Oh, my...

The AG office has released proofs of culpability of TAD Group and Kristian Boykov in the hack of the Bulgarian National Revenue Agency.

Things don't look good for the defendant...
The stuff I saw in the media is mostly images, so Google Translate won't work; it will take me some time to compose the gist of it for Twitter. Hang on.

BTW, I couldn't find the corresponding info on the site of the AG office.
According to the prosecution, TAD Group has hacked 49 entities. There has been a collection of personal data for magistrates, stored in a folder, whose name roughly translates to "can't be cleaned".
Nearly 5 hours before the NRA data was made publicly available, the security camera on the balcony of TAD Group has recorded a conversation between Boykov and his trade director. Apparently, there was voice recording too.
Boykov: You know what I think, this stuff I've sent to the media, nobody's going to properly report on them, they will store it for internal use only, LMAO... It will be a pity; I've sent to Bivol (a BG newspaper), Reuters, etc.
Nine and a half hours after the leak, the camera has recorded the trade director having a phone conversation with someone. He says "Just the opposite, this will create more business for us".
"Not to mention that Bivol have had the info for two weeks already... We chat directly with the owner... Have in mind, not everything has been released... They have been released to the media for verification, to see what it's about..."
"...the government must go... with everyone... everyone".

(That's where the theory that it's been done to damage the government comes from, I guess.)
TAD Group's internal surveillance cameras show Boykov, on 16-07-2019, 11:21, for the site of the national television, copying the contact e-mail address, then doing the same with Kapital (another newspaper that got the info).
At 11:24 he opens Google Translate and searches for some of the phrases used in the "letter from the Russian hacker" that was sent to the media.

Editing a text message between 11:24-11:26. Message was received by the media at 11:50.
The system logs (bash history?) of his (decrypted) office computer show that on 9th of June he went to a directory named "MINFIN_BREACH" and searched for the SSNs of several prominent people.
He also changed the date of the files inside:
From his personal phone, a Telegram chat with Bivol (in green) can be seen:
Use Tor (not your browser), use Signal (not Telegram), and use an iPhone (instead of Android), I guess...
His office computer contains a file named homework_maths.txt, which contains the names of the folders in the leaked archive with NRA info.
A screenshot from the decrypted computer shows that Boykov has exploited a vulnerability (XSS?) in the official site of the Customs, ecustoms.bg:
The decrypted office computer contains a file, named domashno_count.txt ("domashno" means "homework" in Bulgarian), containing the structure of the NRA database. This information was not present in the leaked archive.
The decrypted office computer has a screenshot of a Telegram Desktop chat. Not related to the case (I think), but shows the unethical thinking going on in the company.

The chat is between Boykov and Todorov (the trade director).
Todorov: "Give them to Nachev and call them. Yesterday I gave him a list of quite a lot of clients for conditional contracts (?), for which we know 100% that they've been hacked."
Boykov: "I gave them to him and a bit of info about the vulnerabilities. Told him not to tell them which particular customers have been hacked, because it's covered by the NDA."
Boykov: "These twats have sold him to 3-4 banks and a bunch of big BG companies. If we sniff him, we could shake them too."
That's it for now. Bulgarian language source for all of the above:

mediapool.bg/prokuraturata-…

Official publication (Bulgarian-only, not on their English site) of the AG office:

prb.bg/bg/news/aktual…

H/t to @l4m3rx for finding the latter.