HudsonRock, an Israeli cybercrime intelligence company, has published a report about an as-yet unnamed hacker who accidentally infected their own PC with infostealer malware and then offered the resulting stealer log for sale on a dark web forum.

Big mistake

The threat actor, who goes by the online name La_Citrix, is fairly prominent in the information-stealing world of the dark web and is well known for selling access to organisations' Citrix servers for others to abuse.

During an investigation into other hackers, researchers at HudsonRock identified information belonging to La_Citrix and started to dig into the data to try to unmask the secretive hacker.

La_Citrix data among other hacker information – HudsonRock

After examining the stealer log from the computer offered for sale by La_Citrix, analysts found a number of files suggesting that the machine was not a compromised victim device but the hacker's own.

Data retrieved from the machine showed that the hacker was a member of multiple cybercrime forums, registered under variants of the same username.

La_Citrix user account on multiple forums – HudsonRock

The analysts ran the data collected from La_Citrix's machine through HudsonRock's automated analysis system, which reported that the hacker appeared to be an employee of more than 290 companies.

On closer inspection this turned out to be an artefact of how employment is inferred: the system treats corporate logins saved in the browser as evidence of where the machine's owner works. La_Citrix's browser held cached credentials belonging to employees of those companies, presumably harvested from earlier victims, so the machine looked like it belonged to an employee of every one of them.

Cached credentials on La_Citrix computer – HudsonRock
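As an added example (not HudsonRock's code, nor a description of their system), the following Python sketches the inference just described and its failure mode: it parses a constructed stealer-style credential dump, counts corporate mail domains among the saved logins, and flags a machine whose browser holds credentials for far more companies than one person could plausibly work for. The log format, the free-mail list and the threshold are assumptions; the sample records are constructed, not real data.

```python
# Added example: triage of a stealer log's saved-browser-credential records to
# infer the machine owner's employer and to catch the failure mode in the
# article (a machine that looks like an employee of hundreds of companies).
# Not HudsonRock's code. The log format, free-mail list and threshold are
# assumptions; the SAMPLE_* records are constructed, not real data.
from collections import Counter
from urllib.parse import urlparse

# Assumed: common personal-mail providers, which say nothing about employment.
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}

# Constructed stand-in for a stealer "passwords" dump: URL|USERNAME|PASSWORD.
SAMPLE_STASH = """\
https://accounts.google.com/signin|la.citrix@gmail.com|hunter2
https://portal.example-corp.com/login|j.smith@example-corp.com|Winter2023!
https://citrix.acme-industries.example/|mlopez@acme-industries.example|Passw0rd
https://vpn.bigbank.example/|tchen@bigbank.example|Spring24
https://sso.bigbank.example/|ochen@bigbank.example|Autumn24
https://login.microsoftonline.com/|rwhite@widgets.example|Secret1
this line is malformed and must be skipped
"""

# Constructed log of an ordinary corporate laptop: one employer plus personal mail.
SAMPLE_EMPLOYEE = """\
https://accounts.google.com/signin|jane.doe@gmail.com|hunter2
https://sso.example-corp.com/|jane.doe@example-corp.com|Winter2023!
https://jira.example-corp.com/|jane.doe@example-corp.com|Winter2023!
"""


def parse_records(log_text):
    """Parse URL|USERNAME|PASSWORD lines into dicts; skip malformed lines.

    The password is deliberately dropped: triage needs the site and the
    account's mail domain, not the secret itself."""
    records = []
    for line in log_text.splitlines():
        parts = line.split("|")
        if len(parts) != 3:
            continue
        url, user, _password = (p.strip() for p in parts)
        host = urlparse(url).hostname or ""
        user_domain = user.rsplit("@", 1)[1].lower() if "@" in user else ""
        records.append({"site": host.lower(), "user": user, "user_domain": user_domain})
    return records


def corporate_domains(records):
    """Count saved logins per corporate mail domain (free-mail excluded)."""
    counts = Counter()
    for r in records:
        d = r["user_domain"]
        if d and d not in FREE_MAIL:
            counts[d] += 1
    return counts


def classify_machine(records, max_employers=3):
    """Decide whether the saved logins look like the owner's own accounts or
    like a stash of harvested third-party credentials.

    A naive "employee of" inference takes every corporate mail domain as an
    employer. Real people work for one or a few companies, so a distinct-domain
    count above max_employers (assumed threshold) is a strong sign that the
    browser holds other people's credentials, as in the La_Citrix case."""
    domains = corporate_domains(records)
    verdict = "credential_stash" if len(domains) > max_employers else "owner_credentials"
    return verdict, sorted(domains)


if __name__ == "__main__":
    for name, log in (("stash", SAMPLE_STASH), ("employee", SAMPLE_EMPLOYEE)):
        verdict, domains = classify_machine(parse_records(log))
        print(f"{name}: {verdict}, {len(domains)} corporate domain(s): {domains}")
```

The threshold is the whole point: an "employer" heuristic that trusts every corporate domain equally is exactly what reported 290 employers, and the same count, read the other way, is the signal that the log came from a credential broker's own machine rather than a victim's.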

Further investigation of the data retrieved from the device revealed all the software installed on the machine and, most importantly, personal data that identified the individual behind the La_Citrix name.

HudsonRock has now passed all of this information to the relevant law enforcement agencies for action.

PII data retrieved from La_Citrix’s computer – HudsonRock