Scammers Compromised by Own Malware, Expose $4.67M Operation

CloudSEK uncovered a Pakistan-based family cybercrime network that spread infostealers via pirated software, netting $4.67M and millions of victims. The operation’s secrets were revealed when the scammers themselves were compromised.
Cybersecurity intelligence firm CloudSEK has uncovered a sophisticated, family-run multi-million-dollar cybercrime operation based out of Pakistan. CloudSEK’s TRIAD team’s investigation revealed a syndicate that’s been active for at least five years.
Reportedly, the group’s primary strategy was to exploit people looking for free, pirated software. They used SEO poisoning and forum spam to post links on legitimate online communities and search engines that led to malicious websites.
Here’s an example from the official HONOR UK community forum, where a post titled “Adobe After Effects Crack Free Download Full Version 2024” was used as a lure.
And another one:
These sites tricked users into downloading popular cracked software like Adobe After Effects, but in reality, they were installing dangerous infostealer malware, including strains like Lumma, AMOS and Meta. The malware stole personal data, from passwords and browser information to cryptocurrency wallet details.
The scale of the operation is large. The report reveals that the network generated over 449 million clicks and more than 1.88 million malware installs. This immense volume brought in an estimated lifetime revenue of at least $4.67 million. CloudSEK estimates the network may have impacted over 10 million victims globally, as stolen data was sold for about $0.47 per credential.
The investigation also explains the group’s internal structure, which was based on two interconnected Pay-Per-Install (PPI) networks: InstallBank and SpaxMedia/Installstera. These systems managed a vast network of 5,239 affiliates, who were paid for each successful malware installation.
Moreover, CloudSEK found that while the operators were based in Pakistan’s Bahawalpur and Faisalabad, their victims were located worldwide. A key finding was the operators’ use of traditional financial services like Payoneer for payments, which is rare for a group of this nature. The operators also shared the same last name, suggesting the criminal enterprise was a multi-generational effort.
A critical turning point in the investigation happened by chance. Ironically, the operators were infected by their own malware, which allowed CloudSEK’s team to access their private logs.
These logs contained a trove of information, including financial records, internal communications, and admin credentials, which provided the detailed evidence needed to expose the entire network.
“The breakthrough in the investigation came ironically: the threat actors themselves were compromised by infostealer malware. The exfiltrated logs from their own machines provided unprecedented insight into their identities, command structure, infrastructure, communications, and finances, ultimately leading to their unmasking.”
“Four principal operators—M** H, M S, Z I, and N I/H/A* along with S* H*** – are identified as key figures in this multiactor network.”
CloudSEK
The report goes on to show how these groups are using everyday marketing tactics and even legitimate financial services to carry out their illegal activities in plain sight. Therefore, user awareness is crucial. Please avoid downloading cracked software, as it remains an easily exploitable avenue for cybercriminals.
HackRead