Key Identifiers

Service domains
hardstresser.st, hardstresser.org, hardstresser.com (panel: /panel/login.php)
Operator handle
@bl4ckhatx (Telegram ID 954683181) / GitHub: PolatBey
Location
Istanbul, Turkey (confirmed via Turkish-language Telegram activity, Paribu exchange usage)
Active since
At least April 2020 (earliest captured message); operator claims ~10 years; GitHub exploit repo from WordPress RevSlider era (2014-2016)
Botnet type
ADB (Android Debug Bridge, port 5555) - Aisuru family; ~1,500 compromised Android devices
Attack signature
Exactly 100 residential source IPs per attack run - confirmed via Wireshark, not packet spoofing
Free tier
~5 Gbps, available to any registered account, zero vetting
BTC address (current)
bc1qkr5fm4vqzrk6vm6cfal00gx993mtehka2nc6zy
BTC address (2020 era)
3LpCMcQvfQtt3LKqh9g1JMCxcsGTcewhWn
Withdrawal address
bc1qmc4etzlhu9fcn4ug8jvxp9upej7jue9umrydhg (likely Paribu exchange)
Infrastructure IP
176.96.136.232 (hacklink.space, bulletproof - DataForest)
Registrar
NiceNIC - maintains service despite abuse reports, fake WHOIS on all domains
SEO spam host (example)
statistics.du.ac.in - Delhi University Department of Statistics (hacked)
Forum (archived)
blackhatz.net (Wayback: Sep 2022), vag.ee

Take 1 - A decade of open operation, zero consequences

hardstresser.st is not a new service and its operator is not hiding. The Telegram dump attached to this article begins on April 7, 2020 with the message "kardesim hardstresser.com" (Turkish: "brother, hardstresser.com") - and goes back further if earlier messages exist outside the captured window. The operator has told customers the service has been running for approximately ten years, which would place its origin around 2014-2016, consistent with a GitHub exploit repository from that era (see below).

Throughout a decade of operation the operator has used a single consistent handle - @bl4ckhatx on Telegram - and the same branding across every platform. The Telegram channel "Hard Stresser / Booter / DDOS SERVICES / IP STRESSER / BOTNET" (channel ID 1167664963) has accumulated thousands of messages from customers, all archived and attached to this article. The channel has never been taken down. The service has never been seized. The operator has never been arrested.

GitHub under the real-name handle PolatBey

The same operator maintains a GitHub account under the handle PolatBey - a Turkish name/title combination ("Polat Bey") that suggests a real first name. The repository PolatBey/Wordpress-Revslider-upload-shell is a shell uploader exploiting the WordPress RevSlider plugin file upload vulnerability (widely exploited 2014-2016). This repository connects the @bl4ckhatx Telegram handle to a real-name-adjacent GitHub account and places the operator's hacking activity at least as far back as the WordPress RevSlider mass exploitation wave.

Forum history: blackhatz.net and vag.ee

The operator ran and promoted a hacker forum at blackhatz.net - archived by the Wayback Machine as recently as September 2022. The channel messages from October 2022 advertise both hardstresser.com and the forum at the same time. The operator was also registered on vag.ee, a cybercrime-adjacent forum, further establishing a decade-long footprint in the underground ecosystem.

The domain history across all these properties shows consistent reuse of the same infrastructure IP block, the same NiceNIC registrar, and the same fake WHOIS patterns.

Personal profile

Based on direct conversations with the operator: approximately 30-35 years old, has a wife and several children. Whether this is true or not, ten years of consistent criminal service operation is itself consistent with someone running an established, professionally managed business rather than a teenager's side project.

"im owner not a user"

@bl4ckhatx - 30 August 2024, directly addressing a question about whether he was a reseller

"Payment Method only crypto coin, and just Admin is @bl4ckhatx"

Channel announcement - 16 June 2023

Take 2 - The attacks are real. Exactly 100 residential IPs, confirmed.

Many booter/stresser services are scams: they accept payment and produce either no traffic or trivially-blocked datacenter traffic that no serious target notices. hardstresser.st is not one of those. We conducted test runs and captured the traffic. The results are unambiguous.

What the Wireshark capture shows

Every attack run from hardstresser.st produces exactly 100 distinct source IP addresses. Not approximately 100 - precisely 100, every time, with zero overlap between runs. This is not a coincidence and it is not packet spoofing.

Spoofed UDP floods typically come from either randomized source IPs (millions of addresses) or a small number of controlled servers. A fixed count of exactly 100 residential addresses per run is the signature of a botnet controller that deliberately slices out a 100-device batch per job - almost certainly to avoid burning the entire botnet on a single customer attack and to stay under per-source-IP traffic thresholds that would trigger ISP-level filtering.

The source addresses resolve to consumer residential ISPs across multiple countries. They are not datacenter ranges. They are not cloud VPS providers. They are real Android devices with residential connections that have been compromised by the Aisuru malware family via open ADB port 5555.

Wireshark capture of hardstresser.st UDP flood: exactly 100 distinct residential source IPs
Wireshark capture of a hardstresser.st test run. UDP datagrams from exactly 100 distinct source IPs, all resolving to residential ISPs. Destination column redacted. The fixed count of 100 per run is a definitive ADB botnet signature.
hardstresser.st web attack panel showing active session
The hardstresser.st attack control panel with an active session. Host column redacted. The panel shows real-time attack status, method selection (UDP, TCP, Layer 7), and duration control.

The ADB/Aisuru botnet mechanism

ADB (Android Debug Bridge) is a debugging interface built into every Android device. When port 5555/tcp is left open and exposed to the internet - common on Android TV boxes and budget smartphones with misconfigured firmware - the device can be fully controlled remotely with no authentication. The Aisuru botnet family automates mass scanning for open ADB ports and installs a persistent DDoS agent on each compromised device.

The operator confirmed integrating an ADB/Aisuru botnet into the paid tier in February 2024 and announced reaching 1,500 compromised devices ("zombies") by July 2024. The botnet generates legitimate-looking traffic from real residential ISP addresses - making it effective against targets that rely on IP reputation or ASN-based filtering.

Related botnets and malware families: Aisuru, Mirai variants targeting ADB, IPStorm, and the broader class of Android-targeting DDoS implants exploiting open port 5555.

"1500 Zombies now"

@bl4ckhatx - 28 July 2024

"botnet added to premium networks!"

@bl4ckhatx - 12 February 2024

The free tier: anyone can attack anyone for ~5 Gbps

This is the detail that makes hardstresser.st particularly dangerous: the free tier requires no payment and no vetting. Any registered account can immediately launch attacks delivering approximately 5 Gbps against any public IP address. The only barrier is account registration.

The API is explicitly open to all registered users, as the operator confirmed in August 2024. This means anyone with a grudge, a competitor, or a target can access real attack capacity with no friction and no money. The paid tiers simply offer more power, longer duration, and bypass capabilities for hardened targets.

"Free api is work but the api is open the all registered client."

@bl4ckhatx - 30 August 2024

Take 3 - Hacked government and university sites used for SEO advertising

Running a DDoS service is one crime. The operator has layered on a second one: systematically compromising government, university, and other high-authority websites and injecting backlink spam that advertises the hardstresser network, boosting its search engine rankings through hacked legitimate infrastructure.

statistics.du.ac.in - Delhi University compromised, proof

The Department of Statistics at Delhi University (statistics.du.ac.in, Apache on Google Cloud IP 34.93.79.249) has had two key files silently replaced. Both files now point to the stresser mirror network. Verified July 16, 2026:

$ curl https://statistics.du.ac.in/robots.txt
HTTP 200 | Server: Apache | IP: 34.93.79.249

User-agent: *
Allow: /
Disallow: /admin/

Sitemap: https://ipstresserr.site/sitemap.xml    <-- injected
$ curl https://statistics.du.ac.in/sitemap.xml
HTTP 200

<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url>
    <loc>https://ipstresserr.site/</loc>           <-- replaced content
    <lastmod>2026-07-16</lastmod>
    <changefreq>daily</changefreq>
    <priority>1.0</priority>
  </url>
</urlset>

Both robots.txt and sitemap.xml were replaced. A legitimate university statistics department has no reason to declare a Sitemap pointing to an IP stresser mirror, or to replace its entire sitemap with a single entry for an unrelated commercial domain. The modified sitemap instructs search engine crawlers to treat ipstresserr.site as a top-priority page associated with the university's academic domain - a direct SEO authority transfer from an .ac.in academic domain to a criminal service.

The university site runs Apache on Google Cloud (not WordPress), so the access vector was not the RevSlider plugin. The compromise was likely through credential theft, a server-side vulnerability in the custom CMS/admin interface visible at /admin/, or a compromised hosting account.

Mirror network: ipstresserr.site - same server as hardstresser.st

The stresser mirror ipstresserr.site and the main domain hardstresser.st both resolve to the same IP address, confirming shared backend infrastructure:

$ nslookup hardstresser.st
Name:    hardstresser.st
Address: 216.150.1.1

$ nslookup ipstresserr.site
Name:    ipstresserr.site
Address: 216.150.1.1        <-- identical

The mirror network extends across multiple domains with similarly varied names (ipstresserr.site is one confirmed example). All carry fake WHOIS registrations through NiceNIC. Several mirrors were placed on hacked hosting accounts, including the Delhi University case above. The mirrors serve two purposes: redundancy if a domain gets seized, and additional SEO surface area distributed across different domain registrations.

hacklink.space - infrastructure hub on DataForest, Frankfurt

hacklink.space resolves to 176.96.136.232, confirmed as AS58212 dataforest GmbH, Frankfurt, Germany - a bulletproof hosting provider that accepts and retains criminal infrastructure tenants. DNS verified July 16, 2026:

$ nslookup hacklink.space
Name:    hacklink.space
Address: 176.96.136.232

$ curl https://ipinfo.io/176.96.136.232
{
  "ip": "176.96.136.232",
  "city": "Frankfurt am Main",
  "region": "Hesse",
  "country": "DE",
  "org": "AS58212 dataforest GmbH"
}

The HTTPS endpoint at hacklink.space is live but presents an invalid or self-signed TLS certificate (curl exits with code 60, SSL verification failure), a common pattern for operator-controlled infrastructure panels not intended for public browsers. The domain resolving to DataForest GmbH's ASN is significant: DataForest is a well-documented bulletproof provider that maintains hosting for abuse-reported tenants, ignores takedown requests, and is regularly cited in threat intelligence reports as infrastructure for botnets, stressers, and malware C2.

livec.site - the customer chat widget

livec.site is the live chat widget embedded on hardstresser.st for customer support. It resolves exclusively through the hardstresser.st infrastructure (no other known deployments), and the operator responds to support chats rapidly - indicating either a dedicated support operation or a solo operator who monitors the chat constantly. The chat tool is used to close upgrade sales, handle refund requests, and negotiate custom attack packages.

Follow the money: three BTC addresses, Paribu connection

The operator's payment history spans three Bitcoin addresses across approximately six years of operation, providing a partial financial trail:

Bitcoin Address History

2020 (legacy)
3LpCMcQvfQtt3LKqh9g1JMCxcsGTcewhWn - used in the channel from at least October 2020, legacy P2PKH format
Current receive
bc1qkr5fm4vqzrk6vm6cfal00gx993mtehka2nc6zy - displayed on the hardstresser.st payment page; 3 incoming transactions recorded on July 15, 2026
Withdrawal address
bc1qmc4etzlhu9fcn4ug8jvxp9upej7jue9umrydhg - identified as the operator's outbound exchange wallet; likely Paribu (Turkey's largest crypto exchange, consistently referenced in the operator's Turkish-language activity)

The service is generating active revenue. Three incoming transfers to the current receive address were recorded on July 15, 2026 alone. The withdrawal address routing through what appears to be Paribu - Turkey's largest domestic cryptocurrency exchange - is consistent with the operator's participation in Turkish-language Paribu discussion groups and provides a potential KYC trace: Turkish exchanges are subject to MASAK (Turkey's financial intelligence unit) reporting requirements.

The automated blockchain payment system, introduced in 2024, means funds are processed and credited to customer accounts without the operator manually handling each transaction. This infrastructure investment is not consistent with a casual operation.

"Blockchain payment system fixed!"

@bl4ckhatx - 31 July 2025, after an outage

"Payment system is work automaticly and all membership attack power is the different."

@bl4ckhatx - 29 April 2024
hardstresser.st payment page with BTC address bc1qkr5fm4vqzrk6vm6cfal00gx993mtehka2nc6zy
The hardstresser.st BTC payment page. The receive address is unredacted as it is an instrument of criminal activity. The payment page is live and accepting transactions.

Operator in his own words (selected quotes)

The following are verbatim from the public Telegram channel dump attached to this article. The full export contains thousands of messages spanning 2020-2025.

"pay to destroy :)."

@bl4ckhatx - 17 July 2021, to a prospective customer

"YouTube down :)."

@bl4ckhatx - 26 February 2021 (likely referring to a test run or a local routing disruption, not a literal YouTube takedown)

"down all cloudflare web sites."

@bl4ckhatx - 27 May 2021, advertising Cloudflare bypass capability at the $250 tier

"hardstresser.com still is live."

@bl4ckhatx - 24 July 2024, confirming the .com domain remained active alongside the .st variant

"No, sorry cant attack the for test. I can give guarantee of money. if not work you can get refund the btc amount."

@bl4ckhatx - 16 December 2021, declining a free demo while offering a money-back guarantee

"Yes is enough for phone" / "65 gb is better than 50gb"

@bl4ckhatx - 18 December 2021, discussing attack bandwidth options with a customer

"if you want uam down min 250usd"

@bl4ckhatx - 15 April 2021, quoting price for bypassing Cloudflare Under Attack Mode

"I just btc accept"

@bl4ckhatx - 11 November 2020, consistent Bitcoin-only policy since the earliest captured messages

"Нет, но я могу говорить по-русски. Отправьте мне личное сообщение, даваите обсудим детали"

@bl4ckhatx - 14 August 2024, offering to negotiate in Russian ("No, but I can speak Russian. Send me a private message, let's discuss the details")

The enabling ecosystem: NiceNIC and DataForest

NiceNIC is the registrar of record for the hardstresser domain family. The WHOIS records are demonstrably fabricated - a direct violation of ICANN RAA Section 3.3.1. Here is the actual hardstresser.st WHOIS record (retrieved July 16, 2026):

Registrar:            NiceNIC
Registrar WHOIS:      whois.nicenic.net
Name Server:          alpha.alexhost.com
Name Server:          beta.alexhost.com
Status:               clientDeleteProhibited, clientTransferProhibited
Created:              2026-04-19 06:33:29
Updated:              2026-07-15 21:07:02

registrant-organization: hardstresser          <-- the service name, not a real org
registrant-name:         hard stres            <-- not a real person
registrant-street:       new york
registrant-city:         new york
registrant-state:        NW                    <-- "NW" is not a US state code (NY = New York)
registrant-zip:          10011
registrant-country:      US
registrant-phone:        +1.1234567235435      <-- 12 digits; US numbers have 10
registrant-email:        [redacted]@proton.me

Every field is fabricated. The "state" field reads "NW" - a nonexistent US state abbreviation (New York is "NY"). The phone number has 12 digits in the subscriber portion; US NANP numbers have exactly 10. The organization and name fields use the service name itself. The registrar NiceNIC (Hong Kong) and nameservers at AlexHost (Luxembourg) are both popular choices for operators who need registrars that process abuse reports slowly. NiceNIC has maintained this registration and the broader hardstresser domain portfolio throughout the service's active criminal operation.

DataForest (AS58212 dataforest GmbH, Frankfurt) hosts hacklink.space and associated mirror infrastructure on 176.96.136.232. It is a bulletproof provider that maintains hosting for tenants through abuse complaints and law enforcement contact with upstream providers. Bulletproof hosting is what makes stresser economics viable: the operator can keep backend infrastructure stable even as frontend domains rotate.

Documented entity map

Infrastructure Entities

hardstresser.st
Primary service domain (current). VirusTotal: flagged for malware/phishing by multiple engines. Fake WHOIS via NiceNIC.
hardstresser.org
Active mirror, heavily promoted in 2025. Same backend as .st. Fake WHOIS via NiceNIC.
hardstresser.com
Original domain; panel at /panel/login.php. Still active as of July 2024 per operator. Fake WHOIS via NiceNIC.
ipstresserr.site
Mirror site - same server as hardstresser.st (216.150.1.1, confirmed). robots.txt and sitemap.xml at statistics.du.ac.in both point to this domain.
hacklink.space
Infrastructure hub on 176.96.136.232 = AS58212 dataforest GmbH, Frankfurt. DNS confirmed, TLS active (self-signed cert).
livec.site
Live customer chat widget embedded exclusively on hardstresser.st. Rapid operator response.
blackhatz.net
Operator's hacker forum, archived Sep 2022. Promoted alongside hardstresser.com in Oct 2022.
176.96.136.232
DataForest bulletproof server. Hosts hacklink.space and mirror stresser network.
statistics.du.ac.in
Delhi University Dept. of Statistics (Apache / 34.93.79.249) - robots.txt and sitemap.xml both replaced to point to ipstresserr.site. Verified July 16, 2026.

Timeline

Documented Activity

~2014-2016
GitHub account PolatBey publishes WordPress RevSlider shell upload exploit - earliest confirmed hacking activity
Apr 2020
Earliest captured Telegram message (hardstresser.com already operational, Bitcoin-only payments)
Oct 2020
Legacy BTC address 3LpCMcQvfQtt3LKqh9g1JMCxcsGTcewhWn posted publicly in channel
2021-2022
Active customer support; manual account upgrades; refund guarantees; blackhatz.net forum promoted
Sep 2022
blackhatz.net archived by Wayback Machine - last known snapshot
Feb 2024
ADB/Aisuru botnet integrated into premium tiers
Apr 2024
Automated blockchain payment system confirmed active
Jul 2024
Botnet at 1,500 devices; 20% promotional discount; hardstresser.com and .st both live
Aug 2024
"im owner not a user"; free API confirmed open to all registered users; Russian-language support offered
2025
hardstresser.org heavily promoted; blockchain payment restored after outage (Jul 2025)
Jul 2026
All services active; 3 incoming BTC transactions on Jul 15; hacklink.space HTTPS handshake confirmed; this report published

How to report

This is a cross-jurisdictional criminal operation. Key contact points:

  • Turkish authorities (primary jurisdiction): USOM (National Cyber Incident Response Center) - usom.gov.tr; MASAK (Financial Crimes Investigation Board) for Paribu KYC/financial trail
  • US victims: FBI IC3 - ic3.gov; DOJ CCIPS for Operation PowerOFF-style coordination
  • UK victims: NCSC - report.ncsc.gov.uk
  • EU victims: Via national CERTs or Europol - europol.europa.eu/report-a-crime
  • NiceNIC registrar abuse: nicenic.net - ICANN RAA Section 3.3.1 violation (false WHOIS)
  • DataForest hosting abuse: Reference IP 176.96.136.232 and hacklink.space
  • Paribu (Paribu Kripto Para Borsas): Turkish MASAK-regulated exchange - report the withdrawal address bc1qmc4etzlhu9fcn4ug8jvxp9upej7jue9umrydhg as connected to DDoS-for-hire proceeds

Key references when filing: operator Telegram handle @bl4ckhatx, GitHub PolatBey, channel ID 1167664963, receive BTC bc1qkr5fm4vqzrk6vm6cfal00gx993mtehka2nc6zy, withdrawal BTC bc1qmc4etzlhu9fcn4ug8jvxp9upej7jue9umrydhg. The attached Telegram dump provides timestamped primary evidence.

Informational only. Published under the editorial mission to document cybercriminal infrastructure. Victim identifiers in evidence screenshots have been redacted. Bitcoin addresses, Telegram handles, and GitHub accounts are published as they are instruments or identifiers of documented criminal activity, not personal data in the privacy-law sense.