The complete history of Sub7, the remote access trojan that shaped early 2000s hacker culture. From a Romanian teenager teaching himself Delphi in Windsor, Ontario, to the tool that powered a generation of script kiddies, to the mysterious disappearance of its creator - and the imposter who claimed credit for over a decade.

This is a story about identity, anonymity, and truth. The real Mobman stayed hidden while Greg from Tampa built a career on the lie. It took years of investigation and a three-way phone call to finally expose the fraud and give credit to the quiet Romanian kid who just wanted to code.

Sonically inspired by B.U.G. Mafia - the Bucharest Underground Mafia - the Romanian gangsta rap group that the real Mobman was a fan of. Their quotes appeared in Sub7’s About screens. This album honors that connection.

Structure:

Act 1: Origin (Tracks 1-3) The real Mobman’s story - immigration, learning to code, creating something that took on a life of its own.

Act 2: Phenomenon (Tracks 4-5) What Sub7 became - the script kiddie explosion and the dark side of webcam access and privacy violation.

Act 3: The Void (Track 6) Mobman disappears. The anonymous creator stays anonymous.

Act 4: The Lie (Tracks 7-8) Greg claims the throne. The lie goes mainstream on Darknet Diaries.

Act 5: The Reckoning (Tracks 9-11) Ill Will investigates. The confrontation. The truth finally emerges from Craiova.

Themes:

• Identity and anonymity in hacker culture
• The price of creation (fear of prosecution)
• Stolen valor / identity theft of an anonymous person
• Romanian immigrant experience
• The democratization of hacking (for better and worse)
• Truth eventually surfacing

Sub7 - Deep Research & Source Documentation

This document provides comprehensive research for the album “Sub7.” Every name, quote, date, technical detail, and event referenced is documented here with authoritative sources.

Purpose: Documentary accuracy and deep reference material. This album depicts real events, real people, and the true story of Sub7’s creation and the identity controversy surrounding its creator.

Last Updated: December 2024

Table of Contents

1. The Real Mobman
2. Sub7: Technical Deep Dive
3. The Master Password Decoded
4. B.U.G. Mafia: The Musical Connection
5. The Sub7 Crew
6. The Identity Controversy
   • The Rolling Stone Article (September 2013)
7. Greg’s False Claims (Episode 20)
8. The Investigation (Ill Will)
   • Additional Technical Evidence (IllMob Investigation)
9. The Confrontation (Episode 150)
10. Timeline of Events
11. Primary Sources
    • Journalism & Media
    • Security Research
12. Verified Quotes
13. Areas of Creative License

The Real Mobman

Identity

Background & Childhood

In Romania (pre-1997):

• Born in Craiova, a city in southwestern Romania (population ~300,000)
• Craiova is the capital of Dolj County, located in the historical region of Oltenia
• Growing up in post-communist Romania (Ceaușescu’s regime ended 1989)
• Taught himself programming at a young age: “I taught myself to program when I was very little”
• Created “a whole bunch of little games” in Romania before immigrating
• Had a NES console that his mother destroyed - he took it apart to understand how it worked: “his mother smashed it down, he took it apart just to see how it sounds” (paraphrased from Ep 150)

Immigration (1997):

• Family moved from Romania to Canada in 1997
• Settled in Windsor, Ontario - directly across the Detroit River from Detroit, Michigan
• Windsor is the southernmost city in Canada (further south than parts of California)
• The move brought him to North America at age 16-17

Learning Delphi:

• Discovered Delphi programming language after arriving in Canada
• “I wanted to start learning Delphi”
• “I learned Delphi by working on Sub7. It was my very first project”
• Sub7 was both his learning project AND his masterpiece

Handle Origin: The B.U.G. Mafia Connection

The handle “Mobman” came from B.U.G. Mafia (Bucharest Underground Mafia), a Romanian gangsta rap group:

“It comes from a rap band, a Romanian rap band, called B.U.G. Mafia. Bucharest Underground Mafia; that’s their name. I’m a big fan of them.” — Real Mobman, Darknet Diaries Ep 150

He adopted the nickname in 1999, the same year Sub7 was released.

Key evidence of Romanian authorship:

• B.U.G. Mafia lyrics (in Romanian) appeared in Sub7’s About screens across ALL versions
• “Every single version that was released, into the credits screen, and under Programmer, there’s only one name ever”
• “B.U.G. Mafia didn’t even have any songs online, man. I brought tapes with me from Romania. You could not have heard of them on the internet in 1999 when this was put in the About credits.”

This is crucial evidence - an American imposter in 1999 would have no way to know about B.U.G. Mafia or include their Romanian lyrics.

Why He Disappeared (~2004)

Reasons (from Ep 150):

1. Fear of prosecution: “People started getting in trouble for making tools like that”
2. Heard about malicious use: “People using it for malicious purposes”
3. Wanted to move on: “I wanted to get into something else”
4. Maintained anonymity: “Nobody knew my name, even the people that were closest to me”

Law Enforcement Contact:

• Never arrested or contacted by authorities
• “No, no, I did not [get heat from law enforcement]”

On letting Greg claim credit:

• “I just let it go… I thought ‘why would I even care’”
• Let the imposter take heat while staying safely anonymous

Sub7: Technical Deep Dive

Basic Information

Name Origin

The name “Sub7” is a wordplay derived from NetBus, an earlier RAT:

1. Spell “NetBus” backwards → “suBteN”
2. Swap “ten” for “seven” → “Sub7” / “SubSeven”

This naming referenced Sub7’s roots while establishing its own identity as the successor/competitor to NetBus.

Architecture (Three Components)

Security Expert Quote:

“With these features, Sub7 allows a hacker to take ‘virtually complete control’ over a computer. Sub7 is so invasive that anyone with it on their computer ‘might as well have the hacker standing right next to them’ while using their computer.” — Steve Gibson, computer security expert

Version History

Version 1.x Series (1999)

Version 2.x Series (1999-2003)

Note on v2.1.2 “Muie”: The version name “Muie” is Romanian vulgar slang (roughly meaning “blowjob” or used as “fuck you”). This naming choice:

1. Further proves Romanian authorship
2. Reflects the rebellious/underground hacker culture
3. Would be an extremely unlikely choice for a non-Romanian speaker

The Failed v2.2 Branch

The v2.2x branch attempted a modular approach with plugins and custom features. However, it failed because users lacked either the skills or motivation to create extensions. Mobman returned to the 2.1.x branch, culminating in the final “Legends” release.

Comprehensive Feature List

Sub7’s initial version (v1.0) had 113 capabilities organized into categories:

Surveillance & Monitoring

Password & Credential Theft

Prank/Disruption Features (“Fun Manager”)

System Control

Network Features

The IRC Control Innovation (v2.1): Starting with version 2.1, Sub7 could be controlled via IRC (Internet Relay Chat). As one security book noted:

“This set the stage for all malicious botnets to come.”

This was a pivotal innovation that influenced all future botnet development.

Why Sub7 Succeeded Where Others Failed

1. User-Friendly Interface: Unlike command-line tools, Sub7 had a polished GUI
2. “Fun” Features: The prank features made it appealing to curious teenagers
3. Constant Updates: Mobman actively developed it for 4+ years
4. Community Requests: He added features based on user emails
5. Free Distribution: Available on warez sites and hacking forums
6. Documentation: Came with help files and was easy to understand

“It was all fun. At the beginning and for the first many versions, it was all just fun. Having fun with people, playing tricks on them; pranks and things like that.” — Real Mobman, Ep 150

Distribution & Spread

• Uploaded to hacking sites and warez forums
• “I packaged it up and uploaded it to a hacking site. That started picking up steam”
• “People started sending me e-mails, contacting me; oh, can you add this?”
• Spread globally: particularly popular in China and India
• “Nearly every IP range I scanned would find at least 1 computer [infected]”

W32/Leaves Worm & Port 27374 Security Impact (2001)

In 2001, Sub7’s prevalence created an unexpected secondary threat: the W32/Leaves worm specifically targeted Sub7-infected machines.

How It Worked:

1. Scan for computers with open port 27374
2. Connect using Sub7 protocol
3. Upload and execute its own payload

Sources:

• GIAC Paper
• SpeedGuide Port 27374
• HandWiki Sub7

June 2001 Port 27374 Surge:

“In June 2001, an increase of scanning activity was detected for TCP port 27374, the default administration port for the Trojan known as Sub7. The dramatic rise in scanning activity indicated that a new tool had been released, potentially an auto-rooter or a worm.” — GIAC Security Paper

Scale of Infection:

“Many attackers…simply scanned the Internet for systems already infected with the Sub7 Trojan. This saved the attackers the work of having to compromise a system. By focusing on targets already compromised, attackers could easily gain control of hundreds, if not thousands, of systems.” — GIAC Security Paper

Steve Gibson Quote (Security Expert):

“With these features, Sub7 allows a hacker to take ‘virtually complete control’ over a computer. Sub7 is so invasive that anyone with it on their computer ‘might as well have the hacker standing right next to them’ while using their computer.”

Modern Status: Over time, variants of Sub7 introduced evasion techniques including polymorphic code and encryption of traffic. However, modern antivirus solutions and Windows security enhancements have reduced the effectiveness of classic Sub7 strains. Port 27374 continues to be probed by attackers looking for old infections.

This demonstrated both Sub7’s massive prevalence and how it created a secondary attack surface - infected machines became targets for other malware.

The Master Password Decoded

One of Sub7’s most controversial features was a hardcoded master password that allowed the author to connect to ANY Sub7 server, regardless of the password set by the user who deployed it.

The Discovery

Security researchers reverse-engineering Sub7 discovered:

“SubSeven’s author has secretly included a hardcoded master password for all of his Trojans! The Trojan itself has been Trojaned.”

Password by Version

Decoding “14438136782715101980”

The real Mobman explained the password’s meaning in Episode 150:

Full explanation from Mobman:

“The first part is my old ICQ number: 14438136. This was the default number in the EditServer, so it’s pretty obvious. The next 4 digits are from an old license plate I had back in Romania. The last 8 are my birthday: 15–10–1980.”

Why This Matters

The master password became key evidence in the identity controversy:

• Real Mobman’s birthday: October 15, 1980 → matches the password
• Greg’s claimed birthday: October 27 → does NOT match

When confronted, Greg could not explain why the master password contained a different birthday than his.

B.U.G. Mafia: The Musical Connection

B.U.G. Mafia (Bucharest Underground Mafia) is a Romanian hip hop group that directly inspired the real Mobman’s handle and whose lyrics appeared in Sub7’s code.

Group Overview

Members

Original members (departed 1993): D.D. and Mr.Nobody

Musical Style & Significance

B.U.G. Mafia were:

“The pioneers of the gangsta rap scene in Europe, being the first major group to fuse the raw, West Coast-inspired sound of 90s gangsta rap with the social and political struggles of post-communist Romania, shaping the foundation of Romanian rap.”

Musical characteristics:

• Heavy “boom bap” drums
• G-funk synthesizers and keyboards
• Dark, raw, unpolished production
• Preference for live instrumentation over sampling
• Themes: poverty, crime, police hostility, post-communist housing projects

Discography (1995-1999)

“De Cartier” (1998) - Key Album

Released September 20, 1998 - just 5 months before Sub7 dropped.

Album significance:

“Although rough, the album’s tracks provided a more introspective and passionate outlook of working-class life in Romania… the album paved B.U.G. Mafia’s way to superstardom in Romania.”

Sales: 130,000+ copies - massive for Romania

The Connection to Sub7

Why this matters:

1. Real Mobman was a B.U.G. Mafia fan who brought tapes from Romania
2. B.U.G. Mafia lyrics appeared in Sub7’s About screens across ALL versions
3. His handle “Mobman” came from “Bucharest Underground Mafia”
4. “B.U.G. Mafia didn’t even have any songs online, man. I brought tapes with me from Romania.”
5. An American imposter in 1999 would have no way to know about B.U.G. Mafia

This is irrefutable evidence of Romanian authorship.

Controversy

In 1997, B.U.G. Mafia members were taken into police custody after a concert in Turnu-Severin due to profanity laws:

“Profanity in public performances had an unclear legal status at the time. The charges were dropped the following morning, but the incident became a turning point in the history of Romanian hip hop.”

The Sub7 Crew

The Sub7 Crew was Mobman’s inner circle - close associates who helped test, refine, and distribute Sub7.

Known Members

Source Code Possession

As of 2024, the following versions are accounted for:

The 2010 Revival (Failed)

Around 2010, former crew members FC and Read101 attempted to revive Sub7:

• Based on official v2.2 source code shared by Mobman
• Failed because FC was “more interested in monetizing the new version than enhancing its quality”
• Never gained traction

IllWill’s Unique Position

IllWill was uniquely positioned to investigate the identity controversy because:

1. He was a former Sub7 Crew member from the 1990s-2000s
2. He knew the real community and history
3. Something about Greg’s Episode 20 story “didn’t sit right”
4. He spent years doing OSINT research to find the truth

The Identity Controversy

For over a decade, two people claimed to be “Mobman,” the creator of Sub7.

The Two Claimants

How Greg’s Lie Began

After Mobman disappeared (~2004), Greg stepped into the void:

1. Acquired expired domain names (sub7crew.com, etc.) - he didn’t own them originally
2. Claimed creator status at DEFCON and other security conferences
3. Got featured in Rolling Stone (2013) as an American hacker
4. Used credentials for job interviews at Capital One and Facebook
5. Appeared on Darknet Diaries Episode 20 (2018) telling his fabricated story

Why Nobody Questioned It

1. Real Mobman had been silent for nearly a decade
2. Greg controlled the domain names
3. The hacker community values anonymity - hard to verify
4. Greg’s story was detailed and confident
5. Nobody did deep forensic investigation until Ill Will

The Rolling Stone Article (September 2013)

The peak of Greg’s false identity was a feature in Rolling Stone magazine, written by David Kushner.

Claims Made in the Article:

Why This Matters:

• Rolling Stone is a major publication with editorial standards
• This article gave Greg mainstream credibility
• It was cited as “proof” of his identity for years
• The article’s claims were never independently verified
• All claims came solely from Greg’s own statements

Note: AT&T spokesperson explicitly refused to confirm the alleged network outage. The article published Greg’s claims without independent verification.

Greg’s False Claims (Episode 20)

In 2018, Greg appeared on Darknet Diaries Episode 20 and told an elaborate false story. This section documents what he claimed for the record.

⚠️ NOTE: These are Greg’s claims. They were later proven false in Episode 150.

The Ultima Online Story

Greg claimed he created Sub7 to steal Ultima Online credentials:

“It’s a remote-access tool. It was a Trojan horse virus.”

He claimed he and friends discovered in-game vulnerabilities, stole items through exploits, and built websites showcasing their loot.

Problem: No Ultima Online references appear anywhere in Sub7’s code or documentation.

The AT&T Story

Greg claimed:

1. Received a $900 phone bill for calls he didn’t make (to Kansas and Arkansas)
2. AT&T refused to remove charges
3. He became determined: “I made this Sub7. I fucking own everything in Ultima Online… They think they’re smarter and better than me?”
4. He wardialed AT&T systems
5. Gained unauthorized access to unprotected PBX systems
6. A command he entered “crashed west coast telephone infrastructure”
7. Called AT&T, disclosed his access, gave his real name and phone number
8. Demanded the bill be fixed in exchange for explaining the breach

Status: Unverified. No evidence supports any of this.

The SWAT Arrest Story

Greg claimed:

1. FBI investigated for weeks
2. He arranged to surrender at girlfriend’s apartment
3. Encountered a SWAT team with weapons instead
4. Spent five months in jail
5. Public defender pressured him to plead guilty to third-degree felony
6. At restitution hearing, AT&T lawyers didn’t show up
7. Judge dismissed restitution requirements

Status: Unverified. Records show his birthday as October 27, and he cannot enter Canada (“They don’t want me to go to Canada” / “I know they don’t, ‘cause you have a record” - Real Mobman).

The McAfee Story

Greg claimed:

• After release, worked day labor
• Joined a poker software company as IT support
• Attended college
• Obtained multiple Microsoft certifications
• Started a cybersecurity company
• Sold it to John McAfee
• Settled in Huntsville, Alabama

Status: Unverified. No evidence of a McAfee acquisition.

Why The Story Seemed Believable

1. Detailed and specific
2. Included verifiable elements (DEFCON, conferences)
3. Matched hacker mythology
4. Darknet Diaries is a respected podcast
5. No one from the real Sub7 history came forward to dispute

The Investigation (Ill Will)

IllWill, a former Sub7 Crew member, spent years investigating the true authorship.

Why He Investigated

• Something about Episode 20 “didn’t sit right”
• As a former crew member, he knew the real history
• “A lot of people have made their start with this, and it’s not right to have somebody else take the credit”

Methods

1. OSINT Research: Years of hunting through old forums, cached pages, Wayback Machine
2. Code Analysis: Romanian phrases in source code
3. Archive Research: Original credits (“From Windsor, Ontario”)
4. Network Tracing: Tracking down email addresses

Finding Mobman

IllWill eventually found a potential email address and devised a clever verification method:

1. Created a password-protected zip file
2. Put personal details about Mobman inside (including a photo of his car)
3. Set the password to Mobman’s full legal name
4. Sent it to the email address

The Logic:

• If it’s really Mobman, he knows his own name → he can open the file
• When he opens it, he sees “I found you” (photo of car, personal details)
• This proves both that IllWill found the right person AND that the person is who they claim

Mobman’s Response

From Episode 150:

“He sent me a little zip file with a couple of details about me. He had a picture of my car. He was like, the password for the zip file is your full name. So, if it’s really you, then you should be able to open it.”

“I replied; I said, well, you’re right. You can be 100% sure now.”

Initial Hesitation

Mobman was initially reluctant:

“This was a long time ago. I don’t know if I really want to get back into any of that.”

IllWill convinced him by explaining that people’s careers were built on Sub7, and it wasn’t right for someone else to take credit.

Source Code Release

• September 30, 2023: IllWill presents “Finding Mobman” at BSides CT
• Announces release of official Sub7 2.1.2/3 source code
• Released on GitLab with Mobman’s blessing: gitlab.com/illwill/sub7
• First official source code release ever

Additional Technical Evidence (IllMob Investigation)

Ill Will’s investigation, documented at illmob.org/notmymobman/, uncovered additional technical evidence:

Timeline Inconsistencies:

ICQ Number Evidence:

Geographic Contradictions:

Source Code Evidence:

When asked to prove authorship, Greg provided:

• A password-protected file
• Password was “mobman”
• Contents: Only compiled binaries, no source code
• No proof of authorship - anyone could have renamed a downloaded file

This is critical: The real author would have source code. Greg never produced any.

Evidence IllWill Compiled

From the real Mobman:

• Multiple backup CDs with different development stages
• Original hoodie merchandise from when he sold Sub7 materials (with photographs)
• Handwritten development notes spanning ~4 years
• Complete source code (never released until IllWill’s GitLab)

The Confrontation (Episode 150)

On October 1, 2024, Darknet Diaries released Episode 150: “mobman 2” - featuring a three-way phone call between Jack Rhysider, Greg, and the real Mobman.

The Setup

Jack Rhysider (host) arranged the call after:

1. IllWill’s investigation
2. BSides CT presentation
3. Verification of real Mobman’s identity
4. Contacting both claimants

Key Exchanges

The Birthday Question

Jack asks Greg his birthday:

• Greg’s answer: October 27
• Master password contains: October 15, 1980
• Real Mobman’s birthday: October 15, 1980

Real Mobman: “I highly doubt that you’re born on October 15, 1980.”

The Windsor Question

Real Mobman: “The first five or six versions, the first thing that the About credits said was ‘From Windsor, Ontario’. Were you ever in Windsor, Ontario?”

Greg: “No. I haven’t been to Canada. They don’t…”

Real Mobman: “I know they don’t, ‘cause you have a record.”

The Delphi Question

Real Mobman challenged Greg on basic programming:

• “What does a Delphi function start and end with?”
• Greg struggled with basic terminology
• Real Mobman: “I doubt this guy even touched Delphi.”

The B.U.G. Mafia Question

Real Mobman: “How do you explain B.U.G. Mafia in the credits? Can you answer the question?”

Greg deflected: “Let me pull up the videos.”

The Source Code Question

Greg claimed to have source code but couldn’t produce it.

Real Mobman: “That [source code] has never left my hands until it was released by Ill Will on GitHub. Never.”

The Famous Quote

Real Mobman’s definitive statement:

“It’s quite obvious that the author is fucking Romanian, not some Greg guy from Florida.”

Greg’s Confession

When pressed with evidence:

• “I have a lot of that stuff, too.” (initially)
• “I’m not — I don’t have any proof. I’m gonna let it… let it go.” (when challenged)
• “I don’t claim it in person anymore to anybody.” (admission)

Greg characterized his actions as “social engineering” when confronted.

Aftermath

• Greg agreed to stop claiming to be the creator
• Episode 150 set the record straight
• Real Mobman acknowledged but remains relatively private
• Jack Rhysider acknowledged the credibility damage but noted the story’s value

Timeline of Events

1980s-1990s: Origins

1999-2003: Sub7 Era

2004-2017: The Void

2018-2024: Exposure

Primary Sources

Darknet Diaries Episodes

Technical Sources

Conference Presentations

Journalism & Media

Security Research

Cultural Sources

Verified Quotes

All quotes from Darknet Diaries Episode 150 unless otherwise noted.

Real Mobman

Mobman on the Master Password

Greg’s Admissions (Episode 150)

Verification Exchange

Areas of Creative License

The following elements in the album are creative interpretation or dramatization, not direct documentary claims:

What IS Documentary

Legal Notes

Public Figures

Both primary subjects are limited-purpose public figures:

• Real Mobman: Created globally distributed software, participated in public podcast
• Greg: Actively sought publicity at DEFCON, Rolling Stone, Darknet Diaries, job interviews

Source Authority

All primary sources are:

1. Publicly available - Anyone can verify
2. On the record - Subjects spoke willingly to journalists
3. Recorded - Audio evidence exists (Darknet Diaries)
4. Transcribed - Written transcripts available
5. Self-incriminating - Greg’s admissions are his own words

Truth as Defense

Every factual claim about Greg comes from:

1. His own public statements (Episode 20)
2. His own admissions under confrontation (Episode 150)
3. Published journalism he participated in (Rolling Stone)

Research compiled December 2024. Primary source: Darknet Diaries Episodes 20 & 150.