The Hunter Becomes the Hunted: Cybercriminals Fall for Fake OnlyFans Trap

When Cybercriminals Get Tricked: A Classic Backstab

In a classic turn of irony, cybercriminals are now being targeted by a deceptive tool disguised as an OnlyFans checker. This tool, meant to assist hackers in stealing OnlyFans accounts, secretly infects them with Lumma Stealer, a notorious malware-as-a-service. It’s a vivid reminder of the “predator versus prey” dynamic within the hacker world.

The Lumma Stealer malware, active since 2022, has primarily been distributed through GitHub repositories, YouTube comments, and malvertising. In this case, the hacker community found themselves caught in their own net. What was advertised as a legitimate tool for verifying stolen OnlyFans credentials turned out to be a clever bait—designed to harvest sensitive data from hackers themselves. Talk about a double-cross!

How It Works: The Trap is Set

Hackers looking to verify large batches of stolen credentials would typically rely on “checker” tools, which automate the process of testing usernames and passwords against platforms like OnlyFans, Disney+, or Instagram. However, upon downloading and running what seemed like a helpful OnlyFans checker, they unknowingly executed Lumma Stealer on their own systems.

The Lumma Stealer malware is advanced, capable of stealing two-factor authentication (2FA) codes, browser-stored passwords, cryptocurrency wallets, and even credit card information. It can also restore expired Google session tokens, giving attackers prolonged access to their victims’ accounts. Ironically, hackers have now become the victims of their own ambition.

Wider Implications: A Growing Trend of Hacker-on-Hacker Crime

This isn’t the first time hackers have been tricked by their own tools. Veriti researchers discovered that the malicious GitHub repository hosting the OnlyFans checker also included fake tools for hacking Disney+ and Instagram accounts, as well as building a Mirai botnet.

This hacker-on-hacker crime trend is becoming more prevalent. In March 2022, cybercriminals were lured by malicious RAT (Remote Access Trojan) tools, and by the end of the year, backdoored malware was being used to steal cryptocurrency wallets and credentials from other hackers.

This latest trap reflects a deceptive ecosystem where cybercriminals turn against each other. It’s an ironic twist that’s both humorous and dangerous—hackers, it seems, must be just as wary of each other as their original targets.

The Broader Cybersecurity Lesson: Trust No One

The rising trend of cybercriminals targeting other hackers underscores a critical cybersecurity principle: trust no one. Even within the hacker underground, there are no allies. The promise of easy riches or free tools often hides an insidious backdoor designed to exploit unsuspecting cybercriminals.

For security professionals, this serves as an important reminder to always approach third-party tools and repositories with extreme caution. Whether you’re a hacker or a legitimate user, downloading and running unknown executables from unverified sources can spell disaster.

Examples of Deception: How Hackers Are Tricked

  • Fake Checkers: The fake OnlyFans checker claimed to verify credentials but instead planted malware. This tactic isn’t new—hackers have long used fake RATs or botnet builders to dupe other criminals into infecting their own machines.
  • GitHub Traps: The GitHub repository used in this operation contained other fake tools, such as a Disney+ checker and a supposed Mirai botnet builder. By appealing to hackers’ greed, the malware creators effectively widened their net to ensnare more victims.

What Makes Lumma Stealer So Effective?

Lumma Stealer stands out for several reasons:

  • Multi-purpose Malware: It’s not just a stealer; Lumma also acts as a loader, enabling it to introduce additional malware or run PowerShell scripts.
  • Evasion Tactics: The malware uses sophisticated evasion techniques, making it harder for traditional antivirus software to detect.
  • Versatile Targets: From cryptocurrency wallets to 2FA tokens and browser-stored credentials, Lumma can target a wide range of sensitive data.

The Takeaway: Who Can Hack the Hackers?

This scenario serves as a reminder that cybercrime is a risky game, even for those who believe they’re the predators. Hackers constantly look for tools to exploit others, but sometimes, those tools end up backfiring—leaving the hackers themselves as the victims.

For businesses and individuals alike, the best defense is awareness and a healthy skepticism of too-good-to-be-true offers, whether it’s a free checker tool or any other software promising easy rewards. As cybercriminals continue to evolve, so too must the vigilance of those defending against them.

Looking Forward: Strengthening Defenses

As cybercriminals evolve, so must the defense mechanisms of both individuals and organizations. Cybersecurity professionals should keep abreast of the latest threat intelligence reports, remain cautious of third-party tools, and enforce robust security measures such as multi-factor authentication (MFA) and privileged access management (PAM).

While the cybercriminal underworld may prey on itself, it’s crucial for defenders to be prepared for these evolving tactics—because as hackers innovate, so should the defenders.
