On security researcher’s newsletter, exposing cybercriminals behind ransomware
On July 22, a security researcher who goes by the handle pancak3 and whose Twitter account is @pancak3stack received a warning they’d violated the platform’s rules against posting private information. The message included a screenshot of a tweet sent earlier that day containing the name, nickname, date of birth and passport of the alleged developer behind Predator the Thief, credential stealing malware dating back to 2018.
Twitter temporarily locked the account, turning it back over 12 hours later, pancak3 told CyberScoop in an online chat. After the suspension, someone suggested pancak3 instead post the information on the newsletter platform Substack, “and I thought it was a good retention plan.”
They launched “Who’s Behind The Keyboard?” on July 24, a newsletter dedicated to doxxing people allegedly associated with cybercrimes. The site contains only a few posts so far and includes information on ransomware affiliates, initial access brokers, two of the REvil suspects arrested in January by Russian authorities, and a Brazilian hacker affiliated with the NetSec group. (Editor’s note: Shortly after publication, pancak3 told CyberScoop that Substack suspended their account.)
Investigating and outing some of the world’s most active and notorious cybercriminals is a risky endeavor, one that has resulted in more than a few death threats for pancak3, a security researcher who did not reveal their real identity to CyberScoop and asked to be referred to by the pronoun they.
“People don’t really like their real-life identity being posted on the internet, especially criminals,” pancak3 said. But the danger is worth it, they said, and could begin to make it easier for law enforcement to go after attackers once their identity is revealed. “Uncovering the person behind the keyboard, the person responsible for the crimes, is my ultimate goal,” they said. “I feel like too many of these people think [they’re] invisible or invincible, but they’re not.”
The photos and detailed personal information about the ransomware operators and other nefarious hackers offer a window into the lives of criminal hackers who routinely boast of extorting millions of dollars from victims around the world under the protection or with the tacit approval of various state entities.
“Ransomware actors, especially those who live in Russia, have existed in this weird space where they are not nation-state actors, but they carry out attacks that have the same or worse impact than many nation state attacks,” said Allan Liska, a threat intelligence analyst with Recorded Future.
Unfortunately, he said, ransomware operators typically don’t suffer consequences for their actions, and even as law enforcement is “starting to figure out how to deal with these groups, it can be slow and frustrating to victims and defenders alike. What [pancak3] is doing is demonstrating that these actors are not as untouchable as they think they are.”
Pictures of the suspects in the newsletter appear to have been taken from social media sites: they smile into the camera or pose alongside nice cars. The information is “all open-source,” pancak3 said, noting that both the Conti leaks and the much larger leaks from TrickBot helped “tremendously.”
One entry focused on a Conti ransomware crew developer who goes by the alias “van” includes photos of him standing next to a car, lying on a beach and sitting next to a person whose face has been cropped out. Also included are screenshots showing what pancak3 says is van’s computer while “he was infected with an Agent Tesla trojan between February 2021 and October 2021.”
Liska said he’s not sure how this activity affects investigations but added that “I think it’s easier for [law enforcement] to confirm already published information than start a new investigation.”
This kind of naming and shaming is not unprecedented. At least twice after the shadowy research group Intrusion Truth named Chinese hackers associated with state activity, the Department of Justice indicted the exposed hackers, cybersecurity journalist Kim Zetter reported in March.
Justice issued new requirements for federal prosecutors last summer in the wake of the ransomware attacks on Colonial Pipeline and food distributor JBS, highlighting the growing intensity and focus on these kinds of hackers.
Neither the DOJ nor the FBI immediately commented on how private naming and shaming affected prosecutions.
The U.S. and Russian governments cooperated to a limited degree on ransomware prosecution over the summer and into fall, culminating in the January arrest of more than a dozen REvil associates by Russian authorities. Cooperation between the governments stopped after the Russian invasion of Ukraine, and it’s unclear whether the prosecutions will proceed.
pancak3 told CyberScoop they’ve been in the cybersecurity world “for a while,” gravitating first toward malware analysis “because it seemed to be as close as I could get to an actual person.” Over time, with additional skills, they got more into open source intelligence, or OSINT. “People will always be the weakest link and a lot of times their egos or just pure carelessness will cause them to make [operational security] mistakes which I, and many others, graciously take advantage of.”
pancak3 said they aren’t sure how many people they’ve doxxed in total, “but in the past few months, well over 150,” which includes people in the U.S., South America, Africa, Europe, Canada and elsewhere. “I don’t really care where they’re from,” they said.
William Thomas, a security researcher who’s worked with pancak3 as part of a collective of threat intelligence researchers known as Curated Intelligence, said pancak3 is “pretty brave” to be doing this kind of work “considering the cybercriminals likely want to come after [them].” That said, “cybercrime is pretty unstoppable. Many of these people are untouchable criminals,” Thomas said. “If this makes their life a bit harder, I’m for it.”
Ultimately, pancak3 said, this kind of work is a chance to have a more direct impact on information security.
“To me, you can gather all the IOCs, detect all the TTPs, patch all the systems — literally do everything right and you’re still going to get attacked. Why? Cause there’s a person behind that keyboard trying to f— you,” they said. “If we ID and remove the person, we remove the crime. I’m not stupid enough to think we can remove all cybercrime, but I hope to make a dent somewhere, somehow.”
Updated, 7/29/22: To include the correct Twitter handle for pancak3, @pancak3stack.