Cl0p ^_- Til You Drop - 6 years, 9 Campaigns, 7 0-Days
Recon Village @ DEF CON 34 • August 6-9, 2026
Abstract
Cl0p has executed at least nine major exploitation campaigns since 2020, targeting file transfer and edge devices from Accellion to MOVEit to Centrestack. Each campaign looks different on the surface, different CVEs, different victims, different tooling. But their infrastructure tells a different story.
This talk presents the results of a multi-year infrastructure reconnaissance effort tracking Cl0p's hosting, ASN usage, and operational patterns across all known campaigns. By mining passive DNS data, network telemetry, and hosting records, I mapped the infrastructure behind each campaign and identified patterns the group can't seem to shake — including a favorite bulletproof hosting provider used across four separate campaigns, a finding that roughly one-third of their ASNs get recycled, and pre-attack reconnaissance probing observed as far as two years before exploitation.
Speaker
Senior Threat Intelligence Advisor with Team Cymru
Eli Woodward is a cyber threat intelligence advisor with Team Cymru. He's worked in a variety of industries including financial services and government, and has seen the range of organizations from extremely well-resourced and capable to the shoestring budget. This has given him unique insights into CTI at all levels of complexity, maturity, and resources. He holds a master's degree in Intelligence and Security Studies and also plays bagpipes competitively.
View full speaker profile →