Behind the Firewall: Inside Handala's Origin Server, Hidden Domains, and the Architecture They Built to Outlast Every Ban | Intercept Cell
Handala's DDoS-Guard protection has a hole in it. The www. subdomain was never routed through the CDN. Hitting the origin server directly — 185.208.156.82, Global-Data System IT Corporation, Zürich — returns a live WordPress installation with its REST API wide open. From there: a complete operational timeline dating to December 18, 2023, a predecessor domain (handala.cx) that predates the known infrastructure by seven months, a dedicated bounty platform (handala-redwanted.to) running Microsoft IIS on Windows Server in Amsterdam, a Telegram persona named Akhira, and a four-month operational blackout in 2025 that ended exactly when their n8n automation server came online. We went through the firewall. Here is what was behind it.
DDoS-Guard protects handala-hack.to — its edge node at 185.178.208.137 (Rostov-na-Donu, Russia) terminates external connections and geoblocks by IP, blocking our server, blocking Tor exit nodes, blocking everything it classifies as non-civilian traffic.

The protection has one gap. www.handala-hack.to resolves to **185.208.156.82** — a separate IP that bypasses DDoS-Guard entirely. This is a standard DNS misconfiguration: the operator pointed the apex domain through DDoS-Guard but forgot the www. record. The origin server sits fully exposed.

The TLS certificate on 185.208.156.82 covers `*.handala-hack.to` and `handala-hack.to` — issued by Let's Encrypt (R12), valid through March 17, 2026. Sending HTTP requests to the IP with `Host: handala-hack.to` returns the full site without challenge.

**185.208.156.82** — Zürich, Switzerland — **AS42624, Global-Data System IT Corporation**. LiteSpeed web server. WordPress 6.9.1. One identified plugin: top-bar. The WordPress REST API (`/wp-json/`) is fully accessible without authentication. The `xmlrpc.php` endpoint is blocked (403). User enumeration via `/wp-json/wp/v2/users` returns one registered account:
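The misconfiguration described above is the kind of thing a site owner can catch with a routine audit: resolve every hostname in the zone and flag any address that falls outside the anti-DDoS provider's address space. The following is an added example written for this article, not code from Intercept Cell or from any project the page describes. It assumes a CDN allowlist supplied by the auditor (here a constructed placeholder built from the single edge IP named on the page; a real audit would use the provider's published ranges) and uses the two DNS answers reported above as constructed sample input.

```python
"""Origin-exposure audit: every hostname of a zone should resolve into the
CDN / anti-DDoS provider's address space. Any hostname resolving elsewhere
points straight at the origin and bypasses the protection."""
import ipaddress
import socket
from typing import Dict, Iterable, List, Tuple


def parse_ranges(cidrs: Iterable[str]):
    """Turn CIDR strings into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_fronted(ip: str, cdn_ranges) -> bool:
    """True when the address sits inside one of the allowlisted CDN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cdn_ranges)


def find_origin_exposure(records: Dict[str, List[str]], cdn_ranges) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs whose address is outside the CDN ranges.

    `records` maps hostname -> list of resolved addresses; output is sorted by
    hostname so the report is stable across runs.
    """
    exposed: List[Tuple[str, str]] = []
    for host, ips in sorted(records.items()):
        for ip in ips:
            if not is_fronted(ip, cdn_ranges):
                exposed.append((host, ip))
    return exposed


def resolve_live(hostnames: Iterable[str]) -> Dict[str, List[str]]:
    """Resolve hostnames with the system resolver (not used by the offline sample)."""
    out: Dict[str, List[str]] = {}
    for host in hostnames:
        try:
            infos = socket.getaddrinfo(host, None)
            out[host] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            out[host] = []  # NXDOMAIN or resolver failure: nothing to check
    return out


# Constructed sample input. The allowlist is an assumption for illustration:
# only the edge node IP named in the article, as a /32. The two records are the
# apex and www answers the article reports.
SAMPLE_CDN_RANGES = parse_ranges(["185.178.208.137/32"])
SAMPLE_RECORDS = {
    "handala-hack.to": ["185.178.208.137"],
    "www.handala-hack.to": ["185.208.156.82"],
}

if __name__ == "__main__":
    for host, ip in find_origin_exposure(SAMPLE_RECORDS, SAMPLE_CDN_RANGES):
        print(f"{host} -> {ip} resolves outside the CDN allowlist")
```

Run against the sample, the audit reports only the www record, which is exactly the gap the article found. Swapping `SAMPLE_RECORDS` for the output of `resolve_live(...)` over a full list of a zone's hostnames (apex, www, mail, staging and so on) turns it into a recurring check that catches a forgotten record before anyone else does.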