The Bank Heist


In February 2026 a threat actor named Prinz Eugen targeted Standard Bank and the Liberty Holdings group, exfiltrating around 1.2 terabytes of data, including an SQL dump containing sensitive client information. In this article I explore the group Prinz Eugen and one of its members, Rootboy.

The seed data

I first became aware of this data circulating around April 2026, when the following post appeared on a popular underground hacking forum from a user going by the name Rootboy.

[Screenshot: Rootboy's forum post]

The post linked to a .onion address (darknet) which took users to a site operated by a group calling themselves Prinz Eugen, a quiet nod to the German ship that sank in December 1946.

So who is Prinz Eugen?

They appear to be a new group on the ransomware scene, with their first target being one of the largest banks in South Africa. At the time of writing, a second victim is listed on their darknet site.

Where does Rootboy fit into all of this?

I believe Rootboy is likely one of their members because they had a preview of the data weeks before it was published on the Prinz Eugen darknet site (see the screenshot above for the exact date on which it was posted).

Using my corpus of open-source breach data, I found an email address for Rootboy in the leaked database of a popular hacking forum, released in March 2026.

The leaks in which they appear are:

  • BFV5 (verified) source: haveibeenpwned.com and local dataset
  • Breachforums 2025 (unverified) source: haveibeenpwned.com
  • Sancaktim (verified) (leaked around 2018) source: intelx.io and later local dataset

BFV5:

Please note that the data below was formatted using an LLM; however, I double-checked that it remains accurate against the raw SQL dumps.

User ID: 155806 
Username: rootboy 
Registered Email: r.boy@xxx.de 
Password Hash (Argon2i): $argon2i$v=19$m=65536,t=4,p=1$dEtSVnJWTTdjUmJWVnNwZA$ZQ0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 
Account Creation (regdate): March 20, 2024 (Unix: 1710971649) 
Last Active (lastactive): April 6, 2025 (Unix: 1743927559)

Sancaktim:

The users table in the Sancaktim dump revealed the following artifacts:

{
  "uid": "58",
  "username": "RooTBoY",
  "password": "6c9b9xxxxxxxxxxxx",
  "salt": "jpkQmbnW",
  "loginkey": "CiSU86PCBZZxxxxxxxxxxxxxxxxxs",
  "email": "r.boy@xxx.de",
  "postnum": "2",
  "threadnum": "2",
  "usergroup": "2",
  "regdate": "1482182006",
  "lastactive": "1482445691",
  "lastvisit": "1482445691",
  "lastpost": "1482182367",
  "birthday": "17-6-1991",
  "birthdayprivacy": "all",
  "allownotices": "1",
  "receivepms": "1",
  "pmnotice": "1",
  "buddyrequestspm": "1",
  "threadmode": "linear",
  "showimages": "1",
  "showvideos": "1",
  "showsigs": "1",
  "showavatars": "1",
  "showquickreply": "1",
  "showredirect": "1",
  "timezone": "2",
  "dstcorrection": "2",
  "pmfolders": "1**Gelen Kutusu$%%$2**Gönderilen Mesajlar$%%$3**Taslaklar$%%$4**Çöp Kutusu",
  "referrals": "2",
  "regip": "Q\tµ",
  "lastip": "¹PÜ)",
  "timeonline": "856",
  "showcodebuttons": "1",
  "usernotes": "1"
}

The data from the BFV5 leak contained usernames and Argon2 password hashes (a very secure hashing algorithm), so for the purposes of this article I focused on the email address as the obvious next step. I later tracked down the Sancaktim leak, pulled some useful metadata from it (seen above) and confirmed that Rootboy was using the same gmx.de email address.

Using free tools, I was able to link the email address from the leaked data to a Gravatar account:

https://gravatar.com/namelesstr

This account gives us another username to work with.

Using a popular open-source username enumeration tool, I found multiple online accounts operating under the same username.

This does not by itself indicate that all of these accounts are operated by the same person; however, it serves as a lead on what to look at next and corroborates what I had already found.

[+] Gravatar: http://en.gravatar.com/namelesstr
[+] HackerOne: https://hackerone.com/namelesstr

The HackerOne profile stood out and follows the same pattern as the Gravatar profile, which I know is linked to the email address I found in the breach data. However, no reports were filed under this account and it appeared to be a rabbit hole, so I went back to email enumeration and discovered that the email address appears to be registered on x.com and Office 365, among others. I verified this by going to each of the services mentioned and performing email validation via the password reset functionality on each site; this forces the site to look in its database and confirm that the email address I specified does indeed exist.

Other systems where Rootboy has registered:

  • cracked.at — popular hacking forum
  • gofile.io — commonly used by threat actors to host stolen information
  • steam (steampowered.com) — needs more active probing
  • office365 (checked by using adjacent login.live.com portal)
  • x.com (checked using the x.com account recovery functionality)

Other interesting artifacts include a possible VK account; however, I was unable to verify that it belongs to r.boy@xxx.de, so I will not include it in this post.

Hitting a brick wall

Traditional username and email enumeration had run its course, so I decided to take a closer look at the Sancaktim leak to gain more insight.

Since the mybb_users table tells us that r.boy@xxx.de is associated with user id 58, I searched for the posts made by that user id.

I observed the following posts made by the account. The first post is just a greeting and yields no useful leads, but the second post seemed interesting.

This data was formatted into JSON using an LLM to make it easier to read; however, I double-checked it against the raw SQL and confirmed that the data is accurate.
[
  {
    "pid": "169",
    "tid": "45",
    "replyto": "0",
    "fid": "6",
    "subject": "RooTBoY was here!",
    "icon": "0",
    "uid": "58",
    "username": "RooTBoY",
    "dateline": "1482182059",
    "message": "Selamün aleyküm. Hayırlı olsun ve başarılar.",
    "ipaddress": "Q\tµ",
    "includesig": "0",
    "smilieoff": "0",
    "edituid": "0",
    "edittime": "0",
    "editreason": "",
    "visible": "1",
    "tyl_pnumtyls": "0"
  },
  {
    "pid": "173",
    "tid": "47",
    "replyto": "0",
    "fid": "3",
    "subject": "Sancak.Team Yayında!",
    "icon": "0",
    "uid": "58",
    "username": "RooTBoY",
    "dateline": "1482182367",
    "message": "[color=#7e7e7e][font=Lato, Tahoma, Verdana, Arial, sans-serif]Türk hack alemine yeni bir hack sitesi katıldı.[/font][/color]\n[url=http://hacknewsgo.com/sancak-team-yayinda/]devamı...[/url]",
    "ipaddress": "Q\tµ",
    "includesig": "0",
    "smilieoff": "0",
    "edituid": "58",
    "edittime": "1482182650",
    "editreason": "",
    "visible": "1",
    "tyl_pnumtyls": "0"
  }
]

I used an LLM to translate the message in the second post and realised it was promoting a site called hacknewsgo.com. I decided to look deeper into this, as it appears to be the last post Rootboy made on the Sancaktim forum. Correlating the Unix timestamps of the two posts, I realised they were made in short succession. I then looked at when the account was created, using the data observed earlier in the users table, and found that the whole timeline, from account creation to final post, was condensed into a couple of minutes. This is interesting because it suggests the account was created specifically to promote the hacknewsgo.com site, raising the possibility of a deeper affiliation between the author of the post and the now-defunct blog.

This is what the original post said:

Note: an LLM was used for translation here.

"[Font settings] A new hack site has joined the Turkish hack community. Continue reading here..."
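As an added worked example (not part of the original post), the timestamp correlation described above, carried out on the regdate, dateline and edittime values quoted on this page; the records are constructed inline from those values and the output is rendered in UTC:

```python
from datetime import datetime, timezone

# Constructed from the values quoted on this page: the mybb_users row for uid 58 and
# its two mybb_posts rows from the Sancaktim dump. Values are strings because that is
# how the SQL dump exports them.
USER = {"uid": "58", "username": "RooTBoY", "regdate": "1482182006",
        "lastactive": "1482445691", "lastpost": "1482182367"}
POSTS = [
    {"pid": "169", "subject": "RooTBoY was here!", "dateline": "1482182059",
     "edittime": "0"},
    {"pid": "173", "subject": "Sancak.Team Yayında!", "dateline": "1482182367",
     "edittime": "1482182650"},
]


def build_timeline(user, posts):
    """Return (label, unix_ts) events sorted by time, starting at registration."""
    events = [("registered", int(user["regdate"]))]
    for p in posts:
        events.append((f"post pid={p['pid']}", int(p["dateline"])))
        if int(p["edittime"]) > 0:  # MyBB stores 0 when a post was never edited
            events.append((f"edit pid={p['pid']}", int(p["edittime"])))
    events.append(("last active", int(user["lastactive"])))
    return sorted(events, key=lambda e: e[1])


def offsets_from_registration(user, posts):
    """Seconds between registration and each later event, keyed by event label."""
    timeline = build_timeline(user, posts)
    reg = timeline[0][1]
    return {label: ts - reg for label, ts in timeline[1:]}


def activity_window_seconds(user, posts):
    """Span from registration to the last post or post edit on the account."""
    offs = offsets_from_registration(user, posts)
    return max(v for k, v in offs.items() if k.startswith(("post", "edit")))


def utc(ts):
    """Render a Unix timestamp as a human-readable UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    reg = int(USER["regdate"])
    for label, ts in build_timeline(USER, POSTS):
        print(f"{utc(ts)}  +{ts - reg:>6}s  {label}")
    print(f"registration-to-last-edit window: {activity_window_seconds(USER, POSTS)} s")
```

Each event is printed with its offset from registration, which is what makes the condensed creation-to-post window visible at a glance.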

Hacknewsgo.com

Looking at the site, it appeared to be a now-defunct news site/blog covering various topics relating to the Turkish hacking scene.

I ran the following command against the earliest version of the site on archive.org to try to determine authorship via the archived RSS feed endpoint:

curl -s "https://web.archive.org/web/20160904131036text_/http://hacknewsgo.com/feed/" | grep -E "(<dc:creator>|<author>|<wp:author_login>)" | sort -u

The following information was returned:

<dc:creator><![CDATA[RooT AhmeT]]></dc:creator>

Having obtained an alias that includes what appears to be a first name, written in a style similar to the Rootboy username I observed in the Sancaktim and BFV5 breaches, I decided to see whether I could get a full name by searching across all archived endpoints with the following command:

curl -s "http://web.archive.org/cdx/search/cdx?url=hacknewsgo.com/*&output=json&collapse=urlkey" | jq .

I got back a massive list to sift through; however, the following endpoint stood out:

[
  "com,hacknewsgo)/author/ahmet-nacar",
  "20161205214007",
  "http://hacknewsgo.com:80/author/ahmet-nacar/",
  "text/html",
  "200",
  "XTTAGDODVEJX2DB63W6INRQMIONT4OXS",
  "8354"
]

Why does this matter?

By default, WordPress automatically builds an internal directory structure to archive the posts written by a specific user, structured as /author/[username]/, where the slug is derived from the account's login name. So even if a user changes their display name to something different (in this case RooT AhmeT), the underlying user handle that the system relies on still leaks, giving us a full name with a semi-clean mapping from the RooTBoY user handle, via the RooT AhmeT display name, to a full author alias, Ahmet Nacar. This full name needs further investigation and corroboration before one could confidently say that Rootboy and Ahmet Nacar are the same person; however, the connection offers at least one lead. I have decided to stop here because any further investigation could be misunderstood as doxing, which is not the intention of this post. That said, we can see that it is possible to piece together a fairly comprehensive picture of a threat actor's historic behaviour based on some clever archive.org enumeration techniques and historic breach data.

Conclusion

As seen in this post, it is possible to gather subpoena-worthy information using some strategically acquired breach data and some off-the-shelf open-source tools. This post personally taught me that there are red lines to be drawn with regard to using passive means only, so as not to pollute the active, ongoing law enforcement investigation. That said, we can still build a comprehensive pattern of life for the threat actor in terms of which services they use, along with potential historic opsec failures.