DEV Community

Tyler Johnston-Kent

Shadow Money Gang – Ireland Division? More Like Sunday School Copy-Paste Gang: How a Lazy Botnet Failed to Breach Formant.ca

Introduction – How “Shadow Money Gang – Ireland Division” Became a Thing
Back in April and May, I migrated my entire web system architecture to Firebase, partly to unify my games and backend, and partly to learn cloud networking and database features. At the same time, I was looking into passive bot defense, and ended up deploying a hybrid stack: Cloudflare firewalling in front, Firebase hosting in back.

At first, I just noticed some odd HTTP traffic patterns on Cloudflare. Then I spotted discrepancies between Cloudflare logs and Google Analytics 4 reports. Since GA4 runs in JavaScript, the obvious question was: how were these visitors evading that tracker?
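What that reconciliation looks like when done against the edge log instead of by eyeballing two dashboards, as an added example that is not code from the original post. It assumes the site serves a hypothetical first-party beacon endpoint (/_/beacon) from its own JavaScript, so the beacon request lands in the same Cloudflare log as the page request; GA4's own hits go to Google's collectors and never pass through your edge, which is exactly why the two reports disagree. The log lines are constructed, with RFC 5737 documentation addresses, in a Logpush-like JSON-lines shape.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample edge log (not real traffic). "/_/beacon" is a hypothetical
# first-party endpoint that the site's own JavaScript calls on page load; a
# client that never executes JavaScript never requests it.
SAMPLE_LOG = """\
{"ClientIP":"203.0.113.10","ClientRequestPath":"/","ClientRequestUserAgent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0","EdgeStartTimestamp":"2025-06-03T04:00:00Z","EdgeResponseStatus":200}
{"ClientIP":"203.0.113.10","ClientRequestPath":"/_/beacon","ClientRequestUserAgent":"Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0","EdgeStartTimestamp":"2025-06-03T04:00:02Z","EdgeResponseStatus":204}
{"ClientIP":"198.51.100.7","ClientRequestPath":"/","ClientRequestUserAgent":"python-requests/2.31","EdgeStartTimestamp":"2025-06-03T04:00:00Z","EdgeResponseStatus":200}
{"ClientIP":"198.51.100.7","ClientRequestPath":"/.env","ClientRequestUserAgent":"python-requests/2.31","EdgeStartTimestamp":"2025-06-03T04:00:01Z","EdgeResponseStatus":403}
{"ClientIP":"192.0.2.55","ClientRequestPath":"/index.html","ClientRequestUserAgent":"Mozilla/5.0 HeadlessChrome/124.0","EdgeStartTimestamp":"2025-06-03T05:00:00Z","EdgeResponseStatus":200}
{"ClientIP":"192.0.2.55","ClientRequestPath":"/_/beacon","ClientRequestUserAgent":"Mozilla/5.0 HeadlessChrome/124.0","EdgeStartTimestamp":"2025-06-03T05:00:01Z","EdgeResponseStatus":204}
"""

BEACON_PATH = "/_/beacon"  # assumed first-party beacon path


def parse_log(text: str) -> list:
    """Parse JSON-lines edge log into dicts, adding a tz-aware 'ts' datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # RFC 3339 with a trailing Z; fromisoformat wants an explicit offset.
        rec["ts"] = datetime.fromisoformat(rec["EdgeStartTimestamp"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def is_pageview(rec: dict) -> bool:
    """A successful fetch of an HTML document, i.e. a request that should run the beacon JS."""
    path = rec["ClientRequestPath"]
    return rec["EdgeResponseStatus"] == 200 and (path == "/" or path.endswith(".html"))


def find_silent_clients(records: list, beacon_path: str = BEACON_PATH,
                        window: timedelta = timedelta(seconds=30)) -> dict:
    """Clients that fetched HTML but never fired the JS beacon within `window` afterwards.

    Returns {ip: {"pageviews": n, "silent": m, "user_agents": [...]}} only for m > 0.
    """
    by_ip = defaultdict(lambda: {"pages": [], "beacons": [], "uas": set()})
    for rec in records:
        bucket = by_ip[rec["ClientIP"]]
        bucket["uas"].add(rec["ClientRequestUserAgent"])
        if rec["ClientRequestPath"] == beacon_path:
            bucket["beacons"].append(rec["ts"])
        elif is_pageview(rec):
            bucket["pages"].append(rec["ts"])

    silent_clients = {}
    for ip, b in by_ip.items():
        if not b["pages"]:
            continue  # never loaded a page, nothing to reconcile
        silent = sum(
            1 for t in b["pages"]
            if not any(t <= bt <= t + window for bt in b["beacons"])
        )
        if silent:
            silent_clients[ip] = {
                "pageviews": len(b["pages"]),
                "silent": silent,
                "user_agents": sorted(b["uas"]),
            }
    return silent_clients


if __name__ == "__main__":
    for ip, info in find_silent_clients(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The check only catches clients that never execute JavaScript at all (the python-requests client above). A headless browser that runs the page scripts fires the beacon like a real visitor, so the HeadlessChrome client is not flagged; that is the traffic a JS challenge and a honeypot have to deal with.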

That curiosity turned into a honeynet experiment. I set up a short HTML redirection chain for headless traffic, funneling it into what became my “king of the hill” honeytrap. And, much like Thor describing the Tesseract in the Marvel movies, once I “activated” it, it was like sending a signal to the universe that my little website was ready for a higher form of war. The probes started arriving daily.

Costs went from negligible to… still negligible, honestly — maybe five cents to 48 cents a day in Google Cloud billings. But the persistence was suspicious. By June, I had implemented direct Firebase tracking events and started posting about the experiment on LinkedIn, dev.to, and Bluesky.

That’s when a specific flavor of attack appeared: small, lazy, automated spam payloads originating from an Irish Azure data center. Whoever was behind it called themselves “Shadow Money Gang – Ireland Division.”

Their opening move? Spoofed “event logs” labeled as “impregnations,” followed by targeted jabs at my mailing list. Their probing escalated in stages — starting with juvenile test strings (“8====D”) in June — then testing my duplication checks, error traps, and input sanitization. By August, I woke up to a coordinated payload that cost me all of $3 Canadian.

These weren’t million-dollar DDoS waves. They were penny-cost scare attempts. And the more I dug in, the more it became clear: I wasn’t dealing with elite cyber mercenaries. I was dealing with kids. Or one kid. Or maybe one really lazy old guy armed with a “how to hack for dummies” pamphlet.

Their pièce de résistance? An “obfuscated” spam injector that I reverse engineered, expecting to find some clever encoded payload — only to discover it was just strings of Bible verses. Full citations, numbers and all. No hex, no ciphers. Just raw Sunday school copy-paste.

Part Two – Why It Failed Before It Started
By the time “Shadow Money Gang – Ireland Division” really started leaning into their script, my defenses weren’t just up — they were layered like an onion dipped in Kevlar.

Cloudflare’s firewall rules were filtering for known exploit paths, blocking Tor on sight, and serving up JS challenges to anything that even sniffed like a bot. On top of that, I had Firebase logging every anomaly in real time, plus a honeypot that quietly fingerprinted any client dumb enough to take the bait.

And they took the bait. Every. Single. Time.

Their script wasn’t adaptive — it was on rails. The same malformed requests came in on a fixed rotation, hitting my honeypots at the same minute marks like clockwork. They didn’t even bother randomizing their intervals or payload order. That’s how I ended up with a timeline of their “operation” down to the second, like a bus schedule for script kiddies.

The “Obfuscation” That Wasn’t
When I pulled apart their so-called obfuscated injector, I was expecting at least some base64 or a chunk of minified JavaScript with hidden eval calls. Instead, it was exactly what it looked like at first glance — plaintext Bible verses, complete with chapter and verse numbers, pasted straight into the injection fields.

Not metaphorical verses. Not allegories. Literal “John 3:16”-style spam, sitting there like it had been cut-and-pasted from a church bulletin. I couldn’t decide if this was some misguided phishing campaign, a theological protest against my web architecture, or just a bizarre copy-paste error.
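A quick triage of a suspect injection string, as an added example rather than anything from the original post: decode it if it is base64, compute its Shannon entropy, and look for chapter:verse citations. The sample payloads are constructed, and the thresholds (a 16-character minimum before a string is treated as base64, 5.0 bits per character for "high entropy") are assumptions to tune on your own data.

```python
import base64
import math
import re
from collections import Counter
from typing import Optional

# Constructed sample payloads (not the attacker's actual strings).
SAMPLES = {
    "verse": "John 3:16 For God so loved the world, that he gave his only begotten Son",
    "base64": base64.b64encode(b"alert(document.cookie)").decode(),
    "noise": "Qz7!kP9#mL2@vR4$nT6%bW8^xY1&cD3*fG5(hJ0)",
}

_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
# Book name (optionally numbered, e.g. "1 John"), chapter:verse, optional verse range.
_CITATION_RE = re.compile(r"\b(?:[1-3] ?)?[A-Z][a-z]+\.? \d{1,3}:\d{1,3}(?:-\d{1,3})?\b")


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for one repeated symbol, roughly 4 to 4.5 for English prose."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def decode_if_base64(s: str, min_len: int = 16) -> Optional[str]:
    """Return the decoded text if `s` is a plausible base64 blob, else None.

    The length floor (assumed) keeps short words like "Genesis1" from being
    mistaken for base64 just because they happen to be alphanumeric.
    """
    if len(s) < min_len or len(s) % 4 != 0 or not _B64_RE.fullmatch(s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def scripture_citations(s: str) -> list:
    return _CITATION_RE.findall(s)


def triage(payload: str, entropy_threshold: float = 5.0) -> dict:
    """Classify a payload as base64, plaintext with scripture citations, high-entropy, or plaintext."""
    decoded = decode_if_base64(payload)
    citations = scripture_citations(payload)
    entropy = shannon_entropy(payload)
    if decoded is not None:
        verdict = "base64"
    elif citations:
        verdict = "plaintext-scripture"
    elif entropy >= entropy_threshold:
        verdict = "high-entropy"
    else:
        verdict = "plaintext"
    return {
        "length": len(payload),
        "entropy_bits_per_char": round(entropy, 3),
        "base64_decoded": decoded,
        "citations": citations,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, triage(payload))
```

English prose sits around 4 to 4.5 bits per character, so a payload that scores above 5 with no base64 structure deserves a closer look; one that decodes cleanly, or that matches the citation pattern, was never obfuscated, just pasted.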

What Happens Next
Now that the logs are full and the fingerprints are collected, the whole thing is basically on a leash. I know their ASN ranges, their IP rotation habits, their CDN entry points, and their cloud vendor dependencies. The next step is connecting those dots back to the humans behind it. That means getting data disclosure from Microsoft (Azure), Tencent (cloud edge nodes), and any CDN they’re piggybacking off.

And that’s where it gets interesting. Because if these jokers really are tied to local tech circles — including the type of students who’d brag about “owning” someone’s site — then the evidence already in my honeypot logs is going to age like milk for them.

Part Three – The 4:00:00 Probe Parade
One of the fastest ways to tell you’re not dealing with a pro is when their attack window is so predictable you could set your coffee maker to it.

By July, the “Shadow Money Gang – Ireland Division” spam probes were clocking in like factory workers — on the hour, every hour, with a special fondness for exactly 4:00:00 in my server logs.

It wasn’t just a timezone artifact. The timestamps lined up no matter which log source I pulled from — Cloudflare, Firebase, or my own honeypot’s internal timers. It’s as if they loaded up their script, hit “start” once, and never adjusted for drift.

That rhythm made them easy to isolate. I could drop into my log view, scroll to the 4:00:00 mark, and find their latest payload sitting there like a dog waiting at the back door.
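Turning the bus-schedule observation (the fixed rotation in Part Two and the 4:00:00 marks here) into a check you can run over a honeypot log, as an added example not taken from the original post. Per client it computes the inter-arrival gaps and their coefficient of variation; a script started once and never drift-corrected produces gaps that barely vary, while a person reading pages does not. The hit list is constructed with documentation IPs, and the 5% jitter threshold and three-hit minimum are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed honeypot hit log: (client IP, RFC 3339 timestamp). Invented times
# mimicking the hourly, on-the-hour pattern, plus a slightly drifting client, a
# human-looking client, and a one-off hit for contrast. Not real traffic.
HONEYPOT_HITS = [
    ("198.51.100.7", "2025-07-14T04:00:00Z"),
    ("203.0.113.10", "2025-07-14T04:13:07Z"),
    ("198.51.100.8", "2025-07-14T04:00:00Z"),
    ("192.0.2.9", "2025-07-14T04:00:00Z"),
    ("203.0.113.10", "2025-07-14T04:21:44Z"),
    ("198.51.100.7", "2025-07-14T05:00:00Z"),
    ("198.51.100.8", "2025-07-14T05:00:03Z"),
    ("198.51.100.8", "2025-07-14T05:59:58Z"),
    ("198.51.100.7", "2025-07-14T06:00:00Z"),
    ("203.0.113.10", "2025-07-14T06:02:19Z"),
    ("198.51.100.7", "2025-07-14T07:00:00Z"),
    ("198.51.100.8", "2025-07-14T07:00:01Z"),
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def inter_arrival_seconds(times: list) -> list:
    """Gaps between consecutive hits, in seconds, after sorting."""
    times = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def profile_client(times: list, min_hits: int = 3, cv_threshold: float = 0.05) -> dict:
    """Summarise one client's timing.

    cv = population stdev / mean of the gaps. A cron-style job has cv near 0;
    human browsing has cv near or above 1. Both thresholds are assumptions.
    """
    gaps = inter_arrival_seconds(times)
    on_hour = sum(1 for t in times if t.minute == 0 and t.second == 0)
    prof = {
        "hits": len(times),
        "median_interval_s": float(median(gaps)) if gaps else None,
        "cv": None,
        "on_the_hour_ratio": on_hour / len(times),
        "on_rails": False,
    }
    if len(times) >= min_hits:
        m = mean(gaps)
        prof["cv"] = round(pstdev(gaps) / m, 4) if m else 0.0
        prof["on_rails"] = prof["cv"] <= cv_threshold
    return prof


def find_scheduled_clients(hits: list, **kw) -> dict:
    """Group hits by client IP and profile each one."""
    by_ip = defaultdict(list)
    for ip, ts in hits:
        by_ip[ip].append(parse_ts(ts))
    return {ip: profile_client(times, **kw) for ip, times in by_ip.items()}


if __name__ == "__main__":
    for ip, prof in find_scheduled_clients(HONEYPOT_HITS).items():
        flag = "ON RAILS" if prof["on_rails"] else "irregular"
        print(f"{ip:15} {flag:9} {prof}")
```

The on-the-hour ratio is kept as a secondary signal only: the second scripted client above drifts by a few seconds and would be missed by grepping for exact :00:00 timestamps, but its coefficient of variation still rounds to zero.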

Geographic Fingerprints
The Cloudflare map told its own story:

Philippines – 3,500+ requests at multi-second load times.

Netherlands – ~5,500 ms latency spikes.

Ireland – Direct from Azure’s Dublin data center.

Tor Exit Nodes – Small handful of hits, probably just testing anonymity layers.

A sprinkling of noise from Canada, United States, and one-off curiosities like Tunisia and Brazil — low volume, high latency, negligible relevance.

This wasn’t a global DDoS. It was a lazy carousel of VPS hosts and public endpoints, rotated just enough to look “distributed” to an untrained eye, but still falling inside a handful of known cloud provider networks.

Firewalling Them Into Irrelevance
By the time I took the screenshot of my security rules, the system was running on four simple principles:

Exploit path filtering – /git, /env, /svn, /xmlrpc.php — auto JS challenge.

Tor blocking – Country equals T1 (Cloudflare's pseudo-country code for Tor exit traffic), JS challenge or outright block.

Regional suppression – Ireland-specific filters with custom notices.

Honeypot escalation – Any trip into the honeynet triggers silent fingerprinting.

This meant that every “attack” attempt became another data point. They weren’t breaching anything. They were just padding my dataset and proving how unsophisticated they really were.

Why This Matters
The reason this goes beyond “some kid with a script” is because of where they’re staging from — major cloud providers and CDNs that have strict AUPs and traceable billing records. Once disclosure requests go out to Microsoft, Tencent, and any intermediate providers, this stops being just logs on my server. It becomes a paper trail that links accounts, credit cards, and ultimately, identities.

Which means that when I sit down Monday with the U of M Indigenous Centre to talk about cyber defense, I’m not just bringing theory — I’m bringing a live case study of what happens when you take a small, persistent, and lazy botnet, and you strip away every layer of perceived anonymity they think they have.

Part Four – From Probes to Punchlines
By August, the pattern was unshakable — Ireland was still the staging ground, the probes were still clocking in with the precision of a metronome, and the payloads were still laughably bad.

The thing about these campaigns is that the longer they run without adaptation, the more they tell you about the attacker. This crew (or lone keyboard warrior) never changed their timing, never improved their obfuscation, and never once managed to push past my first line of automated challenges. In other words, they failed every ungraded quiz my firewall threw at them.

They even took a detour into Tor, as if routing through an anonymity network would magically disguise the fact they were hitting the exact same trap paths as before. When that fizzled, they just… went back to the same Ireland node. It’s the cyber equivalent of robbing a store, getting caught, then showing up the next day in the same outfit.

The Bigger Picture
What matters more than the payloads is the pattern of life:

They are comfortable abusing large, well-funded cloud providers that absolutely have the logs to trace them.

They are not random — the attack signature is too consistent, and the resources are too neatly pooled, for this to be “just background noise.”

They are bad at hiding their tracks — which is either incompetence, arrogance, or both.

Final Word
In the end, “Shadow Money Gang – Ireland Division” has given me more laughs than losses. They’ve padded my analytics, stress-tested my defenses, and handed me a case study in lazy threat actor behavior that I can now discuss in real time with academic and Indigenous tech spaces.

If they wanted to scare me, they failed. If they wanted to waste my time, they failed.
If they wanted to give me a story worth telling? Mission accomplished.

See the supporting images and logs at https://formant.ca/#catching-hackers