CLASSIFICATION: Unclassified / Open Source

Executive Summary

Surabaya Black Hat (SBH) is an Indonesian underground collective active since September 20, 2011, straddling the country’s defacement scene and profit-motivated intrusions. Media and police reporting in March 2018—triggered by an FBI referral—document hundreds to thousands of website compromises across 40+ countries, SQL injection as a common vector, and extortion for payment via PayPal/Bitcoin. Group infrastructure included a web forum and a sizable Telegram community (approx. 707 members) used for data sharing, which disbanded after arrests. SBH also maintains a public GitHub organization hosting the SBH Shell v2.5 (webshell/defacement toolkit). Overall assessment: criminal crew with organized tooling and social reach; technical depth moderate, impact amplified by scale and publicity. Confidence: high based on mainstream Indonesian press, GitHub artifacts, and law-enforcement statements.

• Origin & brand: Underground community founded 2011-09-20 with forum + Facebook group; publicity spikes correlated with high-profile defacements (e.g., Farhat Abbas).
• Goalset: Mixed—status in local scene, some hacktivist-style defacements for clout, but primary monetization via hacking-for-profit and blackmail/ransom. tirto.id
• Comms: Forum, Facebook, and later Telegram (707 members, shut down after arrests). CNN Indonesia

• Recruitment & reach: Rapid community growth after media-covered defacements; forum/FB seen as on-ramps for novices, with seniors coaching. LinuxSec Exploit
• Narrative leverage: Indonesian press coverage and social chatter magnified SBH’s notoriety. The Jakarta Post
• Operational discipline: Public GitHub presence for tooling suggests semi-organized development and shared tradecraft. GitHub