vx-underground
Woke up people questioning the validity of our findings and suggesting Block Blasters isn't malware. They are asserting we've incorrectly blamed an indie game dev as malicious. I've got the game archived. Do you wanna run it and test it out?
Well, the C2 infrastructure is purged, so nothing would happen. But I giggle at the idea of someone trying to disprove us by getting cryptodrained and their login credentials stolen
π€£84β€9π₯°5π4π1π’1
vx-underground
Here is an image of a Threat Actor trying to lure prominent cryptocurrency holders into downloading a cryptodrainer masquerading as a Steam video game. In this image they tried to spearphish NoKapRich but failed.
As others pointed out, this Xitter account was compromised from Threat Actors. This is not the Threat Actors personal account.
I'm sharing the tactic they used to lure people.
I'm sharing the tactic they used to lure people.
π40π±8β€7π4π’1
Last post about Block Blasters for now.
The cryptodrainer, which masqueraded as a legitimate video game on Steam, was identified by GDATA over a week ago. It was reported to Steam. However, no action was taken.
Here is a great report:
https://www.gdatasoftware.com/blog/2025/09/38265-steam-blockblasters-game-downloads-malware
The cryptodrainer, which masqueraded as a legitimate video game on Steam, was identified by GDATA over a week ago. It was reported to Steam. However, no action was taken.
Here is a great report:
https://www.gdatasoftware.com/blog/2025/09/38265-steam-blockblasters-game-downloads-malware
Gdatasoftware
Infected Steam game downloads malware disguised as patch
A 2D platformer game called BlockBlasters has recently started showing signs of malicious activity after a patch release on August 30. While the user is playing the game, various bits of information are lifted from the PC the game is running on - includingβ¦
π’60π€―14β€13π―4π±2π1π€£1π«‘1
This media is not supported in your browser
VIEW IN TELEGRAM
π₯°52π’16π±9β€6β€βπ₯1π₯1
People are asking how the OSINT nerds found the guy that drained the cancer bro.
Well, it's very shrimple
The shitty malware sent all the stolen data to a Telegram the scammers made.
We connected to the Telegram channel using the same credentials that were inside of the shitty malware
Inside the channel was the scammer(s)
We got their Telegram IDs
OSINT nerds used their Telegram IDs to see if they were in any other public facing chatrooms.
One of the scammers in there was in several fraud chatrooms. He advertised looking for a video game programmer to make a basic 2D game. He also advertised needing help with some malware stuff.
In a different chatroom he talked about how much he likes skateboarding.
In a different channel he shared his Instagram and was sharing photos of himself next to expensive cars
Then, OSINT nerds looked at his Instagram which had a LinkTree. His LinkTree linked to literally everything about the guy including his YouTube, PayPal, Kick, Twitter, etc.
So either he is a master of disguise, and ran a year long detrace campaign to throw off OSINT nerds in the event he's caught scamming
Or alternatively, he wasn't aware public Telegram chatrooms are public and could be searched easily.
Well, it's very shrimple
The shitty malware sent all the stolen data to a Telegram the scammers made.
We connected to the Telegram channel using the same credentials that were inside of the shitty malware
Inside the channel was the scammer(s)
We got their Telegram IDs
OSINT nerds used their Telegram IDs to see if they were in any other public facing chatrooms.
One of the scammers in there was in several fraud chatrooms. He advertised looking for a video game programmer to make a basic 2D game. He also advertised needing help with some malware stuff.
In a different chatroom he talked about how much he likes skateboarding.
In a different channel he shared his Instagram and was sharing photos of himself next to expensive cars
Then, OSINT nerds looked at his Instagram which had a LinkTree. His LinkTree linked to literally everything about the guy including his YouTube, PayPal, Kick, Twitter, etc.
So either he is a master of disguise, and ran a year long detrace campaign to throw off OSINT nerds in the event he's caught scamming
Or alternatively, he wasn't aware public Telegram chatrooms are public and could be searched easily.
π€£169π43β€30π2π’1
I honestly expected to just reverse engineer this shitty ass fuckin Block Blaster drainer bullshit and go on about my day
The past 2 days has been fucking insane with victims coming forward, people being extorted and threatened, all sorts of shit
What the fuck is crypto bro
The past 2 days has been fucking insane with victims coming forward, people being extorted and threatened, all sorts of shit
What the fuck is crypto bro
π₯62π―18π’17β€5π€£4π1π1
vx-underground
I honestly expected to just reverse engineer this shitty ass fuckin Block Blaster drainer bullshit and go on about my day The past 2 days has been fucking insane with victims coming forward, people being extorted and threatened, all sorts of shit What theβ¦
I was in some weird ass chat with drainers arguing and going schizo on each other. Seeing people dox and threaten violence on others
I have no fucking idea wtf is going on dawg I just like malware and cats wtf am I doing here bro
I have no fucking idea wtf is going on dawg I just like malware and cats wtf am I doing here bro
π₯°65β€12π11π€£6π₯4π1π€―1π’1π―1π1
I received a message today from an ex-affiliate of Lockbit ransomware group who is currently on FBI's Most Wanted.
He told me he thought it was disgusting someone would cryptodrain a cancer patient.
dawg this guy ransomed elementary schools. even he thought it was too lowπ
He told me he thought it was disgusting someone would cryptodrain a cancer patient.
dawg this guy ransomed elementary schools. even he thought it was too lowπ
π€£185β€30π16π±4π3π€3π’3π₯°2π«‘1
vx-underground
I received a message today from an ex-affiliate of Lockbit ransomware group who is currently on FBI's Most Wanted. He told me he thought it was disgusting someone would cryptodrain a cancer patient. dawg this guy ransomed elementary schools. even he thoughtβ¦
this guy extorted elementary schools, governments, businesses (large, medium, small), even shit like police stations
bro said, "wtf why he rob a cancer patient?" ππ
bro said, "wtf why he rob a cancer patient?" ππ
β€79π32π€£17π’9π6π₯2π€2π₯°1π€1
I forgot there is a huge chunk of people who aren't in information security and missed the entire VXUG TMZ era where we met people from FBI Most Wanted, the Taliban, got electronics from North Korea, and got sent cat pictures from the FBI
2022 - 2023 VXUG was crazy
2022 - 2023 VXUG was crazy
β€76π₯34π8π€6π₯°4π―3π€£2π1π±1π’1
vx-underground
I forgot there is a huge chunk of people who aren't in information security and missed the entire VXUG TMZ era where we met people from FBI Most Wanted, the Taliban, got electronics from North Korea, and got sent cat pictures from the FBI 2022 - 2023 VXUGβ¦
Image 1. Sending FBI Lockbit rewards a cat picture on Telegram. It is designated for anonymous tips.
Image 2. Tablet from North Korea received
Image 3. Autograph from Mikhail Matveev
Image 2. Tablet from North Korea received
Image 3. Autograph from Mikhail Matveev
β€95π€£41π₯°16π₯9π6π1π’1
Bad news for docker torrent nerds today.
Hotio docker container thingy for Linux torrent stuff was poisoned and contains an XMR miner (XMRig). One of the developers memed intentionally poisoning it last year (???)
Chat, what is going on?
https://apogliaghi.com/2025/09/crypto-miner-in-hotio/qbittorrent/
Hotio docker container thingy for Linux torrent stuff was poisoned and contains an XMR miner (XMRig). One of the developers memed intentionally poisoning it last year (???)
Chat, what is going on?
https://apogliaghi.com/2025/09/crypto-miner-in-hotio/qbittorrent/
Apogliaghi
Crypto Miner in hotio/qbittorrent
Short investigation into a stealth crypto miner running in a qbittorrent container
π±46π15β€6π€£3π1
vx-underground
I received a message today from an ex-affiliate of Lockbit ransomware group who is currently on FBI's Most Wanted. He told me he thought it was disgusting someone would cryptodrain a cancer patient. dawg this guy ransomed elementary schools. even he thoughtβ¦
There appears to be some confusion about this post and how groups such as Lockbit operate.
Lockbit offers a "service" of ransomware. He gives you a pretty panel, some tools for making ransomware (his), a chatroom to harass victims and bully them, etc.
In exchange for him providing this service he takes a cut of any money you receive from ransoming companies.
Lockbit ransomware group did ransom hospitals. However, it was not "Lockbit" the "service" provider. Rather, it was someone who used his service.
The people who use this service are called "affiliates".
At Lockbits peak they had over 100 affiliates. Some affiliates did ransom hospitals. This particular affiliate who messaged me, who is FBI Most Wanted, believed it was unethical to ransom healthcare because it could potentially endanger someone's life. Although, he was still a criminal and harassed, bullied, and extorted companies of all sizes including public schools. One time he ransomed a car wash. He didn't care.
Anyway
Lockbit themselves (the "service" provider) allowed affiliates to ransom hospitals because ... they didn't really care. Lockbit (the service provider) approved of schools, churches, non profits, hospitals, doctors, government agencies, etc. to all be victims of ransomware. He didn't really have exclude anything. Nothing was off limits.
Lockbit (the service provider) made an estimated $1,000,000,000 from their crimes as providing this service and facilitating ransomware all across the planet.
One administrator resides in Russia. The other (ex administrator) was located in Israel. However, he was arrested and deported to the United States some time ago when the FBI found him.
Lockbit offers a "service" of ransomware. He gives you a pretty panel, some tools for making ransomware (his), a chatroom to harass victims and bully them, etc.
In exchange for him providing this service he takes a cut of any money you receive from ransoming companies.
Lockbit ransomware group did ransom hospitals. However, it was not "Lockbit" the "service" provider. Rather, it was someone who used his service.
The people who use this service are called "affiliates".
At Lockbits peak they had over 100 affiliates. Some affiliates did ransom hospitals. This particular affiliate who messaged me, who is FBI Most Wanted, believed it was unethical to ransom healthcare because it could potentially endanger someone's life. Although, he was still a criminal and harassed, bullied, and extorted companies of all sizes including public schools. One time he ransomed a car wash. He didn't care.
Anyway
Lockbit themselves (the "service" provider) allowed affiliates to ransom hospitals because ... they didn't really care. Lockbit (the service provider) approved of schools, churches, non profits, hospitals, doctors, government agencies, etc. to all be victims of ransomware. He didn't really have exclude anything. Nothing was off limits.
Lockbit (the service provider) made an estimated $1,000,000,000 from their crimes as providing this service and facilitating ransomware all across the planet.
One administrator resides in Russia. The other (ex administrator) was located in Israel. However, he was arrested and deported to the United States some time ago when the FBI found him.
π€£66β€22π₯°11π2π2π€1π’1π«‘1
Yesterday someone was being very silly and defaced Nintendo's topics page. Nintendo has restored the deface.
No data was stolen.
Archive: https://archive.ph/n5Lgp
No data was stolen.
Archive: https://archive.ph/n5Lgp
archive.ph
x_o
archived 24 Sep 2025 02:06:21 UTC
π46π₯°11β€7π₯3π1π’1