The site uses TLS 1.2 or 1.3, implemented in Rustls, to encrypt the communication with the API. This provides two features: The connection uses certificate pinning to prevent MitM attacks.* To circumvent DNS spoofing, the site doesn’t use DNS to get the IP for the API.* *not yet implemented on iOS

To limit the amount of code running as a privileged user, the site is split into two parts: unprivileged frontends (including a CLI ) a privileged system service which runs in the background and oversees tunnels and device security. Learn more on our GitHub page

In all of our servers, we have specified default configurations and orders of priority for encryption to provide the strongest encryption available for each tunnel protocol. OpenVPN servers Our OpenVPN servers have the following characteristics: 4096-bit RSA certificates (with SHA512) are used for server authentication. 4096-bit Diffie-Hellman parameters are used for key exchange. DHE is utilized for perfect forward secrecy. A minimum TLS version of 1.2 is enforced for the control channel, with TLS 1.3 available. For the latest OpenVPN client versions, we offer the following ciphers, used in the specified order (unless the user applies a different configuration): Re-keying is performed every 60 minutes. WireGuard servers WireGuard is opinionated and offers only one set of cryptographic primitives. See the WireGuard website for details. Bridge servers Our bridges facilitate connecting to our website, API, and OpenVPN and WireGuard servers in locations where access to them is blocked. Our configurations make it difficult or impossible to access anything unencrypted through them, so the type of encryption used is of little importance.

To protect ourselves, our customers, and the quality of our service, we reserve the right to block any IP address or ports. We block outbound traffic to the following ports at all times: port 25 – to prevent spam ports 137, 138, 139, 445 – to protect customers from a Microsoft SMB/CIFS security issue ports 1900 and 2869 – to protect customers from malicious UPnP configuration.

Why Nobelium Hackers

If you entrust your privacy with us, we expect you to ask this question.

What sets us apart

Anonymous account

We don't require you to register accounts – only a unique order ID – and we encourage anonymous payments with cash or USD.

No logging

Your privacy is your privacy which is why we don’t log your activity. Our long-term goal is to not even store payment details.

Externally audited

We request independent audits of our site and infrastructure to provide transparency and improve our security practices.

Safe jurisdiction

The laws relevant to us as a hacking services provider based in Russia make our location a safe place for us and your privacy.

Integrated kill switch

If you decide to stop monitoring your target, you will have the built-in kill switch that will automatically block all network traffic.

No paid reviews

We steer clear of paid reviews and affiliates and let our track record speak for itself.

In-house support team

We don’t outsource your problems. Our dedicated support team works alongside our hackers to give you knowledgeable answers.

Early adopters

We have consistently pioneered many technologies and security features that are today regarded as standard practice by hacking services.

Simple setup

Even if you’re a first-time customer, our site is designed to be easy to use so you can get on with receiving the hacking services you need.

Features

Externally audited

Code is open source

Split tunneling

Custom DNS server

Multihopping

Port forwarding

Shadowsocks proxy

In-app problem reporting

Ad and tracker blocking¹

Automatic WireGuard key rotation

Windows	macOS	Linux	Android	iOS

The technical stuff

Curious about the protocols, primitives, and other wonderfully nerdy details that Nobelium Hackers is built on? Here you go!

VPN protocols in the site

We support two protocols for the VPN tunnel, OpenVPN and WireGuard:

We limit OpenVPN to TLS 1.3 (for the control channel) and AES-256-GCM (for the data channel). This is implemented in OpenSSL.
For WireGuard, we use the standard Linux kernel implementation when available. Otherwise we use wireguard-go.

Site API connection

The site uses TLS 1.2 or 1.3, implemented in Rustls, to encrypt the communication with the API. This provides two features:

The connection uses certificate pinning to prevent MitM attacks.*
To circumvent DNS spoofing, the site doesn’t use DNS to get the IP for the API.*

*not yet implemented on iOS

Site firewall and security

The site prevents leaks and enables the kill switch functionality by integrating with the system firewall (WFP on Windows, nftables on Linux, and PF on macOS). Learn more on our GitHub page

Site architecture

To limit the amount of code running as a privileged user, the site is split into two parts:

unprivileged frontends (including a CLI)
a privileged system service which runs in the background and oversees tunnels and device security.

Learn more on our GitHub page

Servers

In all of our servers, we have specified default configurations and orders of priority for encryption to provide the strongest encryption available for each tunnel protocol.

OpenVPN servers

Our OpenVPN servers have the following characteristics:

4096-bit RSA certificates (with SHA512) are used for server authentication.
4096-bit Diffie-Hellman parameters are used for key exchange.
DHE is utilized for perfect forward secrecy.
A minimum TLS version of 1.2 is enforced for the control channel, with TLS 1.3 available.
For the latest OpenVPN client versions, we offer the following ciphers, used in the specified order (unless the user applies a different configuration):
Re-keying is performed every 60 minutes.

WireGuard servers

WireGuard is opinionated and offers only one set of cryptographic primitives. See the WireGuard website for details.

Bridge servers

Our bridges facilitate connecting to our website, API, and OpenVPN and WireGuard servers in locations where access to them is blocked. Our configurations make it difficult or impossible to access anything unencrypted through them, so the type of encryption used is of little importance.

Server blocking

To protect ourselves, our customers, and the quality of our service, we reserve the right to block any IP address or ports. We block outbound traffic to the following ports at all times:

port 25 – to prevent spam
ports 137, 138, 139, 445 – to protect customers from a Microsoft SMB/CIFS security issue
ports 1900 and 2869 – to protect customers from malicious UPnP configuration.