Thursday, 29 March 2012

Ray Adams and his friends, the Bulgarian Hackers

Earlier this week the Austrlian Financial Review received an archive copy of 14,400 emails that appear to have come from the laptop of Ray Adams, Former head of security at NDS. They published a 6mb selection of around 700 pages of emails, and have asked people to look through them

Something Awful forum member Nation found a number of emails relating what appears to be the recruiting of a hacker, and possibly requests for work by Ray Adams.

First it appears a Veselin Nedelchev sent the profiles of two individuals, Nedeltchev and Donev to Ray Adams:

From: Veselin Nedelchev <>
To: Ray Adams
Date: 2/23/2001 9:06:54 AM
Subject: correction


Attended Grammar School equivalent in Kazanlak. A school with a technical profile stream until 1976

1976 to 1978 Military service in Bulgaria.

1978 Student at Technical institute in Gabrovo (Nothern Bulgaria) studying electronics. Graduated in 1981.

1981 engaged at I.M.M Government technical micro-electronic Institute in Kazanlak. Employed until 1990 as director of Micro-electronic research.

Visited Switzerland on Government Project and remained in Switzerland at end of project where employed by ADEZA, electronics company, on short term consultancy. Returned to Bulgaria and formed company ALIENS, specialising in microprocessor technology development and research.

In 1997 commenced as consultant to NDS (UK)


Attended Technical institute in Kazanlak until 1986 when selected for specialist training at I.M.M. the government research Institute. So engaged until 1985

Joined Army for military service until 1988

From 1990 to 1995 engaged in the research and design departments at I.M.M. Specialising in Micro technology, micro-processor and encryption research. Responsible for development of protection systems in smart card technology.

Fluent in Russian and Bulgarian technical languages.

In 1994 joined private company ALIENS, Kazanlak, Bulgaria as partner. Company responsible for development of micro electronic and engineering techniques applicable to smart card technology and protective encryption methods.

1997 engaged as consultant to NDS. Visited and worked in Israel as specialist team leader with NDS in Jerusalem and Haifa. Units responsible for the protection of Pay TV encryption technology. Visited UK and engaged on applications of satellite broadcast encryption techniques.

The units within NDS that Donev has worked with are re-locating from Israel and Germany to the UK. He will be required to continue working with NDS in the UK.

It appears the first profile Veselin's own information, plus the profile of one other, “Donev”. Interestingly there’s a series of emails between Ray Adams and the email address, which may be related to the above highlighted ALIENS, Kazanlak.

For example, this email was sent by Ray Adams to two accounts named vesco and Plamen
for <>; Fri, 26 Jan 2001 03:03:13 +0200
Reply-To: <>
From: "Alien" <>
To: "Adams, Ray" <>
Date: Fri, 26 Jan 2001 03:06:43 +0200
Message-ID: <>
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
In-Reply-To: <F128BF333D06D41192D700508BC25EAC26C8EF@MOTH>
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700

From: Alien <>
To: Adams, Ray
Date: 1/26/2001 12:06:44 PM
I'm thinking how to explain it...
Is there a position 'main hacker'?
How is it going to look in the form?


you can fax anything you want on my home phone line: +35943120600


p.s. Write anything you would like to. I don't care.

-----Original Message-----
From: Adams, Ray []
Sent: 25 ßíóàðè 2001 ã. 12:36
To: 'Plamen'; 'vesco'

The sooner I have some information that I can supply to the immigration people the better.

I could fax the forms to you so that you can see the type of information that we are having to supply. What is the best fax number for you.

So this seems to prove that Plamen is using the email address. It certainly seems to imply that Plamen is a “main hacker” as he describes himself, and that Ray is trying to help him with immigration documents.

This email from Ray Adams to the account seems to show they build up a trusting relationship

A letter with a sealed envelope from Barclays Bank has arrived at my house - addressed to you...

To which he receives this reply
Hi Ray,

I'm very happy to hear you again...
I trust you completely. Please, open the envelope and send me the access codes via e-mail as soon as possible. It is URGENT. Thanks in advance.
Zvi is coming here at 16-th (Wednesday).
We (me and Vesco) will meet him at the airport...

the visit to UK could be very nice 'vacation' :-)

In this email we see more information on what the guy has actually been doing

It is very good job - good salary, very good conditions, chance for development in the position, small responsibilities as to keep your mouth shut...

The first project was to get out some code, to look at it and to explain some part of the program inside. Everything was well documented, the code was not protected and the CPU architecture was well known. Where is the challenge in this? Nothing is unknown!

The second project was to construct DDT having only FEW BYTES of code, boring again! I could have accepted the first project as a test, but the second was not a test. Someone really thought it was a challenge or he was simply bored to do it himself and said "The fucking Bulgarian has to do it for a lesson". I did my best and I found something challenging in it, leaving a trap, just a small detail inserting random element in its behavior. I was surprised when Zvi asked for my opinion and sent me another DDT made by someone else using the same method and having the SAME detail UNTOUCHED! It meant the person constructed the new ECM has not taken even a look at the
kill packet, he has not even tried to understand what it does, he just used it literally knowing what it should do because I claimed that it should work and someone tested it and said it works.

The next project is to give a LECTURE to some guys on the subject "How to write better protected software for our products - the confession of one ex-hacker..." I apologize for the irony but I couldn't keep it.

Plamen also offers to use some of his other skills
I have another idea. Why don't you let me hack some of your competitor's products? It will be fun for me and profitable for the company...
...This letter is not something I could send to anybody else except to you

This email provides more details of the work the hacker was doing for Ray Adams
Hi Zvi,

I need information urgently. I would like to know is there a service ID:FB90 or ID:E047 in the Galaxy system. The last job was a hard nut! I think I found solution...
Well, it depends of your answer but if it is yes - the problem has no solution. Probably you would have to change some of the IDs of the services...

Is there a way to give me program making signatures? I would like to test the DDT before sending it to you in order to avoid the bugs...


p.s. I modified the glitcher program to support Galaxy cards. It now supports both DTV and Galaxy. Would you like to have it? :-)

Finally in this email it seems Ray has a special take for Plamen and Vesco

I have a mission for you and possibly for Vesco as weel.

One question is who Vesco is? The original emails with the two profiles were sent by 'Veselin Nedelchev', so it’s not a massive leap to imagine his nickname could be Vesco. Could “Donev” be Plamen?  Interestingly Plamen Donev is a Bulgarian football coach, maybe the nickname Plamen is a play on that?

You can contact the author on Twitter @brown_moses or by email at


  1. About 15-10 years ago I was doing some research into the economies of eastern Europe. Sometime in the 80s there was a state drive to develop a computer industry in Bulgaria. While the Bulgarians could not make a go of it for macroeconomic reasons they did train up a load of computer bods. Come the downfall of Stalinism these people had nothing to do…the economy ground to a halt. So they created viruses. Several good sources said that most of the viruses in the early 90s were coming out of Bulgaria.
    They're not fools.
    Check their names online and likely candidates emerge.

  2. Thanks for this post, only just noticed despite a few visits to your blog.

    It ties in rather nicely to what Medawar was writing independently at the time.

    Now tied together: