A new ransomware group has been observed attempting to scam other cyber criminal groups through the sale of thousands of fake passports.
The MadCat ransomware group has been observed luring in other cyber criminals by selling fake stolen data, according to findings by Karol Paciorek, a cyber investigator, whose team at CSIRT KNF made the discovery on 30 October.
“Our latest investigation has successfully identified the members of the MadCat ransomware group, linked to the bizarre case involving the fake sale of a quarter million passports,” he wrote on X on 21 November.
According to Paciorek, the MadCat group’s scam is linked to a number of dark web accounts, such as @Rooted, @WhiteVendor and @Plessy, which advertise the sale of 246,000 screenshots of Polish passport pages and other travel documents.
According to @Plessy, those interested could buy the entire collection for US$3,400.
The CSIRT report also drew ties between @Plessy and @WhiteVendor that indicate they could be the same user, and said it believes @Rooted to be the same person on BreachForums.
Searching the @Plessy name on Telegram turns up links to an account called @MadCatR, which in turn links to a discussion channel with the share link @MadCatRansom; the CSIRT report concludes this could mean the scam is the work of a ransomware group by that name.
“Such conclusions are based on observation of the writing style, methods of creating threads, and the sales profile, which focuses on identity documents, including passports and IDs.”
Following the appearance of the scam, cyber criminals have come forward complaining about the actions of the MadCat group, including one who said they had been scammed out of $3,000 worth of Monero (XMR) cryptocurrency, which is about 20.
“I pay xmr, he ask more, I pay that 4 day ago,” the affected cyber criminal wrote on hacking forum BreachForums.
“He now not talk, not give data.”
Cyber security expert Dominic Alvieri has since shared a post on X (formerly Twitter) with an image suggesting the group would launch on 30 November.
“New MadCat Ransomware leak site. //i2gc52bwm2vu2wnohwi3cli7t7hj3y2q7qj3th2bs64h2eej7z5jcgqd[.]onion” — Dominic Alvieri (@AlvieriD), 23 November 2023
The actions of MadCat have quickly earned it a reputation among other cyber criminals. Responding to Alvieri’s post, Paciorek has said that MadCat’s career as a ransomware operator could be short-lived.
“A group that set their interest on deception from the start,” tweeted Paciorek in response to Alvieri’s original post. “I foresee a downfall as swift as [fellow newbie gang] RansomedVC.”
It is also worth noting that the users named above seem to have ditched their accounts following the negative response by other cyber criminals.
“It was noted that in the face of negative feedback regarding the attempt to sell documents from China and Japan, user WhiteVendor abandoned the use of his account and started a new online business under the pseudonym @Plessy – also as a scammer,” added CSIRT.