cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

A MadCat eat dog world: Threat actor steals from other hackers

A new ransomware group has been observed attempting to scam other cyber criminal groups through the sale of thousands of fake passports.

user icon Daniel Croft
Fri, 24 Nov 2023
A MadCat eat dog world: Threat actor steals from other hackers
expand image

Reports have shown the MadCat ransomware group has been observed luring in other cyber criminals by selling fake stolen data, according to findings by Karol Paciorek, a cyber investigator, whose team at CSIRT KNF made the discovery on 30 October.

“Our latest investigation has successfully identified the members of the MadCat ransomware group, linked to the bizarre case involving the fake sale of a quarter million passports,” he wrote on X on 21 November.

According to Paciorek, the MadCat group’s scam is linked to a number of dark web accounts, such as @Rooted, @WhiteVendor and @Plessy, which advertise the sale of 246,000 screenshots of Polish passport pages and other travel documents.

According to @Plessy, those interested could buy the entire collection for US$3,400.

The CSIRT report also made ties between @Plessy and @WhiteVendor that indicate that it could be the same user. It also said it believes @Rooted to be the same person on BreachForums.

When searching the @Plessy name on Telegram, links to an account called @MadCatR can be found, which has links to a discussion channel with a share link called @MadCatRansom, which the CIRT report concludes could mean this is the work of a ransomware group by that name.

“Such conclusions are based on observation of the writing style, methods of creating threads, and the sales profile, which focuses on identity documents, including passports and IDs.”

Following the appearance of the scam, cyber criminals have come forward complaining about the actions of the MadCat group, including one who said they had been scammed out of $3,000 worth of Monero (XMR) cryptocurrency, which is about 20.

“I pay xmr, he ask more, I pay that 4 day ago,” the affected cyber criminal wrote on hacking forum BreachForums.

“He now not talk, not give data.”

Cyber security expert Dominic Alvieri has since shared a post on X (formerly Twitter) with an image suggesting the group would launch on 30 November.

The actions of MadCat have quickly earned it a reputation among other cyber criminals. Responding to Alvieri’s post, Paciorek has said that MadCat’s career as a ransomware operator could be short-lived.

“A group that set their interest on deception from the start,” tweeted Paciorek in response to Alvieri’s original post. “I foresee a downfall as swift as [fellow newbie gang] RansomedVC.”

It is also worth noting that the users named above seem to have ditched their accounts following the negative response by other cyber criminals.

“It was noted that in the face of negative feedback regarding the attempt to sell documents from China and Japan, user WhiteVendor abandoned the use of his account and started a new online business under the pseudonym @Plessy – also as a scammer,” added CSIRT.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.