Unmasking the Mastermind: How OSINT Exposed the Creator Behind Telegram’s Largest ‘Pinay’ Leak…
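KingSodaViper Premium LEAKS is an illicit network operating on Telegram that profits from systematically leaking private photos and videos. Users gain access to multiple groups after paying a fee. The network cooperates with Team Lapagan PH to form a cartel that controls most of the leaked content on Philippine Telegram. An open-source intelligence investigation uncovered the operator's real identity and exposed the operation. 2025-12-30 17:36:46 Author: nazzyy.medium.com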

Nazzy

The digital underground is a sprawling, shadow economy, and few operations have achieved the scale and brazenness of KingSodaViper Premium LEAKS. Operating primarily on Telegram, this network was not merely a repository of illicit content but a highly organized, commercial enterprise built on the systematic exploitation of private lives. For a modest fee — ranging from 300 PHP to 400 PHP for “Lifetime access” — subscribers were granted entry into a vast archive of hacked and leaked private photos and videos. The operation was segmented, offering tiers like the “Mega Collectors” package for high-volume buyers and the “KingSoda Premium” tier, which boasted all-access entry to an astonishing 25 separate Telegram groups.

  • KingSoda Premium — all-access to over 25 Telegram groups of leaks.
  • Mega Collectors — tailored for resellers or collectors of “premium” content.

This was not a fringe player: KingSodaViper was a recognized pillar of the leak ecosystem, frequently cited and recommended by other major channels, including the notorious Team Lapagan PH. The collaboration between these entities was deep, with the owners of both the KingSodaViper and Team Lapagan operations being demonstrably connected, forming a powerful, interconnected cartel that dominated the trade in private content. This level of organization and market dominance made the network a critical target for disruption.

This case study details the methodical application of Open-Source Intelligence (OSINT) to penetrate this seemingly impenetrable digital fortress. By treating the leak channels as a commercial entity, we moved beyond the content itself to analyze the operational security, payment infrastructure, and cross-platform digital footprint of the individuals running it. This investigation transformed a complex, anonymous threat into a traceable human target, demonstrating how publicly available data can be weaponized to unmask the architects of large-scale digital exploitation and hold them accountable.

This investigation was conducted under the leadership of OSINT BASTION in collaboration with Social Links, leveraging advanced CrimeWall OSINT tools to trace identities, connections, and financial infrastructure across multiple platforms. The methodologies demonstrated here are offered to the global digital investigation community as a blueprint for combating large-scale image-based sexual exploitation.

Methodology

This investigation moved beyond traditional content moderation approaches by treating the leak channels as a legitimate commercial entity. The methodology focused on three core pillars:

  • Operational Security (OpSec) Analysis: Examining the target’s digital hygiene and cross-platform username reuse.
  • Financial Forensics: Analyzing payment gateways (GCash/Maya) to bridge the gap between digital aliases and real-world identities.
  • Digital Footprint Mapping: Tracing the target’s promotional activities across surface web social media platforms (TikTok, Facebook) to identify slip-ups in anonymity.

Initial Contact & Intelligence Gathering

Investigators initiated contact with the primary administrator, identified by the username @Sodaviperr, under the guise of a potential customer. This engagement yielded a direct menu of services and pricing structures, confirming the commercial intent of the operation.

Documented Pricing Structure:

  • PREMIUM CANDY: P250 (Includes “Free 2GC”)
  • PLATINUM EDITION: P150 (“Budgetmeal Teens”)
  • ULTIMATE COLLECTOR: P300 (Access to 25 GC All Fresh Hack)
  • UNLI GC: P500 (Unreleased sets, rare content)

Crucially, the operator provided specific payment destinations, creating the first bridge to the physical world:

  • GCash No: 09818142478
  • Maya No: 09126132255

Transaction and Access

A controlled purchase of the “Ultimate Collector” package (300 PHP) was executed via GCash. Upon processing the transaction, the GCash platform revealed the masked recipient name: “YV*N DA*E L.”.

Following payment confirmation, the administrator provided a direct invite link (https://t.me/+******) granting access to the premium network. This confirmed that the payment recipient was directly controlling access rights to the illicit material.

Content Analysis

Access to the “KING SODAVIPER PREMIUM” network revealed a vast repository of exploited material. The scale of the archive was substantial:

Group Name: KING SODAVIPER PREMIUM
Total Members: 821
Photos: 10,115
Videos: 7,120
Shared Links: 246

The content was categorized into disturbing segments including “TEENS,” “SHS V2” (Senior High School), “RARE,” and “BOSO” (Voyeurism), indicating the involvement of Child Sexual Abuse Material (CSAM) and non-consensual intimate imagery.

Network Architecture: The 25-Channel Infrastructure

The premium access unlocked a sophisticated multi-channel distribution network comprising 25 distinct Telegram groups, each specialized by content category. This segmentation strategy served both organizational efficiency and risk mitigation purposes. The documented channel structure included:

Channel Taxonomy (25 Groups):

  1. Vivamax — Pirated content from Filipino streaming platform
  2. Announcement — Updates on new leaks and operational notices
  3. TEENS — Suspected CSAM content targeting minors
  4. TEAM LAPAGAN V2 — Collaborative content sharing with partner network
  5. SHS V2 — Senior High School students (minors)
  6. RARE FIN3SHYT — High-value leaked material
  7. TEENS PREMIUM — Premium-tier TEENS content
  8. SUPER RARE — Exclusive leaked content
  9. TRACKING ID — Victim identification database
  10. BIGO — Content from Bigo Live streaming platform
  11. BOSO — Voyeuristic content (Filipino term for “peeping”)
  12. SHS — Senior High School content (minors)
  13. TBON — Pirated content from Filipino streaming platform
  14. GENERAL — Mixed content repository
  15. MOVIE MARATHON — Extended video compilations
  16. PINAY RARE ATABS (MINOR/OSAEC) — Online Sexual Abuse and Exploitation of Children
  17. RARE SETS — Curated collections
  18. TEENS_V2 — Secondary minor-focused channel
  19. KOREAN SX — Korean sexual content
  20. R.APE — Sexual assault content
  21. RAPSANET TV — Video streaming channel
  22. +4 deleted channels

Inter-Cartel Collaboration: Team Lapagan PH Connection

Critical evidence of operational collaboration emerged from analysis of the “TEAM LAPAGAN V2” channel within the KingSodaViper network. This channel contained 231 ZIP archive files representing aggregated leak collections. The presence of a dedicated Team Lapagan channel within the SodaViper infrastructure indicated not merely content sharing, but deep operational integration between the two networks.

Cross-Network Content Analysis: A comparative analysis of leaked material across multiple Telegram leak operations revealed that approximately 30% of content originated from KingSodaViper operations, with the remaining 70% distributed between Team Lapagan PH and other operators. This distribution pattern suggests KingSodaViper functioned as a primary content producer, while Team Lapagan operated as both producer and aggregator.

Operational Evidence: The Announcement Channel

The “Announcement” channel served as the operational nerve center, providing insight into the tradecraft and business practices of the operation. A critical post dated December 7, 5:07 PM exemplifies this:

Posted Content: A 25-second instructional video captioned “HOW TO SEARCH CODENAME” demonstrating the internal filing system used to categorize victims. The term “codename” refers to the alphanumeric identifier assigned to each victim’s leaked material, allowing subscribers to search for specific individuals within the archive.

This post reveals a systematized approach to victim exploitation, transforming individual privacy violations into searchable database entries.

Direct Evidence of Cartel Coordination

The most compelling evidence of inter-operator collaboration was discovered in the chat history within the KingSodaViper groups. The account @KingTeamLapagan (confirmed administrator of the Team Lapagan PH network) appeared as a pinned user in multiple channels operated by @Sodaviperr.

Direct Communication Evidence:
Date: November 10, 2025
Participants: @Sodaviperr and @KingTeamLapagan
Message Content: KingTeamLapagan responds with “Ok Brother” to operational coordination from Sodaviperr.

Network Analysis: The evidence establishes that KingSodaViper and Team Lapagan PH (operated by the individual behind @KingTeamLapagan) are not competing entities but rather collaborative partners forming a consolidated cartel that controls the largest segment of the Filipino leak ecosystem on Telegram. The relationship is characterized by:

  • Mutual content sharing and cross-promotion
  • Integrated distribution infrastructure (dedicated channels within each other’s networks)
  • Direct operational communication and coordination
  • Shared subscriber bases and market dominance

Public Channels Network Analysis

Further investigation into the operator’s network revealed an extensive ecosystem of public-facing Telegram channels used for advertisement and sample distribution. Analysis of the “ADDLIST” folder structure uncovered multiple channels associated with the SodaViper/KingChuck operation:

  • CHUCK LEAKS — Deleted, 7,898 subscribers
  • KUPALOGS V2 — Deleted (Telegram violations)
  • BAPE APE LAPAGAN — Active, 6,859 subscribers
  • OBS PR3MIUM — Deleted channel
  • FULL SETS SAMSARA — Deleted channel
  • MEGA COLLECTORS SAMPLES — 676 members
  • MCDONALD’$ — 3,837 subscribers
  • SODAVIPER SAMPLES — Active
  • KUPALOGS NEW GC — 656 members

Operational Timeline & Scale Assessment:

The figures documented above represent only a snapshot of the operation at the time of investigation and do not reflect the total historical reach of the SodaViper/KingChuck network. Continuous monitoring conducted over a 2-year period (2023–2025) indicates that this operation has been persistently active in the distribution of leaked and hacked private content.

Multiple channels and groups operated by this network have been repeatedly taken down by Telegram’s Trust & Safety team for violations of platform policies. The operator demonstrated resilience and adaptability by immediately creating replacement channels, indicating a sophisticated understanding of platform circumvention tactics. The deleted channels listed above previously contained thousands of additional subscribers whose exact numbers could not be recovered post-deletion.

Key Operational Characteristics:

  • Active engagement in hacking private cloud storage and social media accounts
  • Distribution of “unreleased sets” (newly compromised material)
  • Rapid channel migration and reconstitution following platform enforcement actions
  • Use of sample channels as marketing funnels to drive paid subscriptions

The true cumulative subscriber base across all active and deleted channels is estimated to be in the tens of thousands, making this one of the largest documented leak operations targeting Filipino victims.

Alias Compilation and Cross-Platform Investigation

Using the Crimewall OSINT platform, investigators aggregated known aliases associated with the subject to broaden the search parameters. The primary handle variations identified were:

  • sodaviperr
  • Sodaviperchucks
  • KingSodaViper
  • Sodaviper
  • KingSodaViperr
  • Random Pin4y Clips

TikTok Discovery

A search of these aliases on major social platforms yielded a positive match on TikTok. The account @sodaviperr (Display Name: “Random Pin4y Clips”) was identified as a promotional funnel for the Telegram operation.

The bio explicitly linked the two identities: “𝐏𝐌 𝐊𝐀𝐋𝐀𝐍𝐆 𝐃𝐈𝐓𝐎👇 TElgram NAME: @Sodaviperr”. The account contained over 40 videos promoting the leaks, with 18.9K likes and 2,671 followers, demonstrating active recruitment of new subscribers from the public surface web.

Attribution Through Social Network Analysis

Analysis of the TikTok account’s social graph (followers/following) revealed a personal account with the username @yvannn13. This account was both following and followed by the @sodaviperr promotional account.

Investigators scrutinized the content of @yvannn13. A photo carousel posted on the account (URL: https://www.tiktok.com/@yvannn13/photo/7381350094857178373) provided critical evidence.

Evidence Item #7: The 7th photo in the sequence depicted the subject wearing a jersey with the surname “Lastimoso” printed on the back.

Identity Confirmation

The investigation synthesized three key data points:

  1. The masked GCash name: “YV*N DA*E L.”
  2. The connected personal username: “yvannn13”
  3. The surname from the jersey: “Lastimoso”

Combining these elements suggested the name “Yvan Dale Lastimoso”. A targeted search on Facebook for “Yvan Dale Lastimoso” confirmed the existence of a profile matching the visual appearance of the subject in the TikTok videos. The full name perfectly satisfies the masking pattern provided by the payment processor:

YV*N DA*E L. → YVAN DALE LASTIMOSO

Secondary Payment Method Analysis

Initial financial reconnaissance involved the analysis of associated digital payment methods. The investigation followed a specific workflow to uncover identity details masked by redaction protocols.

  • PayMaya Analysis: An examination of the PayMaya payment method was conducted. No specific name was returned, yielding inconclusive results for direct attribution.
  • Cross-Platform Verification (GCash): To resolve the identity ambiguity, the investigation pivoted to check for an associated GCash account using the same identifier/number.
  • Result: A valid GCash account was discovered associated with the target. The account displayed the redacted name: “ME**A L.”

Social Media Family Connection

Concurrent with the financial analysis, a social media investigation was conducted on the Facebook profile identified as “Yvan Dale Lastimoso.”

The most recent activity on the subject’s timeline was analyzed to gather intelligence on connections and potential aliases.

Caption: “Two decades down, many more to go!”
Engagement: 112 Reactions, 96 Comments

Comment Analysis & Lead Discovery

A deeper review of the 96 comments on the aforementioned post was conducted to identify close relations that might match the financial data (“ME**A L.”).

A significant comment was identified from a user named “Melba Lastimoso”.

Comment Content:
“Happy birthday my dear kuya🎂, May all ur dreams come true ..love you always😘💖 God bless…”

Findings Correlation

The discovery of the user “Melba Lastimoso” provides a strong alphanumeric match to the redacted GCash identifier “ME**A L.”

  • Redacted Name: M E * * A L.
  • Identified Name: M E L B A L. (Lastimoso)
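
The mask-consistency check used under Identity Confirmation and in this correlation, as an added example (not the investigators' tooling): it tests candidate names against the two masks quoted on the page and counts how many given-name strings each mask leaves open. The candidate pool is constructed, and the mask format (one `*` per hidden letter, surname reduced to an initial) is an assumption inferred from those two masks.

```python
import unicodedata

# Masks exactly as quoted on the page; every candidate name below is constructed.
MASKS = ["YV*N DA*E L.", "ME**A L."]
CONSTRUCTED_POOL = [
    "Yvon Dave Lopez", "Yven Dane Lim", "Yvón Dave Lacson",
    "Yvon Dave Reyes", "Ivan Dave Lopez", "Yvonne Dave Lopez",
    "Merla Lopez", "Melia Lazaro", "Maria Lopez",
]


def normalize(name: str) -> str:
    """Uppercase, strip diacritics and collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.upper().split())


def matches_mask(mask: str, full_name: str) -> bool:
    """True if full_name is consistent with a masked recipient name.

    Assumed format: each given-name token keeps its length, '*' hides
    exactly one letter, and the last token is the surname initial plus '.'.
    """
    mask_tokens = normalize(mask).split()
    name_tokens = normalize(full_name).split()
    if len(mask_tokens) < 2 or len(name_tokens) < len(mask_tokens):
        return False
    *given_masks, initial = mask_tokens
    if len(initial) != 2 or not initial.endswith("."):
        return False
    given = name_tokens[:len(given_masks)]
    surname = name_tokens[len(given_masks):]  # may span several words
    if not surname[0].startswith(initial[0]):
        return False
    for masked, actual in zip(given_masks, given):
        if len(masked) != len(actual):
            return False
        if any(m != "*" and m != a for m, a in zip(masked, actual)):
            return False
    return True


def consistent_candidates(mask: str, pool: list) -> list:
    """All names in the pool that the mask does not rule out."""
    return [name for name in pool if matches_mask(mask, name)]


def hidden_combinations(mask: str) -> int:
    """Given-name letter strings the mask leaves open (26 per '*').

    The surname is unconstrained beyond its initial, so this is a lower
    bound on how many full names fit.
    """
    return 26 ** mask.count("*")


if __name__ == "__main__":
    for mask in MASKS:
        hits = consistent_candidates(mask, CONSTRUCTED_POOL)
        print(f"{mask!r}: {hidden_combinations(mask)} given-name fillings; "
              f"{len(hits)} of {len(CONSTRUCTED_POOL)} constructed names fit: {hits}")
```

Several unrelated constructed names satisfy each mask, which is why the page combines the mask with the linked username and the jersey surname before naming anyone.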

Subject Relationship Verification

Further analysis of the profile “Melba Lastimoso” was conducted to confirm the relationship to the subject, Yvan Dale Lastimoso.

Based on the context of the comment (“dear kuya” often used affectionately for an eldest son) and visual analysis of the profile content:

  • Relationship: Melba Lastimoso is identified as the mother of the subject.
  • Family Structure: Analysis of Melba Lastimoso’s cover photo indicates she has three (3) daughters and one (1) son.

Conclusion: Unmasking the Mastermind

This investigation successfully demonstrated that even the most sophisticated digital exploitation networks are vulnerable to methodical OSINT tradecraft. The KingSodaViper Premium LEAKS operation — spanning 25 specialized Telegram channels, servicing hundreds of subscribers, and distributing tens of thousands of illegally obtained intimate images and videos — was ultimately compromised by the fundamental principle that digital anonymity is fragile and operational security requires absolute discipline.

4.1. The Anatomy of Attribution

The breakthrough in this case was not the result of a single critical error, but rather the convergence of multiple investigative vectors that collectively pierced the veil of anonymity:

  • Financial Infrastructure as the Achilles’ Heel: The requirement to monetize the operation through legitimate payment gateways (GCash/PayMaya) created an irreversible bridge between the subject’s anonymous digital persona and his real-world identity. The redacted name “YV*N DA*E L.” became the Rosetta Stone that unlocked the entire network.
  • Cross-Platform Username Reuse: The operator’s decision to use consistent aliases (@sodaviperr, @yvannn13) across operational and personal accounts demonstrated a catastrophic failure in compartmentalization, allowing investigators to traverse from criminal infrastructure to personal social media.
  • Social Engineering Through Open Access: By maintaining public-facing promotional channels on platforms like TikTok, the operator inadvertently created a publicly accessible attack surface that led directly to his personal identity through social graph analysis.
  • Family Connections as Corroborating Evidence: The secondary GCash account (“ME**A L.”) linked to Melba Lastimoso — identified through Facebook birthday interactions — provided independent corroboration of the primary attribution, transforming a strong hypothesis into a near-certainty.

4.2. Network Architecture & Scale of Impact

The investigation revealed not merely an individual perpetrator, but a sophisticated criminal cartel. The documented collaboration between KingSodaViper and Team Lapagan PH — evidenced by direct operational communications, integrated content-sharing infrastructure, and mutual cross-promotion — indicates a coordinated enterprise controlling the dominant share of the Filipino leak ecosystem on Telegram.

The scale of victimization is staggering:

  • Over 17,000 images and videos archived within the premium network alone
  • 821 active premium subscribers at the time of investigation
  • Estimated tens of thousands of cumulative subscribers across all active and deleted channels
  • Content categories indicating the presence of CSAM, voyeuristic material, and non-consensually obtained intimate imagery
  • A victim identification database (“TRACKING ID” channel) suggesting systematic cataloging of exploited individuals

The operational resilience demonstrated by the network — immediately reconstituting channels following Telegram enforcement actions — underscores the need for attribution-focused investigations that target the human operators rather than merely removing content.

4.3. The Power of OSINT in Combating Digital Exploitation

This case study exemplifies the transformative potential of OSINT when applied with rigor and creativity. By treating the leak channels as a business entity rather than an anonymous criminal phantom, investigators were able to exploit the inherent tension between operational security and commercial viability. Every customer interaction, every promotional post, and every financial transaction created potential intelligence opportunities that, when aggregated and analyzed, converged to reveal the human being behind the operation.

The investigative methodology employed here — combining financial forensics, social network analysis, and cross-platform digital footprint mapping — provides a replicable framework for law enforcement, platform trust and safety teams, and victim advocacy organizations seeking to dismantle similar operations.

4.4. Final Assessment

The myth of digital anonymity — particularly within commercial criminal enterprises — is precisely that: a myth. The convergence of financial necessity, promotional ambition, and human error creates an environment where attribution is not only possible but inevitable when investigators possess the tools, training, and tenacity to pursue the evidence wherever it leads.

The unmasking of Yvan Dale Lastimoso serves as a stark reminder to operators of similar networks: your operational security is only as strong as your weakest mistake, and in the digital age, every interaction leaves a trail.

For the victims whose privacy and dignity have been systematically violated by this operation, this investigation offers not closure — that may never come — but the knowledge that their exploitation has not gone unnoticed, and that those responsible can, and will, be identified and held accountable.

Disclaimer and Next Steps

If you are an unsatisfied reader of this case study, please note that this is only a summary of the report and not the full version. We will only disclose the full, detailed report to the appropriate law enforcement agencies.

Are you waiting for Team Lapagan Unmasked? After this case study is published, the next OSINT case study will follow: Part 2 of Unmasking the Mastermind.

Call to Action for Victims

If you are a victim of leaks, whether minor or not, WE PRIORITIZE YOU.
Please immediately contact us or law enforcement agencies. If you are a victim of the Team Lapagan or Sodaviperchucks operations, we urge you to cooperate with us. We need more complainants to expedite this case for law enforcement action.

You can send a direct message or email to us: [email protected]
We will provide more details for the formal report.

Thanks for reading and don’t forget #OPSEC is hard!

SIGNED BY OSINT BASTION CEO

Article source: https://nazzyy.medium.com/unmasking-the-mastermind-how-osint-exposed-the-creator-behind-telegrams-largest-pinay-leak-cdef85022b77