It's entirely possible the people in the semi-redacted pictures were acting like idiots because they're idiots.

It's also possible the real criminals are using those accounts as patsies.

We, sitting here, can't know the real facts.

However, philosophically, we can say that the first option is a least hypothesis, while still remaining open to a more complex explanation.

Believe it or not, you don't have to come to a firm conclusion based on incomplete evidence.

To be clear, I am not calling for (rhetorically) dropping the charges against them, I'm just calling for "maybe we shouldn't halfway-dox people who _might_ be innocent and uninvolved parties". You know, an "innocent until proven guilty" sort of thing.

I'd have forwarded this to law enforcement, sure. Blog post about how to dismantle poorly coded operations, fine. But posting poorly redacted names and photos? There isn't even a guarantee that the individuals in question are the same people who created the github accounts.

As someone who was a victim of pretty serious bullying as a kid (including having other people make fake social media accounts with my name and picture to post horrific things that I wholeheartedly reject to harm my reputation and attempt to get me in legal trouble), I just want to remind everyone that these kind of situtations aren't always what they initially look like.

Cybercriminals do stuff like this to security researchers all the time - you need look no further than Brian Krebs being repeatedly swatted and routinely harassed/trolled by cybercriminals around the world, with major database breaches often being publicly attributed to him by the cybercriminals. There was even a carding website / marketplace set up with his name and likeness - all to harm the reputation of someone working to ethically stamp out their crimes.