Thursday 5 October 09:00 - 09:30, Red room
Adam Haertlé (BadCyber.com)
This presentation will follow a Polish threat actor, known as 'Thomas', in his career as a wannabe cybercriminal from late 2011 until today. We will watch his first steps on HackForums, where friendly vendors and free tools helped him to build his first botnet. We will follow his phishing and spam campaigns visible in the media and correlate them with tool purchases on HF. We will see how his tools evolved and botnets grew despite his total lack of technical and language skills, and how he even managed to perform targeted attacks against state institutions. We will celebrate with him as he bragged about successes and commiserate with him over his failures, as he attempted to pivot into banking fraud and got scammed by others on multiple occasions. We will look at his business strategies and monetization vectors, including a botnet-as-a-service offering, while contemplating pricing strategies and ad design skills. We will watch him try to defraud competitors with a deceptive video demonstration of his own hacking tools, using the opportunity to get a glimpse of his desktop, and we'll look at an unsolicited interview he gave to a malware analyst while the latter reverse engineered one of his malware samples. Finally, we will discover his identity through multiple uncensored screenshots and end by trying to explain the legal hurdles which mean that, despite being well known to the law enforcement community, he remains at large. Every step of our journey through the timeline of his criminal career will be illustrated with relevant screenshots or videos, documenting his operations from both the victims' and perpetrator's points of view.
Tiberius Axinte (Bitdefender)
This paper provides an in-depth analysis of the macOS version of the APT28 component known as XAgent. We will dissect the…
Tyrus Kamau (Euclid Consultancy)
The cyber threats Kenya faces range from basic hacking such as website defacements, financial fraud, social media account…
Juan Andres Guerrero-Saade (Kaspersky Lab)
Costin Raiu (Kaspersky Lab)
Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt…