tl;dr of today
> rastalandTV gets crypto drained
> he has stage 4 cancer
> hes targeted specifically for his cancer treatment money
> loses $32,000
> nerds band together
> ZssBecker donates $30,000 to him
> malware nerds come together
> drainer infra found
> pull all victim data from infra
> victims will be notified
> all malware flagged
> osint nerds come together
> find drainers info from their telegram ids
> find info from their steam ids
tl;dr tl;dr stage 4 cancer bro gets fucked over, 50+ nerds band together to undo the damage
fuck cancer
Hello,
I've received a bunch of notifications today about the "Block Blaster" ... pseudo-takedown that occurred in response to a group of individuals spearphishing and cryptodraining a cancer patient.
I appreciate everyone thanking me or giving me a congratulations.
I am not fully responsible for the actions which occurred. I did reverse engineer the malware and identify infrastructure, however any work done was accelerated due to a group of people.
When I announced I was going to look at the video game closer to determine if it was malware (it was malware), a person contacted me and spun up a group of like minded people interested in examining Block Blaster closer.
Here are the cool and badass people I worked with:
- zachxbt
- 1989
- andreee_eeeeee
- escrow_
- C4L38
- defidownsin
- "J"
- Random nerds who provided "tips" to us
I've never really spoken with these people before, omit ZachXBT, but each of us was angry from what we had seen.
Before I get off for the evening I want to note that I am uploading Block Blaster to the malware library.
"./Samples/Families/Block Blaster"
I have also synced all samples in Triage and VirusTotal if you want to examine them closer. I noted the SHA256 hashes in a previous post.
vx-underground
tl;dr unironically got really angry at something, spazzed out for like, 4 hours on a Sunday
If you're curious about "Block Blaster", the crypto-draining malware that masqueraded as a legitimate Steam video game, 1989 and some other nerds did a brief write-up on the malware.
tl;dr slop
You can read it here:
https://vx-underground.org/Malware%20Analysis/2025/2025-09-21%20-%20Block%20Blasters%20-%20Forensic%20Report/Paper
dawg, OSINT nerds found the guy who drained the cancer bro. he's an immigrant on a VISA from argentina currently living in miami, florida, USA
the OSINT nerds reported him to ICE π
omfg ππ
they're gonna send his ass to CECOT lmfao omg
Woke up to people questioning the validity of our findings and suggesting Block Blasters isn't malware. They are asserting we've incorrectly blamed an indie game dev as malicious. I've got the game archived. Do you wanna run it and test it out?
Well, the C2 infrastructure is purged, so nothing would happen. But I giggle at the idea of someone trying to disprove us by getting cryptodrained and their login credentials stolen
Here is an image of a Threat Actor trying to lure prominent cryptocurrency holders into downloading a cryptodrainer masquerading as a Steam video game. In this image they tried to spearphish NoKapRich but failed.
As others pointed out, this Xitter account was compromised from Threat Actors. This is not the Threat Actors personal account.
I'm sharing the tactic they used to lure people.
Last post about Block Blasters for now.
The cryptodrainer, which masqueraded as a legitimate video game on Steam, was identified by GDATA over a week ago. It was reported to Steam. However, no action was taken.
Here is a great report:
https://www.gdatasoftware.com/blog/2025/09/38265-steam-blockblasters-game-downloads-malware
GDATA: Infected Steam game downloads malware disguised as patch. A 2D platformer game called BlockBlasters has recently started showing signs of malicious activity after a patch release on August 30.
People are asking how the OSINT nerds found the guy that drained the cancer bro.
Well, it's very shrimple
The shitty malware sent all the stolen data to a Telegram the scammers made.
We connected to the Telegram channel using the same credentials that were inside of the shitty malware
Inside the channel was the scammer(s)
We got their Telegram IDs
OSINT nerds used their Telegram IDs to see if they were in any other public facing chatrooms.
One of the scammers in there was in several fraud chatrooms. He advertised looking for a video game programmer to make a basic 2D game. He also advertised needing help with some malware stuff.
In a different chatroom he talked about how much he likes skateboarding.
In a different channel he shared his Instagram and was sharing photos of himself next to expensive cars
Then, OSINT nerds looked at his Instagram which had a LinkTree. His LinkTree linked to literally everything about the guy including his YouTube, PayPal, Kick, Twitter, etc.
So either he is a master of disguise, and ran a year long detrace campaign to throw off OSINT nerds in the event he's caught scamming
Or alternatively, he wasn't aware public Telegram chatrooms are public and could be searched easily.
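The pivot described above starts from the exfil credentials hard-coded in the sample. As an added example (not code from the post or from vx-underground), here is a small Python extractor that pulls the Telegram bot id, chat id and Bot API method out of a strings dump so the sample can be flagged, a network detection written on the bot path, and the bot reported without re-sharing the live token. The sample strings, token and chat id are constructed.

```python
import json
import re
from typing import Dict, List

# Constructed sample: the kind of strings an analyst pulls from a stealer
# binary or its memory with `strings`. The bot token and chat id are fake.
SAMPLE_STRINGS = r"""
https://api.telegram.org/bot1234567890:AAFconstructedFakeTokenForExample01/sendDocument
chat_id=-1009876543210
C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data
wallet.dat
"""

# Bot tokens are "<numeric bot id>:<35-char secret>", usually right after "/bot".
TOKEN_RE = re.compile(r"(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Destination chat/channel id as it appears in Bot API query strings or JSON.
CHAT_ID_RE = re.compile(r"chat_id[\"']?\s*[=:]\s*[\"']?(-?\d{6,})")
# Bot API method used; sendDocument means whole files (wallets, browser DBs) leave.
METHOD_RE = re.compile(r"api\.telegram\.org/bot[^/\s]+/(send\w+|getUpdates)")


def redact_token(token: str) -> str:
    """Keep the bot id (needed for reporting) and hide the secret half."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:4]}...{secret[-2:]}"


def extract_telegram_iocs(blob: str) -> Dict[str, List[str]]:
    """Return Telegram exfil indicators found in a strings dump.

    Tokens are redacted in the output; the bot id alone is enough to write a
    proxy/IDS match on the "/bot<id>:" URL path and to file an abuse report.
    """
    tokens = [f"{m.group(1)}:{m.group(2)}" for m in TOKEN_RE.finditer(blob)]
    bot_ids = sorted({t.split(":")[0] for t in tokens})
    return {
        "bot_ids": bot_ids,
        "tokens_redacted": sorted({redact_token(t) for t in tokens}),
        "chat_ids": sorted(set(CHAT_ID_RE.findall(blob))),
        "api_methods": sorted(set(METHOD_RE.findall(blob))),
        "detect_path_prefix": [f"/bot{b}:" for b in bot_ids],
    }


if __name__ == "__main__":
    print(json.dumps(extract_telegram_iocs(SAMPLE_STRINGS), indent=2))
```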
I honestly expected to just reverse engineer this shitty ass fuckin Block Blaster drainer bullshit and go on about my day
The past 2 days have been fucking insane with victims coming forward, people being extorted and threatened, all sorts of shit
What the fuck is crypto bro
I was in some weird ass chat with drainers arguing and going schizo on each other. Seeing people dox and threaten violence on others
I have no fucking idea wtf is going on dawg I just like malware and cats wtf am I doing here bro
I received a message today from an ex-affiliate of Lockbit ransomware group who is currently on FBI's Most Wanted.
He told me he thought it was disgusting someone would cryptodrain a cancer patient.
dawg this guy ransomed elementary schools. even he thought it was too lowπ
this guy extorted elementary schools, governments, businesses (large, medium, small), even shit like police stations
bro said, "wtf why he rob a cancer patient?" ππ
I forgot there is a huge chunk of people who aren't in information security and missed the entire VXUG TMZ era where we met people from FBI Most Wanted, the Taliban, got electronics from North Korea, and got sent cat pictures from the FBI
2022 - 2023 VXUG was crazy
Image 1. Sending FBI Lockbit rewards a cat picture on Telegram. It is designated for anonymous tips.
Image 2. Tablet from North Korea received
Image 3. Autograph from Mikhail Matveev