Hackers are targeting other hackers with a fake OnlyFans tool that claims to help steal accounts but instead infects threat actors with the Lumma Stealer information-stealing malware. The operation, discovered by Veriti Research, constitutes a characteristic example of the blurred lines between being a predator or prey in the world of cybercrime, where ironic twists and backstabs are abundant.
OnlyFans is an extremely popular subscription-based adult content platform where creators can earn money from users referred to as "fans" who pay for access to their content. Creators can share videos, images, messages, and live streams with their subscribers, while subscribers pay a recurring fee or one-time payments for exclusive content.
Given its popularity, OnlyFans accounts often become targets of threat actors who attempt to hijack them to steal fan payments, extort the account owner to pay a ransom, or simply leak private photos. Checker tools are designed to help validate large sets of stolen login credentials (usernames and passwords), checking if the login details match any OnlyFans accounts and whether they're still valid.
Without those tools, cybercriminals would have to manually test out thousands of credential pairs, an impractical and tedious process that would render the scheme nonviable. However, these tools are commonly created by other cybercriminals, causing hackers to trust that they are safe to use, and in some cases, this backfires.
Veriti discovered a case of an OnlyFans checker promising to verify credentials, check account balances, verify payment methods, and determine creator privileges but instead installed the Lumma information-stealing malware. The payload, named read article. It is an advanced information stealer with innovative evasion mechanisms and the ability to restore expired Google session tokens.
It is mostly known for stealing two-factor authentication codes, cryptocurrency wallets, passwords, cookies, and credit cards stored on a victim's browser and file system. Lumma also doubles as a loader itself, capable of introducing additional payloads onto the compromised system and executing PowerShell scripts. Veriti found that when the Lumma Stealer payload is launched, it will connect to a GitHub account under the name "UserBesty," which the cybercriminal behind this campaign uses to host other malicious payloads.
Digging deeper into the malware's communications, Veriti's researchers found a set of ". This campaign is not the first time threat actors have targeted other cybercriminals in their attacks. In March, hackers targeted hackers with clipboard stealers disguised as cracked RATs and malware-building tools to steal cryptocurrency. Later that year, a malware developer backdoored their own malware to steal credentials, cryptocurrency wallets, and VPN account data from other hackers.
September 5

Threat actor's checker ad on a hacker forum (Source: Veriti)

Malicious GitHub repository (Source: Veriti)
The Brutal Irony: A Hacker Ecosystem Cannibalizing Itself
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.