Firefox Snap Finally Support Installing Gnome Extensions in Ubuntu

The pre-installed Firefox browser in Ubuntu 22.04 finally to add back the ability to install Gnome Shell Extensions.

As you may know, Firefox in Ubuntu 22.04 defaults to Snap package that runs in sandbox. It however lacks the feature to exchange messages with native applications. So, you’ll find that the password manager integration (e.g., KeePassXC and 1password) with Firefox does not work. And, there’s no ON/OFF switch when you trying to install extensions from Gnome website.

For those sticking to the default Firefox package in Ubuntu 22.04, the new WebExtensions XDG desktop portal and its Firefox integration is present now to add back the native messaging support, though it’s in Beta stage at the moment for testing!

How to Try it out:

First of all, backup your bookmark, passwords, and other important data from current Firefox package.

1. Open ‘Ubuntu Software’, search for Firefox and go into its installation page. Then, switch to ‘latest/beta‘ channel via the header bar ‘Source’ dropdown-box. Finally, click install it.

Install Firefox from Beta channel

Or, simply press Ctrl+Alt+T to open terminal, and run command to switch Firefox from stable to latest beta:

sudo snap refresh firefox --beta

2. Next, run command in terminal (Ctrl+Alt+T) to update the XDG desktop portal, and also install chrome-gnome-shell agent:

sudo apt install xdg-desktop-portal chrome-gnome-shell

3. Now, kill the process of ‘xdg-desktop-portal’ and let it starts automatically. What I did is just log out and back in.

4. Finally, open Firefox web browser and go to It should pop-up a dialog ask user to grant permission to allow native connection for the website.

After clicking ‘Allow’, and install the browser extension via the ‘Click here to install broswer extension‘ link. You should finally be able to install an extension via the ON/OFF switch.

Skip the warning message ‘Your native host connector do not support following APIs: v6.‘, which also appear in my Google Chrome browser, though the extension install/uninstall function works.

Those using KeePassXC password manager may also install this extension to see if the browser integration works.

Switch back Firefox stable:

To go back the stable version of Firefox as Snap package, either search Firefox in Ubuntu Software and select ‘latest/stable’ channel from source and click install.

Or, run command in a terminal window (Ctrl+Alt+T):

sudo snap refresh firefox --stable

via: Ubuntu Discourse

Amazon advancements are standing out enough to be noticed by organizations and IT applicants

To speed up your profession in the data innovation industry, you need to confirm your abilities with the AWS Certified Solutions Architect Associate affirmation.

This declaration demonstrates your skill in achieving specialized assignments. Progress in the AWS Certified Solutions Architect Associate SAA-C02 exam makes you an individual from the first-class gathering of ensured experts.

You Can Get Global Reorganization with the Help of Exactinside:

  • Organizations favor you during the employing system because of your AWS Certified Solutions Architect Associate SAA-C02 confirmation identification.
  • In the event that you are as of now working in an IT firm, you get different chances to ascend the profession stepping stool.
  • You get every one of these vocation benefits when you pass the AWS CSA Associate SAA-C02 exam. This test tests your abilities and information on Amazon advancements.
  • The Amazon Exam Dumps is for sure testing and you really want inside and out planning to pass it.
  • In the event that you will show up in the Amazon certificate test, you need to get ready completely from the refreshed AWS Certified Solutions Architect Associate SAA-C02 exam dumps.

The AWS Certified Solutions Architect Associate Certificate Is Exceptionally Well Known in IT:

  • Many people endeavor the SAA-C02 exam consistently to redesign their abilities and send off an effective vocation.
  • Difficult work and refreshed AWS CSA Associate SAA-C02 exam planning material are important to make progress.
  • In this Amazon test arrangement venture, you can find support from Exactinside, which offers two organizations of items.
  • The Exactinside is one of the well-known stages that have been giving AWS Certified Solutions Architect Associate test up-and-comers.
  • You get substantial and refreshed AWS Certified Solutions Architect – Associate Exam SAA-C02 PDF dumps and an online practice test.

Amazon SAA-C02 Real Exam Questions Available in A PDF Format:

Various AWS test candidates have arranged the SAA-C02 exam in a brief time frame with these Amazon SAA-C02 Exam PDF Questions.

You can without much of a stretch utilize the PDF design AWS Certified Solutions Architect Associate SAA-C02 exam dumps on cell phones, workstations, and tablets.

We suggest you get ready from Exactinside SAA-C02 PDF dumps and get the authentication for the AWS.

Get Certified in A Short Time:

Every one of the determinations of the AWS Certified Solutions Architect Associate SAA-C02 work area test or reenactment programming is available in the online AW test.

It needn’t bother with Amazon SAA-C02 practice test programming establishment or extra modules.

You can take the SAA-C02 practice test on Windows, iOS, Android, Mac, and Linux.

All well-known programs like Safari, Internet Explorer, Opera, Chrome, and Firefox support the AWS practice test.

The Genuine Amazon SAA-C02 Exam Dumps for Splendid Results: offers genuine AWS Certified Solutions Architect – Associate Exam SAA-C02 exam dumps with top elements to win the trust of its clients. The unmistakable highlights are free.

Online SAA-C02 dumps refresh for as long as 90 days, two exceptionally viable test items arrange, and 100 percent ensure on AWS test dumps.

You can likewise download a free demo to test our AWS Certified Solutions Architect Associate SAA-C02 PDF dumps, and practice tests.

Pass Amazon SAA-C02 Exam Without Wasting Additional Time:

You can show your capacities and information with the AWS Certified Solutions Architect Associate confirmation identification.

The outcome in the AWS Certified Solutions Architect Associate SAA-C02 exam will likewise put your vocation on the right path.

Amazon SAA-C02 Real Exam Questions with Answers:

With this real wellspring of readiness. You will be an expert field master. Get our legitimate SAA-C02 pdf questions. Set up every one of the significant focuses as expected.

The review materials are confirmed. You will get the most recent and refreshed Amazon SAA-C02 dumps. These updates are given free with the Amazon SAA-C02 exam questions. Preparation is necessary because it makes you a stronger candidate.

Your ideas ought to be clear prior to taking the AWS Certified Solutions Architect – Associate test, and you can get the best arrangement. Without the exact review material, you never set up your AWS Certified Associate test precisely.


Our Amazon SAA-C02 exam dumps are extremely strong to support your vocation and help to redesign your insight. Every one of the essentials of the AWS Certified Associate test is achieved through Amazon SAA-C02 pdf dumps. Practice your AWS Certified Solutions Architect – Associate test with the Amazon SAA-C02 internet testing motors well, these are awesome to make your planning interesting. If you want to follow a readiness plan appropriately. you can accomplish the AWS Certified Associate objectives without any problem. The Amazon SAA-C02 pdf dumps are the absolute best to plan and you can get refreshed and legitimate data. Your planning is ideal for the SAA-C02 exam questions or You can investigate the admirable statements in the arrangement. These will assist you with getting ready for the impending confirmations.

Linux Mint 21 “Vanessa” Is Now Available for Download

Linux Mint 21 “Vanessa” Is Now Available for Download

There is no official announcement yet but you can download the final ISO images of the Linux Mint 21 “Vanessa” operating system right now from the following download link.

Linux Mint 21 Vanessa will have a long-term support plan till 2027.

Download Linux Mint 21 “Vanessa” Cinnamon ISO

Download Linux Mint 21 ” Vanessa”  Xfce ISO

Download Linux Mint 21 MATE ISO


What’s New On Linux Mint 21

  • In Linux Mint 21 Blueman replaces Blueberry.
  • In Linux Mint 21, you can find the improved file browser thumbnails.
  • The Sticky Notes application now has the ability to duplicate notes.
  • Impoved process monitor
  • Timeshift is now maintained as an XApp
  • Printing and Scanning improvements.

People of Open Source: Neville Spiteri, Wevr

This post originally appeared on the Academy Software Foundation’s (ASWF) blog. The ASWF works to increase the quality and quantity of contributions to the content creation industry’s open source software base. 

Tell us a bit about yourself – how did you get your start in visual effects and/or animation? What was your major in college?

I started experimenting with the BASIC programming language when I was 12 years old on a ZX81 Sinclair home computer, playing a game called “Lunar Lander” which ran on 1K of RAM, and took about 5 minutes to load from cassette tape.

I have a Bachelor’s degree in Cognitive Science and Computer Science.

My first job out of college was a Graphics Engineer at Wavefront Technologies, working on the precursor to Maya 1.0 3D animation system, still used today. Then I took a Digital Artist role at Digital Domain.

What is your current role?

Co-Founder / CEO at Wevr. I’m currently focused on Wevr Virtual Studio – a cloud platform we’re developing for interactive creators and teams to more easily build their projects on game engines.

What was the first film or show you ever worked on? What was your role?

First film credit: True Lies, Digital Artist.

What has been your favorite film or show to work on and why?

TheBlu 1.0 digital ocean platform. Why? We recently celebrated TheBlu 10 year anniversary. TheBlu franchise is still alive today. At the core of TheBlu was/is a creator platform enabling 3D interactive artists/developers around the world to co-create the 3D species and habitats in TheBlu. The app itself was a mostly decentralized peer-to-peer simulation that ran on distributed computers with fish swimming across the Internet. The core tenets of TheBlu 1.0 are still core to me and Wevr today, as we participate more and more in the evolving Metaverse.

How did you first learn about open source software?

Linux and Python were my best friends in 2000.

What do you like about open source software? What do you dislike?

Likes: Transparent, voluntary collaboration.

Dislikes: Nothing.

What is your vision for the Open Source community and the Academy Software Foundation?

Drive international awareness of the Foundation and OSS projects.

Where do you hope to see the Foundation in 5 years?

A global leader in best practices for real-time engine-based production through international training and education.

What do you like to do in your free time?

Read books, listen to podcasts, watch documentaries, meditation, swimming, and efoiling!

Follow Neville on Twitter and connect on LinkedIn.  

The post People of Open Source: Neville Spiteri, Wevr appeared first on Linux Foundation.

The post People of Open Source: Neville Spiteri, Wevr appeared first on

911 Proxy Service Implodes After Disclosing Breach

The 911 service as it existed until July 28, 2022.

911[.]re, a proxy service that since 2015 has sold access to hundreds of thousands of Microsoft Windows computers daily, announced this week that it is shutting down in the wake of a data breach that destroyed key components of its business operations. The abrupt closure comes ten days after KrebsOnSecurity published an in-depth look at 911 and its connections to shady pay-per-install affiliate programs that secretly bundled 911’s proxy software with other titles, including “free” utilities and pirated software.

911[.]re is was one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for his/her Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.

Residential proxy services are often marketed to people seeking the ability to evade country-specific blocking by the major movie and media streaming providers. But some of them — like 911 — build their networks in part by offering “free VPN” or “free proxy” services that are powered by software which turns the user’s PC into a traffic relay for other users. In this scenario, users indeed get to use a free VPN service, but they are often unaware that doing so will turn their computer into a proxy that lets others use their Internet address to transact online.

From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

As noted in KrebsOnSecurity’s July 19 story on 911, the proxy service operated multiple pay-per-install schemes that paid affiliates to surreptitiously bundle the proxy software with other software, continuously generating a steady stream of new proxies for the service.

A cached copy of flashupdate[.]net circa 2016, which shows it was the homepage of a pay-per-install affiliate program that incentivized the silent installation of 911’s proxy software.

Within hours of that story, 911 posted a notice at the top of its site, saying, “We are reviewing our network and adding a series of security measures to prevent misuse of our services. Proxy balance top-up and new user registration are closed. We are reviewing every existing user, to ensure their usage is legit and [in] compliance with our Terms of Service.”

At this announcement, all hell broke loose on various cybercrime forums, where many longtime 911 customers reported they were unable to use the service. Others affected by the outage said it seemed 911 was trying to implement some sort of “know your customer” rules — that maybe 911 was just trying to weed out those customers using the service for high volumes of cybercriminal activity.

Then on July 28, the 911 website began redirecting to a notice saying, “We regret to inform you that we permanently shut down 911 and all its services on July 28th.”

According to 911, the service was hacked in early July, and it was discovered that someone manipulated the balances of a large number of user accounts. 911 said the intruders abused an application programming interface (API) that handles the topping up of accounts when users make financial deposits with the service.

“Not sure how did the hacker get in,” the 911 message reads. “Therefore, we urgently shut down the recharge system, new user registration, and an investigation started.”

The parting message from 911 to its users, posted to the homepage July 28, 2022.

However the intruders got in, 911 said, they managed to also overwrite critical 911[.]re servers, data and backups of that data.

“On July 28th, a large number of users reported that they could not log in the system,” the statement continues. “We found that the data on the server was maliciously damaged by the hacker, resulting in the loss of data and backups. Its [sic] confirmed that the recharge system was also hacked the same way. We were forced to make this difficult decision due to the loss of important data that made the service unrecoverable.”

Operated largely out of China, 911 was an enormously popular service across many cybercrime forums, and it became something akin to critical infrastructure for this community after two of 911’s longtime competitors — malware-based proxy services VIP72 and LuxSocksclosed their doors in the past year.

Now, many on the crime forums who relied on 911 for their operations are wondering aloud whether there are any alternatives that match the scale and utility that 911 offered. The consensus seems to be a resounding “no.”

I’m guessing we may soon learn more about the security incidents that caused 911 to implode. And perhaps other proxy services will spring up to meet what appears to be a burgeoning demand for such services at the moment, with comparatively little supply.

In the meantime, 911’s absence may coincide with a measurable (if only short-lived) reprieve in unwanted traffic to top Internet destinations, including banks, retailers and cryptocurrency platforms, as many former customers of the proxy service scramble to make alternative arrangements.

Riley Kilmer, co-founder of the proxy-tracking service, said 911’s network will be difficult to replicate in the short run.

“My speculation is [911’s remaining competitors] are going to get a major boost in the short term, but a new player will eventually come along,” Kilmer said. “None of those are good replacements for LuxSocks or 911. However, they will all allow anyone to use them. For fraud rates, the attempts will continue but through these replacement services which should be easier to monitor and stop. 911 had some very clean IP addresses.”

Happy Sysadmin Appreciation Day: 2022’s top articles for sysadmins

Thank you to all of the system administrators who keep our systems up and running, patched, and deployed every day of the year. Check out our most popular articles for sysadmins.

Read More at Enable Sysadmin

The post Happy Sysadmin Appreciation Day: 2022’s top articles for sysadmins appeared first on

Ransomware Group Demand £500,000 From Bedfordshire School

Wooton Upper School in Bedfordshire suffered a ransomware attack this week, with hackers demanding £500,000 in ransom, according to reports.
The attack also affected the Kimberley college for 16-19 year olds, with both members of the Wootton Academy Trust. The attack was said to be the work of the Hive ransomware group.
The cybercriminals messaged parents and students to inform them of the compromise. Bank details, medical records, home addresses and psychological reviews were stolen in the attack.
On Tuesday, the Trust updated students and parents by saying that the disruption to its operations was limited due to the upcoming summer school holidays. The attack has, however, affected the production of some grade sheets along with scheduling for next year. They hope that backups will allow them to retrieve some data. Normal operations are expected to return within 10 days.
The Hive group believes that Wooton has £500,000 in cyber insurance, according to Bedford Today, a local newspaper. It has threatened the Trust with the release of all data unless they pay up.
The trust said, “we understand there may be concerns about whether any pupil/student data has been impacted. While we don’t have firm answers to these questions at the moment, this is our number one priority of the ongoing investigations.”
Global cybersecurity advisor at ESET and former head of digital forensics at Dorset Police, Jake Moore, warned that the potential release of stolen data could pose a big problem for the Trust, even though the timing minimised disruption for the school.
Moore suggested that the damage could last for years. He added that local authorities often lack the funds to pay the desired ransoms, suggesting that this may not have been a targeted attack, rather it may have just been an attack caught up in a broader sweep of vulnerable systems.

The post Ransomware Group Demand £500,000 From Bedfordshire School appeared first on IT Security Guru.

What is the OpenGEH (Green Energy Hub) Project

The OpenGEH Project is one of the many projects at LF Energy. We want to share about it here on the LF blog. This originally appeared on the LF Energy site

OpenGEH ( GEH stands for Green Energy Hub ) enables fast, flexible settlement and hourly measurements of production and consumption of electricity. OpenGEH seeks to help utilities to onboard increased levels of renewables by reducing the administrative barriers of market-based coordination. By utilizing a modern DataHub, built on a modular and microservices architecture, OpenGEH is able to store billions of data points covering the entire workflow triggered by the production and consumption of electricity.

The ambition of OpenGEH is to use digitalization as a way to accelerate a market-driven transition towards a sustainable and efficient energy system. The platform provides a modern foundation for both new market participants and facilitates new business models through digital partnerships. The goal is to create access to relevant data and insights from the energy market and thereby accelerate the Energy Transition.

Initially built in partnership with Microsoft, Energinet (the Danish TSO) was seeking a critical leverage point to accelerate the Danish national commitment to 100% renewable energy in their electricity system by 2030. For most utilities, getting renewables onboard creates a technical challenge that also has choreography and administrative hurdles. Data becomes the mechanism that enables market coordination leading to increased decarbonization. The software was contributed to the LF Energy Foundation by Energinet.

Energinet sees open source and shared development as an opportunity to reduce the cost of software, while simultaneously increasing the quality and pace of development. It is an approach that they see gaining prominence in TSO cooperation. Energinet is not an IT company, and therefore does not sell systems, services, or operate other TSOs. Open source coupled with an intellectual property license that encourages collaboration, will insure that OpenGEH continues to improve, by encouraging a community of developers to add new features and functionality.

The Architectural Principles behind OpenGEH

By implementing Domain Driven Design, OpenGEH has divided the overall problem  into smaller independent domains. This gives developers the possibility to only use the domains that are necessary to solve for the needed functionality. As the domains trigger events when data changes, the other domains listen on these events to have the most updated version of data.

The architecture supports open collaboration on smaller parts of OpenGEH. New domains can be added by contributors, to extend the OpenGEH’s functionality, when needed to accelerate the green transition.

The Green Energy Hub Domains

The Green Energy Hub system consists of two different types of domains:

A domain that is responsible for handling a subset of business processes.
A domain that is responsible for handling an internal part of the system (Like log accumulation, secret sharing or similar).

Below is a list of these domains, and the business flows they are responsible for.

Business Process Domains

Metering Point

Create metering point
Submission of master data – grid company
Close down metering point
Connection of metering point with status new
Change of settlement method
Disconnection and reconnecting of metering point
Meter management
Update production obligation
Request for service from grid company


Submission of calculated energy time series
Request for historical data
Request for calculated energy time series
Aggregation of wholesale services
Request for aggregated tariffs
Request for settlement basis

Time Series

Submission of metered data for metering point
Send missing data log
Request for metered data for a metering point


Request for aggregated subscriptions or fees
Update subscription price list
Update fee price list
Update tariff price list
Request price list
Settlement master data for a metering point – subscription, fee and tariff links
Request for settlement master data for metering point

Market Roles

Change of supplier
End of supply
Managing an incorrect change of supplier
Incorrect move
Submission of customer master data by balance supplier
Initiate cancel change of supplier by customer
Change of supplier at short notice
Mandatory change of supplier for metering point
Submission of contact address from grid company
Change of BRP for energy supplier

Data Requests

Master data request

System Domains

Shared Resources

Secrets handling
DataBricks workspace

Validation Reports

Log accumulation for all domains

Post Office

Messaging service for outbound messages

API Gateway

Authentication and routing

The post What is the OpenGEH (Green Energy Hub) Project appeared first on

Breach Exposes Users of Microleaves Proxy Service

Microleaves, a ten-year-old proxy service that lets customers route their web traffic through millions of Microsoft Windows computers, recently fixed a vulnerability in their website that exposed their entire user database. Microleaves claims its proxy software is installed with user consent, but data exposed in the breach shows the service has a lengthy history of being supplied with new proxies by affiliates incentivized to distribute the software any which way they can — such as by secretly bundling it with other titles.

The Microleaves proxy service, which is in the process of being rebranded to Shifter[.[io.

Launched in 2013, Microleaves is a service that allows customers to route their Internet traffic through PCs in virtually any country or city around the globe. Microleaves works by changing each customer’s Internet Protocol (IP) address every five to ten minutes.

The service, which accepts PayPal, Bitcoin and all major credit cards, is aimed primarily at enterprises engaged in repetitive, automated activity that often results in an IP address being temporarily blocked — such as data scraping, or mass-creating new accounts at some service online.

In response to a report about the data exposure from KrebsOnSecurity, Microleaves said it was grateful for being notified about a “very serious issue regarding our customer information.”

Abhishek Gupta is the PR and marketing manager for Microleaves, which he said in the process of being rebranded to “” Gupta said the report qualified as a “medium” severity security issue in Shifter’s brand new bug bounty program (the site makes no mention of a bug bounty), which he said offers up to $2,000 for reporting data exposure issues like the one they just fixed. KrebsOnSecurity declined the offer and requested that Shifter donate the amount to the Electronic Frontier Foundation (EFF), a digital rights group.

From its inception nearly a decade ago, Microleaves has claimed to lease between 20-30 million IPs via its service at any time. Riley Kilmer, co-founder of the proxy-tracking service, said that 20-30 million number might be accurate for Shifter if measured across a six-month time frame. Currently, Spur is tracking roughly a quarter-million proxies associated with Microleaves/Shifter each day, with a high rate of churn in IPs.

Early on, this rather large volume of IP addresses led many to speculate that Microleaves was just a botnet which was being resold as a commercial proxy service.

Proxy traffic related to top Microleaves users, as exposed by the website’s API.

The very first discussion thread started by the new user Microleaves on the forum BlackHatWorld in 2013 sought forum members who could help test and grow the proxy network. At the time, the Microleaves user said their proxy network had 150,000 IPs globally, and was growing quickly.

One of BlackHatWorld’s moderators asked the administrator of the forum to review the Microleaves post.

“User states has 150k proxies,” the forum skeptic wrote. “No seller on BHW has 150k working daily proxies none of us do. Which hints at a possible BOTNET. That’s the only way you will get 150k.”

Microleaves has long been classified by antivirus companies as adware or as a “potentially unwanted program” (PUP), the euphemism that antivirus companies use to describe executable files that get installed with ambiguous consent at best, and are often part of a bundle of software tied to some “free” download. Security vendor Kaspersky flags the Microleaves family of software as a trojan horse program that commandeers the user’s Internet connection as a proxy without notifying the user.

“While working, these Trojans pose as Microsoft Windows Update,” Kaspersky wrote.

In a February 2014 post to BlackHatWorld, Microleaves announced that its sister service — reverseproxies[.]com — was now offering an “Auto CAPTCHA Solving Service,” which automates the solving of those squiggly and sometimes frustrating puzzles that many websites use to distinguish bots from real visitors. The CAPTCHA service was offered as an add-on to the Microleaves proxy service, and ranged in price from $20 for a 2-day trial to $320 for solving up to 80 captchas simultaneously.

“We break normal Recaptcha with 60-90% success rate, recaptcha with blobs 30% success, and 500+ other captcha,” Microleaves wrote. “As you know all success rate on recaptcha depends very much on good proxies that are fresh and not spammed!”


The exposed Microleaves user database shows that the first user created on the service — username “admin” — used the email address A search on that email address in Constella Intelligence, a service that tracks breached data, reveals it was used to create an account at the link shortening service under the name Alexandru Florea, and the username “Acidut.” [Full disclosure: Constella is currently an advertiser on this website].

According to the cyber intelligence company Intel 471, a user named Acidut with the email address had an active presence on almost a dozen shadowy money-making and cybercrime forums from 2010 to 2017, including BlackHatWorld, Carder[.]pro, Hackforums, OpenSC, and CPAElites.

The user Microleaves (later “”) advertised on BlackHatWorld the sale of 31 million residential IPs for use as proxies, in late 2013. The same account continues to sell subscriptions to

In a 2011 post on Hackforums, Acidut said they were building a botnet using an “exploit kit,” a set of browser exploits made to be stitched into hacked websites and foist malware on visitors. Acidut claimed their exploit kit was generating 3,000 to 5,000 new bots each day. OpenSC was hacked at one point, and its private messages show Acidut purchased a license from Exmanoize, the handle used by the creator of the Eleonore Exploit Kit.

By November 2013, Acidut was advertising the sale of “26 million SOCKS residential proxies.” In a March 2016 post to CPAElites, Acidut said they had a worthwhile offer for people involved in pay-per-install or “PPI” schemes, which match criminal gangs who pay for malware installs with enterprising hackers looking to sell access to compromised PCs and websites.

Because pay-per-install affiliate schemes rarely impose restrictions on how the software can be installed, such programs can be appealing for cybercriminals who already control large collections of hacked machines and/or compromised websites. Indeed, Acidut went a step further, adding that their program could be quietly and invisibly nested inside of other programs.

“For those of you who are doing PPI I have a global offer that you can bundle to your installer,” Acidut wrote. “I am looking for many installs for an app that will generate website visits. The installer has a silence version which you can use inside your installer. I am looking to buy as many daily installs as possible worldwide, except China.”

Asked about the source of their proxies in 2014, the Microleaves user responded that it was “something related to a PPI network. I can’t say more and I won’t get into details.”

Acidut authored a similar message on the forum BlackHatWorld in 2013, where they encouraged users to contact them on Skype at the username “nevo.julian.” That same Skype contact address was listed prominently on the Microleaves homepage up until about a week ago when KrebsOnSecurity first reached out to the company.


There is a Facebook profile for an Alexandru Iulian Florea from Constanta, Romania, whose username on the social media network is Acidut. Prior to KrebsOnSecurity alerting Shifter of its data breach, the Acidut profile page associated Florea with the websites,, leftclick[.]io, and online[.]io. Mr. Florea did not respond to multiple requests for comment, and his Facebook page no longer mentions these domains.

Leftclick and online[.]io emerged as subsidiaries of Microleaves between 2017 and 2018. According to a help wanted ad posted in 2018 for a developer position at online[.]io, the company’s services were brazenly pitched to investors as “a cybersecurity and privacy tool kit, offering extensive protection using advanced adblocking, anti-tracking systems, malware protection, and revolutionary VPN access based on residential IPs.”

A teaser from Irish Tech News.

“Online[.]io is developing the first fully decentralized peer-to-peer networking technology and revolutionizing the browsing experience by making it faster, ad free, more reliable, secure and non-trackable, thus freeing the Internet from annoying ads, malware, and trackers,” reads the rest of that help wanted ad.

Microleaves CEO Alexandru Florea gave an “interview” to the website in 2018, in which he explained how Online[.]io (OIO) was going to upend the online advertising and security industries with its initial coin offering (ICO). The word interview is in air quotes because the following statements by Florea deserved some serious pushback by the interviewer.

“Online[.]io solution, developed using the Ethereum blockchain, aims at disrupting the digital advertising market valued at more than $1 trillion USD,” Alexandru enthused. “By staking OIO tokens and implementing our solution, the website operators will be able to access a new non-invasive revenue stream, which capitalizes on time spent by users online.”

“At the same time, internet users who stake OIO tokens will have the opportunity to monetize on the time spent online by themselves and their peers on the World Wide Web,” he continued. “The time spent by users online will lead to ICE tokens being mined, which in turn can be used in the dedicated merchant system or traded on exchanges and consequently changed to fiat.”

Translation: If you install our proxy bot/CAPTCHA-solver/ad software on your computer — or as an exploit kit on your website — we’ll make millions hijacking ads and you will be rewarded with heaps of soon-to-be-worthless shitcoin. Oh, and all your security woes will disappear, too.

It’s unclear how many Internet users and websites willingly agreed to get bombarded with Online[.]io’s annoying ads and search hijackers — and to have their PC turned into a proxy or CAPTCHA-solving zombie for others. But that is exactly what multiple security companies said happened when users encountered online[.]io, which operated using the Microsoft Windows process name of “online-guardian.exe.”

Incredibly, Crunchbase says Online[.]io raised $6 million in funding for an initial coin offering in 2018, based on the plainly ludicrous claims made above. Since then, however, online[.]io seems to have gone…offline, for good.


Until this week,’s website also exposed information about its customer base and most active users, as well as how much money each client has paid over the lifetime of their subscription. The data indicates Shifter has earned more than $11.7 million in direct payments, although it’s unclear how far back in time those payment records go, or how complete they are.

The bulk of Shifter customers who spent more than $100,000 at the proxy service appear to be digital advertising companies, including some located in the United States. None of the several Shifter customers approached by KrebsOnSecurity agreed to be interviewed.

Shifter’s Gupta said he’d been with the company for three years, since the new owner took over the company and made the rebrand to Shifter.

“The company has been on the market for a long time, but operated under a different brand called Microleaves, until new ownership and management took over the company started a reorganization process that is still on-going,” Gupta said. “We are fully transparent. Mostly [our customers] work in the data scraping niche, this is why we actually developed more products in this zone and made a big shift towards APIs and integrated solutions in the past year.”

Ah yes, the same APIs and integrated solutions that were found exposed to the Internet and leaking all of Shifter’s customer information.

Gupta said the original founder of Microleaves was a man from India, who later sold the business to Florea. According to Gupta, the Romanian entrepreneur had multiple issues in trying to run the company, and then sold it three years ago to the current owner — Super Tech Ventures, a private equity company based in Taiwan.

“Our CEO is Wang Wei, he has been with the company since 3 years ago,” Gupta said. “Mr. Florea left the company two years ago after ending this transition period.”

Google and other search engines seem to know nothing about a Super Tech Ventures based in Taiwan. Incredibly, Shifter’s own PR person claimed that he, too, was in the dark on this subject.

“I would love to help, but I really don’t know much about the mother company,” Gupta said, essentially walking back his “fully transparent” statement. “I know they are a branch of the bigger group of asian investment firms focused on private equity in multiple industries.”

Adware and proxy software are often bundled together with “free” software utilities online, or with popular software titles that have been pirated and quietly fused with installers tied to various PPI affiliate schemes.

But just as often, these intrusive programs will include some type of notice — even if installed as part of a software bundle — that many users simply do not read and click “Next” to get on with installing whatever software they’re seeking to use. In these cases, selecting the “basic” or “default” settings while installing usually hides any per-program installation prompts, and assumes you agree to all of the bundled programs being installed. It’s always best to opt for the “custom” installation mode, which can give you a better idea of what is actually being installed, and can let you control certain aspects of the installation.

Either way, it’s best to start with the assumption that if a software or service online is “free,” that there is likely some component involved that allows the provider of that service to monetize your activity. As KrebsOnSecurity noted at the conclusion of last week’s story on a China-based proxy service called 911, the rule of thumb for transacting online is that if you’re not the paying customer, then you and/or your devices are probably the product that’s being sold to others.

Further reading on proxy services:

July 18, 2022: A Deep Dive Into the Residential Proxy Service ‘911’
June 28, 2022: The Link Between AWM Proxy & the Glupteba Botnet
June 22, 2022: Meet the Administrators of the RSOCKS Proxy Botnet
Sept. 1, 2021: 15-Year-Old Malware Proxy Network VIP72 Goes Dark
Aug. 19, 2019: The Rise of “Bulletproof” Residential Networks