Security BSides Las Vegas 2025

juanma

Juanma is a security researcher and developer focused on threat intel tooling and dark web data analysis. He builds open-source tools that turn leaked chaos into structured awareness, with a strong focus on privacy, legality, and responsible disclosure. His current project, Have I Been Ransomed?, is part of a broader mission to make ransomware leak awareness accessible and useful—without exposing the data that bad actors already dumped.


Sessions

08-04
18:00
45min
(06) Indexing the Chaos: Extracting PII from Ransomware Leaks
juanma

We built HIBR, a system that crawls ransomware gang leak sites, downloads the chaos, and uses OCR + LLMs to sift through scanned IDs, contracts, HR PDFs, and anything else these digital hyenas leave behind. And yes, it works. No, we don’t show you the PII. But we know where it is.

This talk is a guided tour through a pipeline that’s half tool, half moral panic generator. You’ll see how we built it, what we found, and what it means when your passport is sitting in a ZIP file called pay_or_we_leak.zip.

This isn't a product demo. It’s a deep dive into uncomfortable data, blurry legal zones, and the fine art of not getting sued while looking directly at the internet's open wound.

Skytalks
Misora
08-05
18:00
45min
Indexing the Chaos: Extract PII from Ransomware Leaks
juanma

Modern ransomware attacks no longer just encrypt files—they exfiltrate and leak terabytes of internal corporate documents. These leaks contain unstructured chaos: scanned passports, HR forms, insurance records, and other sensitive data. Yet most breach-checking tools ignore them completely.

This talk presents Have I Been Ransomed? (HIBR), a toolchain and public search engine designed to extract meaningful PII from this mess using OCR and Large Language Models (LLMs). We’ll explore how we crawl these leaks, how we safely extract identifiers without exposing PII, and how LLMs allow us to detect personal data buried deep inside PDFs and image scans. We'll also address the ethical landmines, legal constraints (e.g., GDPR), and our design decisions to avoid becoming a privacy nightmare.

Attendees will walk away with a practical understanding of how to process complex ransomware dump data and build awareness tools responsibly—while seeing live examples of HIBR in action.

Ground Truth
Siena