By Cam Sivesind
Thu | Sep 5, 2024 | 11:45 AM PDT

In a recent investigation, Veriti's cyber research team uncovered a deceptive operation targeting aspiring OnlyFans hackers. A user on a notorious hacking forum, Bilalkhanicom, offered a tool to "check" OnlyFans accounts.

However, what appeared to be an opportunity for cybercriminals was actually a trap. The supposed hacking tool was, in fact, malware known as Lummac stealer, designed to infect the devices of those attempting to use it.

OnlyFans is an online platform that allows content creators to monetize their content by offering paid subscriptions to their followers. While it hosts various types of content, it's primarily known for adult and sexually explicit material. Creators can share photos, videos, and live streams with paying subscribers, keeping a significant portion of the earnings. The platform gained widespread popularity during the COVID-19 pandemic and has sparked discussions about online sex work and content monetization.

This news highlights the ruthlessness of the cybercrime underworld, where would-be predators are quickly turned into prey. Veriti's findings serve as a reminder that engaging in illegal activity often comes with significant risks—especially when dealing with tools from questionable sources.

"I think this is as simple as there is no honor among thieves," said Richard Halm, Senior Attorney at Clark Hill PLC. "On the cybersecurity side, it reinforces the need to only download or run items from trusted sources. On the hacker side, it reinforces the need for OPSEC."

Lummac stealer is a sophisticated form of malware that collects sensitive data, including passwords, banking details, and more. While it was originally deployed by Bilalkhanicom to target OnlyFans hackers, it can also infect unsuspecting users, demonstrating the widespread danger it poses.

The Veriti research underscores the cyclical and often self-destructive nature of cybercrime. The incident is a powerful example of how the digital underworld operates and a reminder for organizations to remain vigilant in their cybersecurity defenses.

Veriti's researchers played a pivotal role in exposing the scheme. By infiltrating the hacking forum and engaging with Bilalkhanicom, they were able to identify the malicious tool and analyze its functionality. This investigation allowed Veriti to warn potential victims and disrupt the distribution of the Lummac stealer.

For a deeper technical dive, check out Veriti's blog post, which includes the following:

"In a twist that adds layers of intrigue to an already complex narrative, our researchers uncovered a potential geopolitical link hidden in the malware’s architecture. The folder names used in the malware’s file structure paint a picture of global influences:

•  'Hiyang' and 'Reyung' whisper of East Asian connections
•  'Zuka' echoes African influences
•  'Lir' invokes Celtic mythology
•  'Popisaya' hints at Indigenous Latin American roots

Our investigation didn't stop there. We traced the malware's communication back to a series of recently created .shop domains, all with high detection rates. These domains, such as caffegclasiqwp/.shop and ponintnykqwm/.shop, serve as command-and-control (C2) servers, orchestrating the malware's activities across infected machines."
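The quoted post lists the stealer's command-and-control domains in defanged form (a dot replaced by a separator so the string is not a live link). A defender who wants to act on such IoCs has to normalize them and then check them against DNS query logs. The script below is an added illustration, not Veriti's code: it refangs the two domains quoted above, builds a small blocklist, and scans a few constructed dnsmasq-style DNS log lines for any lookup of those domains or their subdomains. The log format, the client addresses and the benign domains are all made up for the example.

```python
import re
from typing import Dict, List, Set

# The two C2 domains quoted in the Veriti post, as they appear defanged on the page.
DEFANGED_C2 = ["caffegclasiqwp/.shop", "ponintnykqwm/.shop"]

# Common defanging separators: [.] (.) {.} "/." and " dot "
DEFANG_PATTERN = re.compile(r"\[\.\]|\(\.\)|\{\.\}|/\.| dot ")


def refang(domain: str) -> str:
    """Turn a defanged domain such as 'example[.]shop' or 'example/.shop'
    back into a plain lowercase hostname suitable for matching."""
    return DEFANG_PATTERN.sub(".", domain.strip()).lower().strip(".")


def load_blocklist(defanged: List[str]) -> Set[str]:
    """Refang every IoC once so log matching can use exact set lookups."""
    return {refang(d) for d in defanged}


def domain_matches(qname: str, blocklist: Set[str]) -> bool:
    """True if qname or any parent domain of it is on the blocklist,
    so 'api.evil.shop' is caught by a blocklist entry for 'evil.shop'."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


# Constructed dnsmasq-style query log; the addresses and benign names are invented.
SAMPLE_DNS_LOG = """\
Sep  5 11:40:01 gw dnsmasq[812]: query[A] www.example.com from 10.0.0.17
Sep  5 11:40:07 gw dnsmasq[812]: query[A] caffegclasiqwp.shop from 10.0.0.23
Sep  5 11:40:09 gw dnsmasq[812]: query[A] api.ponintnykqwm.shop from 10.0.0.23
Sep  5 11:41:15 gw dnsmasq[812]: query[AAAA] updates.example.org from 10.0.0.17
"""

# Assumed log line shape: "query[<type>] <name> from <client>"
LOG_PATTERN = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)")


def find_c2_lookups(log_text: str, blocklist: Set[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose queried name hits the blocklist.
    The client address is what an analyst would pivot on to find the infected host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_PATTERN.search(line)
        if m and domain_matches(m.group("qname"), blocklist):
            hits.append({"client": m.group("client"), "qname": m.group("qname").lower()})
    return hits


if __name__ == "__main__":
    for hit in find_c2_lookups(SAMPLE_DNS_LOG, load_blocklist(DEFANGED_C2)):
        print(f"host {hit['client']} resolved suspected C2 domain {hit['qname']}")
```

Matching on parent domains matters because stealers rarely beacon to the bare apex; a blocklist that only does exact comparison would miss the `api.` lookup in the sample. In a real deployment the blocklist would be fed from a threat-intel source rather than hard-coded, and the hits would go to a SIEM rather than stdout.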

The incident serves as a reminder that even those who seek to exploit others can fall victim to cybercrime themselves. It highlights the importance of exercising caution when downloading tools from untrusted sources, no matter how tempting they may seem.

"That serves them right; you live by the sword, you die by the sword!" said Shawn Tuma, Co-Chair, Data Privacy & Cybersecurity Practice, Spencer Fane LLP, of the aspiring hackers. 

To protect against similar threats, Veriti recommends:

  • Only download software from trusted sources;
  • Be wary of unsolicited offers or promises of easy profits;
  • Keep your security software up-to-date;
  • Be cautious about clicking on links or opening attachments from unknown senders.

And maybe stay off porn sites.
