Attacker ID’ed After Infecting Own Computer With Malware

A threat actor that goes by the name of “La_Citrix” had a reputation for hacking into companies’ computer systems and stealing information before selling access to those compromised systems on the dark web.

That stellar reputation took a hit recently when the black hat hacker inadvertently infected his own computer, enabling threat intelligence researchers at Israeli cybersecurity company Hudson Rock to capture the data on it and eventually figure out his identity, down to his name, address and phone number.


That information is on its way to law enforcement agencies, the researchers wrote in a recent report.

Hudson Rock routinely collects compromised credentials from black hat hackers and dark web sources and runs them through a product called Cavalier. Cavalier monitors that threat intelligence and notifies cybersecurity teams when credentials belonging to their employees, partners or users turn up in the stolen data.

The researchers already knew of La_Citrix, who since 2020 has broken into companies' remote desktop protocol (RDP), VPN and Citrix servers and auctioned access to them on Russian-language criminal forums.

“As it turns out, while infecting computers, La_Citrix accidentally infected his own computer and likely ended up selling it without noticing,” they wrote, adding that “it is not uncommon for hackers to accidentally get infected by infostealers, just as employees of highly technological companies often do.”

Hudson Rock pointed to the FBI’s seizure last year of RaidForums, a dark web marketplace for buying and selling stolen data run by a 21-year-old Portuguese citizen living in London who went by the moniker “Kevin Maradona” but whose real name is Diogo Santos Coelho.

More than 7,000 compromised users found on RaidForums also were in Hudson Rock’s database, and many of them were black hat hackers who themselves had been caught up in other threat actors’ activities.

The researchers came across La_Citrix while reviewing other cybercrime-forum users whose own machines had been infected by infostealers, and initially assumed his computer had been compromised the same way. What stood out in the data from that machine was that Hudson Rock's API classified its owner as an employee of almost 300 companies.

“After seeing the credentials he had stored on the computer, [we] realized why,” the researchers wrote. “Surprisingly, it was discovered that this threat actor orchestrated all of the hacking incidents using his personal computer, and browsers installed on that computer stored corporate credentials used for the various hacks.”

The evidence of his crimes was right there on the computer. The researchers determined that La_Citrix got into companies using corporate credentials lifted from machines that had already been compromised by infostealers, most of which were already in Hudson Rock's database.
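The inference Hudson Rock describes, that a single browser profile holding corporate credentials for hundreds of unrelated organizations points to an operator's workstation rather than an employee's, can be written down as a simple triage rule. The script below is an added example, not Hudson Rock's code and not Cavalier's API: the stealer log text is constructed, and the "URL/USER/PASS" layout, the consumer-domain skip list, the two-label domain rule (no public-suffix list) and the threshold of five organizations are all assumptions made for illustration.

```python
"""Triage infostealer victim hosts: flag machines whose saved credentials span
an implausible number of organizations, and spot credentials already harvested
from earlier victims (the pattern described in the article).

Added illustration, not Hudson Rock's or Cavalier's code. All log data below is
constructed sample text in the common 'URL:/USER:/PASS:' layout.
"""

from urllib.parse import urlsplit

# Assumed consumer sites that say nothing about employment; skipped when
# counting organizations.
PERSONAL_DOMAINS = {"gmail.com", "netflix.com", "facebook.com"}

# Constructed sample logs keyed by victim host id.
STEALER_LOGS = {
    # An ordinary employee: two logins at one employer plus a streaming site.
    "victim-A": """URL: https://sso.example-corp.com/login
USER: j.doe
PASS: Winter2023!
URL: https://mail.example-corp.com/owa
USER: j.doe@example-corp.com
PASS: Winter2023!
URL: https://www.netflix.com/login
USER: jdoe@gmail.com
PASS: hunter2
""",
    # A machine holding corporate credentials for six unrelated organizations,
    # one of them identical to a credential stolen from victim-A.
    "victim-B": """URL: https://sso.example-corp.com/login
USER: j.doe
PASS: Winter2023!
URL: https://vpn.northwind.example/remote/login
USER: svc_vpn
PASS: Sp#ring1
URL: https://citrix.contoso.example/Citrix/StoreWeb/
USER: helpdesk
PASS: Summer22
URL: https://rdweb.fabrikam.example/RDWeb/
USER: administrator
PASS: P@ssw0rd
URL: https://portal.tailspin.example/
USER: it.admin
PASS: Autumn2023
URL: https://vpn.wingtip.example/
USER: backup
PASS: Backup123
""",
}


def parse_stealer_log(text):
    """Parse 'URL:/USER:/PASS:' triples into (url, user, password) tuples."""
    records, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().upper(), value.strip()
        if key in ("URL", "USER", "PASS"):
            current[key] = value
        if key == "PASS" and "URL" in current and "USER" in current:
            records.append((current["URL"], current["USER"], current["PASS"]))
            current = {}
    return records


def org_of(url):
    """Map a URL to an organization via its last two host labels (simplified;
    a real implementation would consult the public suffix list)."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def orgs_per_host(logs):
    """Distinct corporate organizations per victim host."""
    result = {}
    for host, text in logs.items():
        orgs = {org_of(url) for url, _, _ in parse_stealer_log(text)}
        result[host] = {o for o in orgs if o and o not in PERSONAL_DOMAINS}
    return result


def flag_operator_hosts(logs, threshold=5):
    """An employee's browser holds logins for one or a few employers; a host
    with credentials for many unrelated organizations is more likely the
    attacker's own machine. The threshold is an assumed tuning value."""
    return sorted(h for h, orgs in orgs_per_host(logs).items() if len(orgs) >= threshold)


def credential_index(text):
    """(org, user, password) triples found in one log, for cross-referencing."""
    return {(org_of(url), user, pw) for url, user, pw in parse_stealer_log(text)}


def reused_from_earlier_victims(host_log, known_credentials):
    """Credentials on this host that were already harvested from other victims,
    i.e. evidence the host's owner used stolen logins rather than their own."""
    return sorted(credential_index(host_log) & known_credentials)


if __name__ == "__main__":
    print("suspect operator hosts:", flag_operator_hosts(STEALER_LOGS))
    known = credential_index(STEALER_LOGS["victim-A"])
    print("reused on victim-B:", reused_from_earlier_victims(STEALER_LOGS["victim-B"], known))
```

The two signals reinforce each other: the organization count alone can be fooled by a consultant or MSP employee with legitimately broad access, but the same host also holding credentials that were first seen in someone else's stealer log is much harder to explain innocently.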

“Data from La_Citrix’s computer such as ‘Installed Software’ reveals the real identity of the hacker, his address, phone, and other incriminating evidence such as ‘qTox’, a prominent messenger used by ransomware groups, being installed on the computer,” they wrote.

“This is not the first time we’ve identified hackers who accidentally got compromised by infostealers, and we expect to see more as infostealer infections grow exponentially.”

That said, it’s likely not too common that the data used to identify a hacker came from the hacker themselves.


Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
