www.scmagazine.com/news/flashpoint-our-site-was-not-dishing-malware |access-date=2024-04-25 |website=SCMagazine|date=23 April 2019 }}
- Tracked, monitored and profiled the Koobface botnet{{Cite web |title=Dancho Danchev unmasks man behind the Koobface Botnet |url=https://www.csoonline.com/article/541438/data-protection-dancho-danchev-unmasks-man-behind-the-koobface-botnet.html |access-date=2024-04-25 |website=CSO Online}} and exposed one botnet operator
- Featured on Slashdot twice{{Cite web |title=The Strange Disappearance of Dancho Danchev |url=https://yro.slashdot.org/story/11/01/15/016241/the-strange-disappearance-of-dancho-danchev |access-date=2024-04-25 |website=Slashdot|date=14 January 2011 }}{{Cite web |title=Future Trends of Malware |url=https://it.slashdot.org/story/06/01/11/1323212/future-trends-of-malware |access-date=2024-04-25 |website=Slashdot|date=11 January 2006 }}
- His personal blog has received 5.6M page views since December 2005
- His old Twitter account had 11,000 followers{{Cite web |title=Twitter |url=https://twitter.com/danchodanchev |url-status=dead |archive-url=https://web.archive.org/web/20150123044407/twitter.com/danchodanchev |archive-date=2015-01-23 |access-date=2024-04-25 |website=Twitter}}
- He had an average of 7,000 RSS readers on his blog
- A Canadian artist released a vinyl record titled "Blue Sabbath Black Cheer / Griefer – We Hate You / Dancho Danchev Suck My Dick"{{Cite web |title=Blue Sabbath Black Cheer / Griefer – We Hate You / Dancho Danchev Suck My Dick |url=https://www.discogs.com/release/2365257-Blue-Sabbath-Black-Cheer-Griefer-We-Hate-You-Dancho-Danchev-Suck-My-Dick |access-date=2024-04-25 |website=Discogs|date=July 2010 }}
- He is currently running Astalavista.box.sk
- Listed as a major competitor by Jeffrey Carr's Taia Global
Early teenage hacker years
His first teenage hacker group, which he created and in which he worked alone, was called S1F{{Cite news |title=Security is Futile - For All of Your Security Needs |url=https://users.ldproxy.com/maniac |archive-url=https://web.archive.org/web/20010208101236/users.ldproxy.com/maniac |archive-date=2001-02-08 |work=LDProxy.com}} (Sekurity is Futile). He is also known to have moderated Blackcode Security Raver's{{Cite news |title=BC-Newsletter-1.zip |url=https://packetstormsecurity.com/files/16968/BC-Newsletter-1.zip.html |work=Packetstormsecurity.com}} newsletter.{{Cite news |title=black2.zip |url=https://packetstormsecurity.com/files/16969/black2.zip.html |work=Packetstormsecurity.com}} He originally began writing security and hacking articles, which were published on NewOrder.{{Cite news |title=The Maniac |url=https://newdata.box.sk/themaniac/ |archive-url=https://web.archive.org/web/20031126001647/http://newdata.box.sk/themaniac/ |archive-date=2003-11-26 |work=Neworder.box.sk}} During that time he was also writing articles for Frame4 Security Systems, where he wrote the infamous "The Complete Windows Trojans Paper",{{Cite news |title=The Complete Windows Trojans Paper |url=https://www.frame4.com/cms/news/publications/the_complete_windows_trojans_paper.html |archive-url=https://web.archive.org/web/20060510200851/http://www.frame4.com/cms/news/publications/the_complete_windows_trojans_paper.html |archive-date=2006-05-10 |work=Frame4 Security Systems}} and for WindowSecurity.com,{{Cite news |title=Dancho Danchev |url=https://www.windowsecurity.com/authors/dancho-danchev/ |archive-url=https://web.archive.org/web/20150427031602/http://www.windowsecurity.com/authors/dancho-danchev/ |archive-date=2015-04-27 |work=WindowSecurity.com}} and was running an information security section at HiComm Bulgaria, a popular technology magazine. He also contributed an article to CIO.bg.{{Cite news |title=Кибертероризмът и кибервойните – до колко реален е проблемът? |url=https://cio.bg/621_kiberterorizmat_i_kibervojnite_do_kolko_realen_e_problemat |archive-url=https://web.archive.org/web/20090620055340/http://cio.bg:80/621_kiberterorizmat_i_kibervojnite_do_kolko_realen_e_problemat |archive-date=2009-06-20 |work=CIO.bg |language=bg}} He was also a member of various H/C/P/A (Hacking/Cracking/Phreaking/Anarchy) groups at the time. His first commercial position was at the anti-trojan vendor DiamondCS, maker of Trojan Defense Suite, where he assisted in building the Trojan Information Database.{{Cite news |title=tlibrary.zip |url=https://packetstormsecurity.com/files/25533/tlibrary.zip.html |work=Packetstormsecurity.com}} He later bought the software copyright and sold it to LockDownCorp, a competing anti-trojan vendor, where he then started working, collecting malicious software releases in order to improve the vendor's market position as a leading anti-trojan vendor. He continued his work on the Trojan Database{{Cite news |title=Trojan Information Database |url=https://lockdown2000.com:80/hlp/ldhelp.exe |archive-url=https://web.archive.org/web/20040104225354/http://lockdown2000.com:80/hlp/ldhelp.exe |archive-date=2004-01-04 |work=LockDownCorp}} and began producing detailed information on the various malicious software releases he was collecting as part of his work.
Education
Danchev studied at Vasil Levski Secondary School in Troyan, Bulgaria, and later in the Netherlands at Hogeschool Zuyd in Sittard and Hogeschool Inholland in Rotterdam.{{Citation needed|date=February 2024}}
Work career
File:Infosec 274950404446643.jpg
Danchev is known to have moderated DiamondCS's Trojan Defense Suite newsletter in 1999.{{Cite web |title=Trojan Defense Suite |url=http://tds.diamondcs.com.au/ |archive-url=https://web.archive.org/web/19991012070252/http://tds.diamondcs.com.au/ |archive-date=1999-10-12 |website=DiamondCS}} He then joined the Netherlands-based company Frame4 Security Systems, where he wrote the infamous "The Complete Windows Trojans Paper". He then worked for TechGenix's{{Cite web |title=Dancho Danchev |url=https://techgenix.com/author/dancho-danchev/ |access-date=2024-01-26 |website=TechGenix}} WindowSecurity.com, where he wrote the paper "Building and Implementing a Successful Information Security Policy". Danchev is known to have run Astalavista Security Group's Astalavista.com{{Cite web |title=Team Astalavista Group |url=http://www.astalavista.ch/index.php?page=222 |archive-url=https://web.archive.org/web/20040216222503/http://www.astalavista.ch/index.php?page=222 |archive-date=2004-02-16 |website=Astalavista.ch}} web site in 2003 and the Astalavista.box.sk web site in 2021. He presently works at WhoisXML API as a DNS Threat Researcher.
He is known to have worked at the following companies and organizations:
- 1999 - DiamondCS
- 2000 - LockDownCorp
- 2002 - Frame4 Security Systems
- 2003 - TechGenix
- 2003 - ASTALAVISTA IT Engineering GmbH{{Cite web |title=Team Astalavista Group |url=https://www.astalavista.ch/index.php?page=222 |archive-url=https://web.archive.org/web/20040216222503/http://www.astalavista.ch/index.php?page=222 |archive-date=2004-02-16 |website=Astalavista.ch}}
- 2008 - ZDNet
- 2012 - Webroot
- 2014 - Wandera
- 2017 - GroupSense
- 2018 - KCS GROUP EUROPE LIMITED
- 2019 - Treadstone 71
- 2019 - Armadillo Phone
- 2020 - Astalavista.box.sk
- 2021 - WhoisXML API
- 2025 - Rexxfield Cybercrime Investigations
- 2025 - Merkle Science
He has also contributed to ITSecurity.com's Security Clinic{{Cite web |title=Dancho Danchev |url=https://itsecurity.com |url-status=dead |archive-url=https://web.archive.org/web/20040601065739/http://www.itsecurity.com:80/asktecs/biogs/danchodanchev.htm |archive-date=2004-06-01 |access-date=2024-04-25 |website=ITSecurity.com}} and was a newsletter moderator at Blackcode Ravers.{{Cite web |title=Blackcode |url=https://www.blackcode.com |url-status=dead |archive-url=https://web.archive.org/web/19991127111938/http://www.blackcode.com/content.htm |archive-date=1999-11-27 |access-date=2024-04-25 |website=Blackcode}}
Disappearance
In September 2010, Danchev went missing under mysterious circumstances amid concerns about his safety. Prior to his disappearance, he had expressed concerns about surveillance by Bulgarian law enforcement and intelligence services. Despite efforts to contact him through various means, including phone and email, he could not be reached. ZDNet published a letter and photos he had sent, seeking information on his whereabouts. While anonymous sources indicated he was alive but facing difficulties, the exact details of his disappearance remain unknown.
According to Internet Anthropologist,{{Cite web |title=Dancho Danchev Missing |url=https://warintel.blogspot.com/2011/01/dancho-danchev-missing.html |url-status=dead |archive-url=https://web.archive.org/web/20110120170150/http://warintel.blogspot.com/2011/01/dancho-danchev-missing.html |archive-date=2011-01-20 |access-date=2024-04-25 |website=Internet Anthropologist Think Tank}} who tried to track him down using his law enforcement contacts, Danchev's legal contact in Sofia, Bulgaria, said that he was in a psychiatric clinic, as his mother had requested the hospitalization because of his belief that he was under surveillance. The same information was confirmed by Krypt3ia{{Cite web |title=The NRS, Dancho Danchev, and A Beautiful Mind |url=https://krypt3ia.wordpress.com/2011/01/17/the-nrs-dancho-danchev-and-a-beautiful-mind/ |access-date=2024-01-26 |website=Krypt3ia|date=17 January 2011 }} and by Threatpost, which approached a press officer{{Cite web |title=ZDNet Security Blogger Goes Missing in Bulgaria |url=https://threatpost.com/zdnet-security-blogger-goes-missing-bulgaria-011411/74850/ |access-date=2024-01-26 |website=Threatpost|date=14 January 2011 }} at the U.S. Embassy in Sofia, Bulgaria, who said that they were unaware of his case but would look into reports of his arrest. The hospital where Danchev was held confirmed that he would be released{{Cite web |title=Dancho Danchev: Missing cybersecurity expert |url=https://www.scmagazine.com/news/dancho-danchev-missing-cybersecurity-expert |access-date=2024-01-26 |website=SCMagazine|date=20 January 2011 }} within four or six weeks but otherwise declined to comment.
Prior to his disappearance, he had sent an email{{Cite web |title=Cybercrime Blogger Resurfaces After Mysterious Disappearance |url=https://gizmodo.com/cybercrime-blogger-resurfaces-after-mysterious-disappea-5739805 |access-date=2024-01-26 |website=Gizmodo|date=21 January 2011 }} describing the situation to a colleague, in case something happened to him, including a photo of a supposed surveillance device in his bathroom.
In 2013 the infamous Darkode forum was breached, and according to information made public by those who breached it, the forum contained a hitman request{{Cite web |title=Darkode Repository |url=https://darkode.cybercrime-tracker.net/index.php?dir=Random%20interesting%20stuff/Dancho%20Danchev |access-date=2024-01-26 |website=Cybercrime Tracker}} for Dancho Danchev.
This was covered by Slashdot,{{Cite web |title=The Strange Disappearance of Dancho Danchev |url=https://yro.slashdot.org/story/11/01/15/016241/the-strange-disappearance-of-dancho-danchev |access-date=2024-01-27 |website=Slashdot|date=14 January 2011 }} ZDNet,{{Cite web |title=We need help with the strange disappearance of Dancho Danchev |url=https://www.zdnet.com/article/we-need-help-with-the-strange-disappearance-of-dancho-danchev/ |access-date=2024-01-27 |website=ZDNet}} CSO Online,{{Cite web |title=Update on Dancho Danchev |url=https://www.csoonline.com/article/540842/data-protection-update-on-dancho-danchev.html |access-date=2024-01-27 |website=CSO Online}} SC Magazine,{{Cite web |title=Dancho Danchev: Missing cybersecurity expert |url=https://www.scmagazine.com/news/dancho-danchev-missing-cybersecurity-expert |access-date=2024-01-27 |website=SC Magazine|date=20 January 2011 }} Gizmodo,{{Cite web |title=ZDNet Blogger Disappears Mysteriously in Bulgaria |url=https://gizmodo.com/zdnet-blogger-disappears-mysteriously-in-bulgaria-5733964 |access-date=2024-01-27 |website=Gizmodo|date=14 January 2011 }} Gawker,{{Cite web |title=Cybercrime Blogger Vanishes After Finding Tracking Device In His Bathroom |url=https://gawker.com/5733961/cybercrime-blogger-vanishes-after-finding-tracking-device-in-his-bathroom |url-status=dead |archive-url=https://web.archive.org/web/20110116161857/https://gawker.com/5733961/cybercrime-blogger-vanishes-after-finding-tracking-device-in-his-bathroom |archive-date=2011-01-16}} PC Mag,{{Cite web |title=ZDNet Security Blogger Mysteriously Disappears |url=https://uk.pcmag.com/news/103057/zdnet-security-blogger-mysteriously-disappears |access-date=2024-01-27 |website=PC Mag|date=14 January 2011 }} Techdirt{{Cite web |title=Bulgarian Security/Cybercrime Researcher Missing For Months |url=https://www.techdirt.com/2011/01/14/bulgarian-securitycybercrime-researcher-missing-months/ |access-date=2024-01-27 |website=Techdirt|date=14 January 2011 }} and TG Daily.
Cybercrime Underground
Danchev's work and research have been quoted and referenced by Russia-based cybercriminals and cybercrime gangs on numerous occasions, including:
- A "Dancho Danchev and Brian Krebs got married" message{{Cite web |title=Krebs, KrebsOnSecurity, As Malware Memes |url=https://krebsonsecurity.com/2013/05/krebs-krebsonsecurity-as-malware-memes/ |access-date=2024-04-25 |website=Krebsonsecurity.com|date=22 May 2013 }}
- Koobface Botnet C&C channel referencing him in the network communication{{Cite web |title=The Heart of KOOBFACE C&C and Social Network Propagation |url=https://media.kasperskycontenthub.com/wp-content/uploads/sites/58/2009/12/21185104/the_20heart_20of_20koobface_final_1_.pdf |access-date=2024-04-25 |website=Kaspersky.com |page=25}}
- SpyEye blog post referencing him{{Cite web |title=SpyEye, ZeuS Users Target Tracker Sites |url=https://krebsonsecurity.com/2011/03/spyeye-zeus-users-target-tracker-sites/ |access-date=2024-04-25 |website=Krebsonsecurity.com|date=9 March 2011 }}
- Darkode Leak mentioning his kidnapping and Ivan Kaspersky's kidnapping{{Cite web |title=Dancho Danchev |url=https://darkode.cybercrime-tracker.net/index.php?dir=Random%20interesting%20stuff/Dancho%20Danchev |access-date=2024-04-25 |website=Darkode Cybercrime Tracker}}
- U.S. Treasury Department web site redirected to his personal Blogger profile{{Cite web |title=U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise |url=https://ddanchev.blogspot.com/2010/05/us-treasury-site-compromise-linked-to.html |access-date=2024-04-25 |website=Dancho Danchev's Blog - Mind Streams of Information Security Knowledge|date=4 May 2010 }}
- Scareware-serving campaign using a message referencing him{{Cite web |title=From Ukrainian Blackhat SEO Gang With Love - Part |url=https://ddanchev.blogspot.com/2009/06/from-ukrainian-blackhat-seo-gang-with.html |access-date=2024-04-25 |website=Dancho Danchev's Blog - Mind Streams of Information Security Knowledge|date=9 June 2009 }}
Astalavista.com
File:Astalavista 267305378544479.jpg
Danchev is known to have run Astalavista Security Group's Astalavista.com{{Cite book |url=https://books.google.com/books?id=DfmHTPRBjtwC&dq=%22astalavista+security+group%22&pg=PA73 |title=PC Mag |publisher=Ziff Davis |year=2005 |pages=73 |issn=0888-8507}} since 2003. He was responsible for producing the monthly security newsletter.{{Cite web |title=Astalavista |url=https://packetstormsecurity.com/groups/astalavista/ |access-date=2024-01-26 |website=Packetstormsecurity}}
He has interviewed the following people from the security industry and the scene:
- Proge — http://www.progenic.com/
- Jason Scott — http://www.textfiles.com/
- Kevin Townsend — http://www.Itsecurity.com/
- Richard Menta — http://www.bankinfosecurity.com
- MrYowler — http://www.cyberarmy.net/
- Prozac — http://www.astalavista.com/
- Candid Wuest — http://www.trojan.ch/
- Anthony Aykut — http://www.frame4.com/
- Dave Wreski — http://www.linuxsecurity.com/
- Mitchell Rowtow — http://www.securitydocs.com/
- Eric (SnakeByte) — http://www.snake-basket.de/
- Björn Andreasson — http://www.warindustries.com/
- Bruce — http://www.dallascon.com/
- Nikolay Nedyalkov — http://www.iseca.org/
- Roman Polesek — http://www.hakin9.org/en/
- John Young — http://www.cryptome.org/
- Eric Goldman — http://www.ericgoldman.org/
- Robert — http://www.cgisecurity.com/
- Johannes B. Ullrich — http://isc.sans.org/
- Daniel Brandt — http://google-watch.org/
- David Endler — http://www.tippingpoint.com/
- Vladimir, 3APA3A — http://security.nnov.ru/
Astalavista.box.sk
In 2020 Danchev announced the official re-launch{{Cite web |title=Astalavista.box.sk |url=https://astalavista.box.sk/phpBB3/ |archive-url=https://web.archive.org/web/20200313162927/http://astalavista.box.sk/phpBB3/ |archive-date=2020-03-13 |access-date=2024-04-25 |website=Astalavista.box.sk}} of the infamous Astalavista.box.sk hacking search engine web site with a forum community targeting security experts and hackers.
On April 7, 2021, an article was published on Medium.com{{Cite web |title=Astalavista.box.sk — We're Back! Introducing the World's first search engine for hackers! |url=https://medium.com/@danchodanchev/astalavista-box-sk-were-back-introducing-the-world-s-first-search-engine-for-hackers-51b5541e81a5 |website=Medium|date=7 April 2021 }} by Dancho Danchev stating that the site is back up and running. Danchev has released several versions of the web site.{{Cite web |title=Astalavista.box.sk |url=https://astalavista.box.sk/ |archive-url=https://web.archive.org/web/20200507164247/https://astalavista.box.sk/ |archive-date=2020-05-07 |website=Astalavista.box.sk}}{{Cite web |title=Astalavista.box.sk |url=https://astalavista.box.sk/ |archive-url=https://web.archive.org/web/20210303044729/https://astalavista.box.sk/ |archive-date=2021-03-03 |access-date=2024-04-25 |website=Astalavista.box.sk}}
Koobface botnet
In October 2009 the Koobface gang redirected Facebook's Internet Protocol (IP) netspace{{Cite web |title=Koobface Botnet Redirects Facebook's IP Space to my Blog |url=https://ddanchev.blogspot.com/2009/10/koobface-botnet-redirects-facebooks-ip.html |access-date=2024-04-25 |website=Dancho Danchev's Blog - Mind Streams of Information Security Knowledge|date=21 October 2009 }} to his blog.
In February 2010 Danchev posted an article called "10 things you didn't know about the Koobface gang",{{Cite web |title=10 things you didn't know about the Koobface gang |url=http://www.zdnet.com/blog/security/10-things-you-didnt-know-about-the-koobface-gang/5452 |access-date=2024-04-25 |website=ZDNet.com}} in which he discussed some of the key aspects of the Koobface botnet. In May 2010 the group responded{{Cite web |title=Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post" |url=https://ddanchev.blogspot.com/2010/05/koobface-gang-responds-to-10-things-you.html |access-date=2024-04-25 |website=Dancho Danchev's Blog - Mind Streams of Information Security Knowledge|date=17 May 2010 }} to his article with a step-by-step reply placed within the source code served by all the malware-infected hosts that were distributing the malicious software.
In January 2012 The Register published{{Cite web |title=Five Koobface botnet suspects named by New York Times |url=https://www.theregister.com/2012/01/18/koobface_prime_suspect_outed/ |access-date=2012-01-18 |website=The Register}} an article stating that five Koobface gang suspects had been named by The New York Times{{Cite news |title=Web Gang Operating in the Open |work=The New York Times |date=17 January 2012 |url=https://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in-the-open.html |access-date=2024-04-25 |last1=Richmond |first1=Riva }} following Danchev's investigation.
In January 2012 Danchev gave an interview{{Cite web |title=Cybercriminals unveiled |url=https://www.dw.com/en/bulgarian-sleuth-unveils-botnet-operators/a-15689368 |access-date=2024-04-25 |website=DW.com}} to DW in which he discussed his findings on the Koobface botnet.
In February 2012 Danchev posted an OSINT (Open Source Intelligence) analysis called "Who's Behind the Koobface Gang?",{{Cite web |title=Who's Behind the Koobface Botnet? - An OSINT Analysis |url=https://ddanchev.blogspot.com/2012/01/whos-behind-koobface-botnet-osint.html |access-date=2024-04-25 |website=Dancho Danchev's Blog - Mind Streams of Information Security Knowledge|date=9 January 2012 }} in which he provided personally identifiable information on one of the botnet masters behind the Koobface botnet.
2008 Developments
File:Images koobface botnet.png
In 2006 he released his Malware Future Trends{{Cite news |title=De toekomst van malware |url=https://www.security.nl/posting/12781/De+toekomst+van+malware |work=Security.nl |language=nl}} paper, in which he presented his findings on the current and future trends of malicious software. He also reported that Trend Micro's{{Cite news |title=Website Trend Micro infecteert bezoekers met malware |url=https://www.security.nl/posting/18232/Website+Trend+Micro+infecteert+bezoekers+met+malware |work=Security.nl |language=nl}} web site had been infected with malware and that the United Nations{{Cite news |title=500.000 websites gehackt in grootschalige aanval |url=https://www.security.nl/posting/18534/500_000+websites+gehackt+in+grootschalige+aanval |work=Security.nl |language=nl}} web site was susceptible to a SQL injection flaw.
He also offered in-depth coverage of the rise of the Storm Worm{{Cite news |title=I Love You maakt rentree dankzij Storm worm |url=https://www.security.nl/posting/18660/I+Love+You+maakt+rentree+dankzij+Storm+worm |work=Security.nl |language=nl}} botnet, found that the Whitehouse.org{{Cite news |title=Whitehouse.org infecteert bezoekers met malware |url=https://www.security.nl/posting/18668/Whitehouse_org+infecteert+bezoekers+met+malware |work=Security.nl |language=nl}} web site was serving malware, and found a malware campaign that was exploiting a Flash zero-day{{Cite news |title=Waarschuwing: Flash-lek op grote schaal misbruikt |url=https://www.security.nl/posting/18706/Waarschuwing%3A+Flash-lek+op+grote+schaal+misbruikt |work=Security.nl |language=nl}} flaw. He researched the GPCode{{Cite news |title="Puisterige Russische tieners achter gijzelvirus" |url=https://www.security.nl/posting/18799/"Puisterige+Russische+tieners+achter+gijzelvirus" |work=Security.nl |language=nl}} malicious software and offered insights into the DNS hijacking of PhotoBucket{{Cite news |title=Turkse hackers kapen DNS Photobucket |url=https://www.security.nl/posting/18852/Turkse+hackers+kapen+DNS+Photobucket |work=Security.nl |language=nl}} by Turkish hacktivists. He also uncovered that the infamous ZeuS{{Cite news |title=Achilleshiel in Zeus crimeware-toolkit nekt hackers |url=https://www.security.nl/posting/18861/Achilleshiel+in+Zeus+crimeware-toolkit+nekt+hackers |work=Security.nl |language=nl}} crimeware kit was vulnerable to a zero-day flaw, and provided an analysis of the mass defacement by Russian hackers of over three hundred Lithuanian{{Cite news |title=Russische hackers bekladden 300 Letse overheidssites |url=https://www.security.nl/posting/18956/Russische+hackers+bekladden+300+Letse+overheidssites |work=Security.nl |language=nl}} web sites.
He was also featured in Computerworld on Russia's{{Cite news |title=Russian hacker 'militia' mobilizes to attack Georgia |url=https://www.computerworld.com.au/article/256798/russian_hacker_militia_mobilizes_attack_georgia/ |archive-url=https://web.archive.org/web/20131219225032/https://www.computerworld.com.au/article/256798/russian_hacker_militia_mobilizes_attack_georgia/ |archive-date=2013-12-19 |work=Computerworld.com}} cyber militia mobilizing to attack Georgia. His research into a Facebook-themed{{Cite news |title=Fraudsters Target Facebook With Phishing Scam |url=https://www.wired.com/2008/01/fraudsters-target-facebook-with-phishing-scam/ |work=Wired.com}} phishing campaign was featured on Wired. His research on a fake Microsoft Patch Tuesday{{Cite news |title=Fake Microsoft e-mail contains Trojan virus |url=https://www.cnet.com/news/privacy/fake-microsoft-e-mail-contains-trojan-virus/ |work=CNET.com}} email spam campaign delivering malware was featured in CNET. He was also among the first security researchers to raise awareness of a mass cyber attack involving the abuse of input validation{{Cite news |title=Hackers expand massive IFrame attack to prime sites |url=https://www.computerworld.com/article/1573455/hackers-expand-massive-iframe-attack-to-prime-sites.html |work=Computerworld.com}} flaws on thousands of legitimate web sites, which was featured in Computerworld.
He also offered an insight into how hackers took Comcast.net{{Cite news |title=Hackers knocked Comcast.net offline |url=https://www.infoworld.com/article/2652021/hackers-knocked-comcast-net-offline.html |work=InfoWorld.com}} offline, which was featured in InfoWorld.
His research on a recently exploited Adobe Flash{{Cite news |title=Adobe investigates Flash Player attacks |url=https://www.securityfocus.com/brief/744 |archive-url=https://web.archive.org/web/20111011211805/https://www.securityfocus.com/brief/744 |archive-date=2011-10-11 |work=Securityfocus.com}} zero-day vulnerability was featured in SecurityFocus. He offered insights into the U.S. Air Force's{{Cite news |title=Carpet bombing networks in cyberspace |url=https://www.cnet.com/news/privacy/carpet-bombing-networks-in-cyberspace/ |work=CNET.com}} efforts to build an offensive botnet, which was featured in CNET, and his research into the Storm Worm{{Cite news |title=Storm worm e-mail says U.S. attacked Iran |url=https://www.cnet.com/news/privacy/storm-worm-e-mail-says-u-s-attacked-iran/ |work=CNET.com}} botnet was also featured in CNET. His research into India's CAPTCHA-solving{{Cite news |title=India's underground CAPTCHA-breaking economy |url=https://boingboing.net/2008/08/30/indias-underground-c.html |work=BoingBoing}} economy was featured on BoingBoing.
2009 Developments
In 2009 Dancho Danchev was referenced three times in Foreign Policy{{Cite news |title="In gaz we trust": a fake Russian energy company facilitating cybercrime |url=https://foreignpolicy.com/2009/05/20/in-gaz-we-trust-a-fake-russian-energy-company-facilitating-cybercrime/ |work=Foreignpolicy.com}} on his findings about a fake Russia-based gas company that was facilitating cybercrime activities, including a reference to his research into ransomware{{Cite news |title=Don't pay your ransom via SMS |url=https://foreignpolicy.com/2009/05/12/dont-pay-your-ransom-via-sms/ |work=Foreignpolicy.com}} using mobile payments and a reference to his research into DDoS{{Cite news |title=Is "aggregate-and-forget" the future of cyber-extortion? |url=https://foreignpolicy.com/2009/11/04/is-aggregate-and-forget-the-future-of-cyber-extortion/ |work=Foreignpolicy.com}} attacks. He was also featured in The Register{{Cite news |title=NYT scareware scam linked to click fraud botnet |url=https://www.theregister.com/2009/09/18/scareware_botnet_scam/ |work=TheRegister}} with his research on what he described as the "Ukrainian Fan Club", emphasizing the connection between the scareware attack campaign on the web site of the NYTimes and the click fraud botnet known as the Bahama botnet. He was featured in a separate article in InfoWorld{{Cite news |title=Microsoft declares war on 'scareware' |url=https://www.infoworld.com/article/2629993/microsoft-declares-war-on--scareware-.html |work=InfoWorld.com}} on the "Ukrainian Fan Club", where his research established a connection between the cybercrime gang and an active scareware distribution campaign. His research on Iran's cyber attack campaigns was also featured in PCWorld{{Cite news |title=With Unrest in Iran, Cyber-attacks Begin |url=https://www.pcworld.com/article/523585/article-5674.html |work=PCWorld.com}}.
He was also featured in The Register{{Cite web |title=Zeus bot found using Amazon's EC2 as C&C server |url=https://www.theregister.com/2009/12/09/amazon_ec2_bot_control_channel/ |access-date=2024-10-13 |website=The Register}} in an article on a ZeuS crimeware release that was using Amazon's EC2 as a command and control channel.
2010 Developments
In 2010 Dancho Danchev was referenced in The Register{{Cite web |title=Cybercrime's bulletproof hosting exposed |url=https://www.theregister.com/2010/03/17/bulletproof_hosting_exposed/ |access-date=2024-10-13 |website=The Register}} in an article detailing the activities of a bulletproof hosting provider known as AS-Troyak. He was also referenced in Wired.com{{Cite magazine |title=Malware Threatens to Sue BitTorrent Downloaders |url=https://www.wired.com/2010/04/ransomware/ |access-date=2024-10-13 |website=Wired.com |last1=Kravets |first1=David }} in an article on a malicious software release that attempted to trick users into thinking they were being sued for owning copyrighted material. He was also mentioned in a PCWorld.com{{Cite web |title=Chuck Norris Botnet Karate-chops Routers Hard |url=https://www.pcworld.com/article/517118/article-4933.html |access-date=2024-10-13 |website=PCWorld.com}} article on the Chuck Norris botnet.
2011 Developments
In 2011 Dancho Danchev was referenced in a PCMag.com{{Cite web |title=Has EVN-SSL Growth Been Slow? |url=https://www.pcmag.com/archive/has-ev-ssl-growth-been-slow-283499 |access-date=2024-10-13 |website=PCMag.com}} article discussing EV SSL (Secure Sockets Layer) adoption and the insecurities of the practice. He was also mentioned in a Threatpost.com{{Cite web |title=Report: Vishing Attack Targets Skype Users |url=https://threatpost.com/report-vishing-attack-targets-skype-users-050211/75190/ |access-date=2024-10-13 |website=Threatpost.com|date=2 May 2011 }} article on a voice phishing (vishing) attack that was circulating across Skype.
2012 Developments
In 2012 Dancho Danchev was referenced in Helpnetsecurity.com{{Cite web |title=Fake UPS notices deliver malware |url=https://www.helpnetsecurity.com/2012/08/31/fake-ups-notices-deliver-malware/ |access-date=2024-10-13 |website=Helpnetsecurity.com|date=31 August 2012 }} in an article detailing a circulating malware attack that used fake UPS notices. He was also mentioned in a PCMag.com{{Cite web |title=Zeus/Zbot Trojans Spread Through Rogue U.S Airways Email |url=https://www.pcmag.com/archive/zeuszbot-trojan-spread-through-rogue-us-airways-email-296289 |access-date=2024-10-13 |website=PCMag.com}} article detailing a malware campaign that used rogue US Airways email notices to trick users into installing it.
2022 Developments
In 2022 Dancho Danchev released his Cyber Intelligence{{Cite web |title=Cyber Intelligence |url=https://archive.org/download/cyber-intelligence_20210817/cyber-intelligence_611b8774.pdf |website=Archive.org}} memoir, which was published on Cryptome.
2024 Developments
In January 2024 Dancho Danchev filed a FOIA{{Cite web |title=U.S Cyber Command 2024 FOIA Log |url=https://www.cybercom.mil/Portals/56/2024_%20FOIA_Log.pdf |access-date=2025-03-15 |website=Cybercom.mil}} request with U.S. Cyber Command about himself. In December 2024 he announced the relaunch of Astalavista.com{{Cite web |title=Astalavista.com - Official Re-Launch Introduction |url=https://forum.astalavista.com/blogs/entry/1-astalavistacom-official-re-launch-introduction/ |archive-url=https://web.archive.org/web/20241207031855/https://forum.astalavista.com/ |archive-date=2024-12-07 |website=Astalavista.com}} as a security forum community.
2025 Developments
In February 2025 Dancho Danchev was mentioned in a LinuxSecurity.com{{Cite web |title=ClatScope: Powerful OSINT Integration for Linux Administrators |url=https://linuxsecurity.com/features/clatscope-osint-for-security-and-linux-admins |access-date=2025-03-15 |website=LinuxSecurity.com}} article. In March 2025 he was also mentioned on the Romanian Snoop.ro{{Cite web |title=Investigații Pe urmele banilor din reclamele rusești. Drumul de la Ministerul Apărării din Rusia la date personale colectate din România |url=https://snoop.ro/pe-urmele-banilor-din-reclamele-rusesti-drumul-de-la-ministerul-apararii-din-rusia-la-date-personale-colectate-din-romania/ |access-date=2025-03-15 |website=Snoop.ro |date=4 March 2025 |language=ro}} site.
Interviews
Danchev gave an interview to Russian OSINT{{Cite web |title=Интервью с болгарским хакером Данчо Данчевым специально для Russian OSINT: Киберкрайм в 2021 |url=https://telegra.ph/Intervyu-s-hakerom-Dancho-Danchev-04-12 |archive-url=https://web.archive.org/web/20210413125349/https://telegra.ph/Intervyu-s-hakerom-Dancho-Danchev-04-12 |archive-date=2021-04-13 |website=Russian OSINT}}. He also gave an interview to LinuxSecurity.com{{Cite web |title=Open Source Intelligence, Security Hacking, and Security Blogger Dancho Danchev |url=https://linuxsecurity.com/features/open-source-intelligence-security-hacking-and-security-blogger-dancho-danchev |access-date=2024-04-25 |website=LinuxSecurity.com}}.
Research achievements
- According to a document from Edward Snowden's archive, Danchev participated in a Top Secret GCHQ program to monitor hackers online.{{Cite web |title=LOVELY HORSE – GCHQ Wiki Overview |url=https://theintercept.com/document/2015/02/04/lovely-horse-gchq-wiki-overview/ |archive-url=https://web.archive.org/web/20190414012621/https://theintercept.com/document/2015/02/04/lovely-horse-gchq-wiki-overview/ |archive-date=2019-04-14 |website=The Intercept}}
- Danchev discovered that Palo Alto Networks was a major victim of the SolarWinds supply chain attack.{{Cite web |title=Robust Indicators of Compromise for SUNBURST |url=https://www.netresec.com/?page=Blog&month=2021-01&post=Robust-Indicators-of-Compromise-for-SUNBURST |access-date=2024-01-25 |website=NETRESEC| date=11 January 2021 }}
- Danchev also contributed to research on the Avalanche and Mumba botnets.{{Cite web |title=The "Mumba" Botnet Disclosed |url=https://avg.typepad.com/files/revised-mumba-botnet-whitepaper_approved_yi_fv-2.pdf |access-date=2023-07-18 |website=AVG}}
- Danchev contributed research on cybercriminals' use of search engines, in the context of blackhat SEO (search engine optimization) and malicious search engine results poisoning.{{Cite web |title=Web hacks of 2007 and how to protect your web applications in 2008 with OWASP |url=https://owasp.org/www-chapter-belgium/assets/2008/2008-03-20/OWASP_BeLux_Infosecurity_v20080319_v2.pdf |access-date=2023-07-18 |website=OWASP}}
- Danchev contributed research on the Lithuanian cyber attacks and the Russia vs Georgia cyber attacks.{{Cite web |title=International Cyber Incidents Legal Considerations |url=https://ccdcoe.org/uploads/2018/10/legalconsiderations_0.pdf |access-date=2023-07-18 |website=CCDCOE}}
- Danchev ran and maintained the "Diverse Portfolio of Fake Security Software" series of blog posts on scareware.{{Cite web |title=Malzilla: Exploring scareware and drive-by malware |url=https://holisticinfosec.io/toolsmith/pdf/july2009.pdf |access-date=2023-07-18 |website=HolisticInfoSec}}
Awards
- Jesse H. Neal Award for Best Blog for ZDNet's Zero Day Blog in 2010{{Cite web |title=2010 Jesse H. Neal Award Winners |url=https://adage.com/article/btob/2010-jesse-h-neal-award-winners/278185 |access-date=2023-07-17 |website=Ad Age}}
- SCMagazine Social Media Award for "Five to Follow on Twitter" in 2011{{Cite web |title=SC Social Media Awards |url=https://www.scmagazine.com/news/content/sc-social-media-awards |access-date=2022-07-17 |website=SCMagazine|date=16 February 2011 }}
External links
[https://ddanchev.blogspot.com Dancho Danchev's Blog]
Gallery
File:Cyber camp.jpg|cyber camp
File:Cyber camp 01.jpg|cyber camp 01
File:Cyber security talks.png|cyber security talks
File:Cyber camp 02.jpg|cyber camp 02
File:Rsa europe.jpg|rsa europe
References
{{reflist}}