Shadows // Backwater Forensics
SENSITIVE: FORENSIC RESEARCH — For Security Research Only
Investigation Overview

Shadows Project // Residential Dark Net

Six years of continuous forensic research into a physical-layer dark net market operating on stolen telecommunications infrastructure. Unlike internet-hosted dark net markets, this network embeds its command-and-control inside residential cable infrastructure — using spliced signal paths, compromised ISP equipment, and recruited insiders to run a coordinated criminal enterprise that crosses multiple jurisdictions.

Investigation Active Since: 2020
7 Confirmed Tor Relays
113,920 IPv4 Addresses / AS11878
222 IP Ranges Catalogued
16 Identified Attacker IPs
1.03 GB Exfiltrated Feb 27 2026
6 Infrastructure Geographies

■ What Is the Shadows Project

The Residential Dark Net (RDN) is not a website. It has no .onion address and is not reachable from the open internet. It is a physical market structure built into cable and fiber infrastructure — operating through signal-layer access and compromised ISP equipment in residential and commercial service areas across multiple geographies.

The enterprise sells three core commodities: unauthorized network access, device access and persistence, and data exfiltration as a service. Customers are not end-users purchasing drugs or contraband — they are operators purchasing infrastructure-level capabilities for downstream criminal activity.

This investigation spans six years of continuous monitoring, packet capture, physical observation, public records research, and infrastructure analysis.

Core Thesis

Physical telecom infrastructure in the affected geographies has been compromised at the signal layer. The compromise is not incidental — it is systematic, maintained over years, and supported by insider access at multiple points in the service chain. The network sells that access.

Tags: Physical Layer • Cable Infrastructure • ISP Compromise • Insider Threat • Data Exfiltration • C2 Infrastructure • 6 Geographies

■ C2 Anonymization Infrastructure — Tzulo Inc. / AS11878

Primary C2 Target IP: 107.152.41.203 • Cloudfanatic.NET sub-tenant of AS11878 • Active Tor relay • Confirmed C2 anchor
Device Cloning / WireGuard Node: 23.234.70.127 • Pre-existing WireGuard session counter 3352 at first capture • Device clone coordination
Entity: Tzulo Inc.
ASN: AS11878
Registered: Feb 25, 2003
Location: Aurora, IL
IPv4 Space: 113,920 addresses • 222 ranges
PoP Cities: 14 confirmed
Sub-Tenant Layer

Cloudfanatic.NET operates as a sub-tenant within Tzulo’s address space, providing an additional anonymization layer. Chinese-attributed sub-tenants have been identified within the same block ranges.

AS11878 peers with 10 upstream providers. Two BGP peers have been flagged for elevated concern: IVPN (commercial no-log VPN) and NetInformatik (privacy hosting). The combination of commercial VPN peering, active Tor relay hosting, and sub-tenant anonymization layers creates a compounded obfuscation stack that makes traffic attribution difficult at the carrier level.

Seven confirmed Tor relays operate within the Tzulo IP space. The 198.44.132.0/24 and 198.44.140.0/24 blocks are designated Tzulo-TOR allocations. The Cloudfanatic block 107.152.41.0/24 carries the primary target IP. Additional WireGuard exfiltration tunnels (UDP port 10607) route through Mullvad relay infrastructure also hosted on Tzulo address space.

Exfiltration Node

23.234.108.3 — WireGuard exfiltration tunnel terminating at Mullvad relay on Tzulo infrastructure. Identified as the primary egress point for the Feb 27, 2026 data exfiltration event (~1.03 GB).

■ Incident Timeline — Feb 2026 (SITREP 1–5)

Trigger Event

Installation of a security camera at a monitored location in mid-February 2026 triggered a coordinated escalation across five distinct attack phases over 12 days. The adversary response confirmed active, real-time monitoring of the target environment.

SITREP 1 — Feb 15, 2026
Initial Escalation / Reconnaissance Surge
Camera installation triggers accelerated network reconnaissance. Anomalous inbound probing noted from infrastructure-attributed sources. Baseline behavioral shift from passive persistence to active engagement.
SITREP 2 — Feb 17–20, 2026
Device Cloning Attempt
23.234.70.127 identified conducting device cloning operations. WireGuard session counter 3352 observed at first capture, indicating a pre-existing persistent session — not a new intrusion, but a long-running background process already embedded.
SITREP 3–4 — Feb 21–26, 2026
Sustained Presence / TCP Manipulation
Multiple TCP RST injection events detected. The RST injector 155.226.144.130 operates outbound-only with zero inbound traffic, a classic forced-reconnection tactic used to route the victim through an attacker-controlled path. TLS probing from CloudFront-attributed IPs observed across multiple sessions.
SITREP 5 — Feb 27, 2026
Sustained Exfiltration Event
Largest single event in the investigation timeline. Three concurrent capture sessions recorded approximately 1.03 GB of outbound exfiltration across 6 priority IPs. Detection was performed using data rate analysis, not IP attribution alone.
P1 EXFIL + ACK STORM: 64.233.176.207 • 416.5 MB • 43:1 ratio • 154K ACK pkts
P2 BULK EXFILTRATION: 52.217.112.82 • 308.1 MB • 65:1 ratio
P3 BULK EXFILTRATION: 16.182.69.58 • 72.1 MB • 64:1 ratio
Detection Methodology
Data Rate as Primary Indicator
All attacker IPs identified through three converging signals: (1) sustained rate >100 KB/s — automated process, not human browsing; (2) out/in ratio >10:1 — exfiltration signature (pure exfil showed 43:1–65:1); (3) session pre-existing at capture — WireGuard counter 3352 proves persistent background process.
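As an added example, not the site's own tooling, the following script applies the three converging signals described above to per-peer flow summaries. The record format, the PeerFlow class and the sample addresses (RFC 5737 documentation ranges, constructed here) are assumptions; the thresholds (sustained rate above 100 KB/s, out/in ratio above 10:1, session already established at first capture) are the ones stated on the page.

```python
"""Rank remote peers by converging exfiltration signals from flow summaries.

Added example; not part of the Backwater Forensics site or its tooling.
Thresholds follow the stated methodology: sustained outbound rate above
100 KB/s, out/in byte ratio above 10:1, and a session that was already
established when capture began (a non-zero tunnel counter on the first packet).
"""
from dataclasses import dataclass
from typing import Iterable

RATE_THRESHOLD_BPS = 100 * 1024   # >100 KB/s sustained: automated, not interactive use
RATIO_THRESHOLD = 10.0            # out/in >10:1: bulk-upload signature


@dataclass(frozen=True)
class PeerFlow:
    peer: str
    bytes_out: int
    bytes_in: int
    duration_s: float
    first_counter: int   # tunnel/session counter seen on the first captured packet

    @property
    def rate_bps(self) -> float:
        return self.bytes_out / self.duration_s if self.duration_s > 0 else 0.0

    @property
    def out_in_ratio(self) -> float:
        return self.bytes_out / self.bytes_in if self.bytes_in else float("inf")

    @property
    def preexisting(self) -> bool:
        # A counter already advanced at first capture means the session predates the window.
        return self.first_counter > 0


def parse_summary(line: str) -> PeerFlow:
    """Parse one 'peer,bytes_out,bytes_in,duration_s,first_counter' record (constructed format)."""
    peer, out_b, in_b, dur, ctr = (field.strip() for field in line.split(","))
    return PeerFlow(peer, int(out_b), int(in_b), float(dur), int(ctr))


def signals(flow: PeerFlow) -> tuple[str, ...]:
    """Return the names of the signals this peer trips, in a fixed order."""
    hits = []
    if flow.rate_bps > RATE_THRESHOLD_BPS:
        hits.append("rate")
    if flow.out_in_ratio > RATIO_THRESHOLD:
        hits.append("ratio")
    if flow.preexisting:
        hits.append("preexisting")
    return tuple(hits)


def triage(flows: Iterable[PeerFlow], min_signals: int = 2) -> list[tuple[str, tuple[str, ...]]]:
    """Keep peers with at least min_signals hits; strongest evidence (most signals, then rate) first."""
    scored = [(f, signals(f)) for f in flows]
    kept = [(f, s) for f, s in scored if len(s) >= min_signals]
    kept.sort(key=lambda fs: (-len(fs[1]), -fs[0].rate_bps))
    return [(f.peer, s) for f, s in kept]


# Constructed flow summaries (RFC 5737 documentation addresses), one per remote peer,
# as a collector might emit them after aggregating one capture window.
SAMPLE_SUMMARIES = [
    "203.0.113.40, 308100000, 4700000, 2400, 3352",  # tunnel peer; counter already high at first packet
    "203.0.113.30, 300000000, 20000000, 600, 0",     # scheduled backup: fast and one-directional, new session
    "203.0.113.20, 2000000, 40000000, 1800, 0",      # ordinary browsing: download-heavy
    "203.0.113.50, 5000000, 100000, 3600, 0",        # slow trickle: lopsided but well under the rate bar
]


def triage_samples() -> list[tuple[str, tuple[str, ...]]]:
    return triage(parse_summary(line) for line in SAMPLE_SUMMARIES)


if __name__ == "__main__":
    for peer, hits in triage_samples():
        print(f"{peer:<14} {len(hits)} signals: {', '.join(hits)}")
```

Run directly to print the ranked peers. In the constructed sample the backup peer trips rate and ratio exactly as the tunnel peer does; only the pre-existing-session signal separates them, which is why rate and ratio alone should raise a peer for review rather than attribute it.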

Three Lenses Into the Network
RIAB Market Structure
How the Network Is Built

A full technical and organizational breakdown of the Residential Dark Net market. Covers the physical-layer architecture — from cable signal access points through ISP node compromise, patchover infrastructure, and the commercial corridors that carry the network’s traffic between geographies.

Includes mapped infrastructure nodes with confidence codes (Verified / Assumed / Inferred / Field-check pending), ISP franchise research, cross-geography routing anomalies, and the dual-plant condition identified in multiple geographies that enables persistent access without triggering standard abuse detection.

Tags: 6 Geographies • Physical Infrastructure • ISP Node Map • Patchover Points
shadows.backwaterforensics.com/structure/
RIAB Market Roles
Who Runs It and How

A detailed taxonomy of the four role classes identified operating within the network. Each class has a distinct function, capability set, and method of engagement — and each leaves different forensic signatures in the evidence record.

Role classes: RIAB Operator • Access Manager • Access Controller • Insider

The RIAB (Residential Infrastructure As a Business) operator sits at the top of the hierarchy, managing the physical plant and overseeing commercial relationships. Access Managers broker specific access transactions. Access Controllers enforce operational security at the signal layer. Insiders provide the human element — recruited personnel inside ISPs, housing complexes, and adjacent services.

shadows.backwaterforensics.com/roles/
Journey — Blogs & Stories
Six Years of Looking

The technical record tells what happened. The Journey section tells what it was like. Posts and stories from the investigation itself — the false starts, the moments a packet capture confirmed something that had only been a suspicion, the process of building a forensics practice from the ground up in response to being targeted.

A Backwater Forensics field log: methods that worked, methods that failed, and the longer arc of what it means to document a criminal network that doesn’t exist anywhere a court has looked before.

shadows.backwaterforensics.com/journey/

■ Disclosure Status

ISP Carrier Disclosure

Spectrum / Charter Communications has been identified as the primary affected carrier across multiple geographies. ISP-facing vulnerability disclosure is in preparation.

Tzulo / AS11878 — Priority Target

AS11878 subscriber records, routing logs, and sub-tenant agreements are identified as priority targets. The Cloudfanatic.NET sub-tenant layer requires independent investigation.

Data Provenance & Research Standards

All findings on this site are sourced from public records, network captures from monitored equipment, OSINT analysis, physical observation logs, and lawfully obtained infrastructure data. No classified sources. No unauthorized access to third-party systems. Evidence is maintained with SHA-256 chain of custody on local encrypted storage. No cloud storage. Specific addresses and GPS coordinates are available to authorized recipients upon request.