Rey, the "sophisticated" threat actor from Hellcat ransomware and Scattered LAPSUS$ Shiny Hunters, has stolen his OWN MOM'S identity
Whilst working on our research into unraveling the scattered web behind SLSH, we found ourselves thinking about Rey's mom, as one is apt to do. Lovely, mysterious Zaina with the two Gmail accounts, which got us thinking: what is their purpose? Is Rey's Mom a super spy, a threat actor, or is she cheating on us? No, it's much simpler than that.
Teenage Saif Aldeen ("the faith") Khader, whilst casually committing cybercrime on his parents' computer, needs a crypto account to funnel his ill-gotten gains into. Does this sophisticated threat actor hire a KYC service on the dark web, buy a Coinbase account on Telegram, or use one of the 67 million leaked passports? No, he simply implicates his own mother by stealing her identity.
Let us dive into the details, with the help of our friends at Whiteintel.io
First, let's look at one of the strong complex passwords used by Rey:
Username: cybero5tdev@proton.me
Password: saif1313
(Sophisticated threat actors use long, random, complex and strong passwords to thwart brute-force password cracking.)
Rey's stronger passwords include MRVNgdg99ZQ3E29, which was published in the Krebs article. Others include c@AU(rractSV_?7 and q!Wab+8QCnQcqs-. All three are exactly 15 characters of mixed-case letters and digits, and the latter two also contain special characters, which is the fixed-length, mixed-class output you would expect from a password generator rather than from a person.
Now let's take a look at Rey's mom. We will ignore her personal account because it holds no relevance to our discussion, and we normally do not involve a threat actor's family. "Her" second Gmail address zainakhader111@gmail(.)com is of importance here.
zainakhader111@gmail(.)com uses Rey's same super strong saif1313 password for 7 different accounts. What a coincidence. It seems that Rey's Mom has stronger password hygiene, because she has 19 other accounts with stronger passwords such as 7maKU5DQW.zShfm, uPkEf!PL8JeMkY$ and {qcXuKDuy{N.2b*. All of these happen to be 15 characters of mixed-case letters, digits and special characters, exactly the profile of Rey's own generated passwords. A shared weak password links the two mailboxes; the matching generator profile on the strong ones is what makes the link hard to explain as coincidence.
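The pivot above is the whole argument: find a password that appears under more than one mailbox, then compare the length and character-class profile of each mailbox's remaining passwords. The script below is an added example that reproduces that pivot over an in-memory list of records; it is not code from this article or from Whiteintel.io. The mailbox names and service names are placeholders (constructed sample data), the `SAMPLE_RECORDS` shape and the 12-character, three-class threshold in `looks_generated` are assumptions, and only the password strings are taken from the article.

```python
"""Pivot a leaked-credential dump on shared passwords.

Two mailboxes re-using one password is the link; the matching profile of
their other passwords is the corroboration. Both checks are implemented here.
"""
from collections import defaultdict
import string

# Constructed sample records in the (email, password, service) shape a
# leak-lookup export typically has. Mailboxes and services are placeholders;
# the passwords are the ones quoted in the article.
SAMPLE_RECORDS = [
    ("actor@example.com", "saif1313", "forum.example"),
    ("actor@example.com", "MRVNgdg99ZQ3E29", "mail.example"),
    ("actor@example.com", "c@AU(rractSV_?7", "vps.example"),
    ("second@example.com", "saif1313", "exchange.example"),
    ("second@example.com", "saif1313", "shop.example"),
    ("second@example.com", "7maKU5DQW.zShfm", "monitoring.example"),
    ("second@example.com", "uPkEf!PL8JeMkY$", "scanner.example"),
    ("other@example.com", "Summer2023!", "bank.example"),
    ("other@example.com", "Summer2023!", "social.example"),
]

SYMBOLS = set(string.punctuation)


def profile(password):
    """Length and character classes present: the features the article compares."""
    return {
        "length": len(password),
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in SYMBOLS for c in password),
    }


def looks_generated(password, min_len=12):
    """Heuristic (assumed threshold): generator output is long and mixes at
    least three character classes. 'saif1313' fails; '7maKU5DQW.zShfm' passes.
    A short password with four classes, e.g. 'Summer2023!', still fails on length."""
    p = profile(password)
    classes = sum(p[k] for k in ("upper", "lower", "digit", "symbol"))
    return p["length"] >= min_len and classes >= 3


def shared_passwords(records):
    """Map each password to the distinct mailboxes using it, keeping only
    passwords seen on two or more mailboxes. Re-use within ONE mailbox
    (other@example.com above) is not a link and is dropped."""
    users = defaultdict(set)
    for email, password, _service in records:
        users[password].add(email)
    return {pw: emails for pw, emails in users.items() if len(emails) > 1}


def accounts_for(records, email):
    """Every (service, password) pair held by one mailbox."""
    return sorted((s, pw) for e, pw, s in records if e == email)


def pivot_report(records):
    """For every shared password: whether it looks generated, and for each
    linked mailbox how many of its OTHER distinct passwords look generated."""
    report = []
    for pw, emails in sorted(shared_passwords(records).items()):
        linked = []
        for email in sorted(emails):
            others = {p for _s, p in accounts_for(records, email) if p != pw}
            generated = sum(looks_generated(p) for p in others)
            linked.append((email, len(others), generated))
        report.append((pw, looks_generated(pw), linked))
    return report


if __name__ == "__main__":
    for pw, generated, linked in pivot_report(SAMPLE_RECORDS):
        kind = "generated-looking" if generated else "human-chosen"
        print(f"{pw!r} ({kind}) is shared by:")
        for email, total, gen in linked:
            print(f"  {email}: {total} other passwords, {gen} generated-looking")
```

On the sample data only saif1313 links two mailboxes, and both mailboxes' remaining passwords all pass the generator heuristic. Treat the heuristic as a prompt for a closer look, not as proof: a shared password can also mean a shared household computer or a family password manager, so the pivot identifies candidates and the service list and KYC records have to do the rest.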
Rey's Mom is also very computer literate, because she is registered on such services as:
- DataDogHQ
- IPStack.com
- RingCentral
- Censys
- IntelX
- CriminalIP.com
- Telesign.com
- Netlas.io
- IXRemote.net
This email address also holds accounts at multiple cryptocurrency exchanges.
For now it is unknown what these cryptocurrency exchange accounts were used for, what funds, if any, were funneled through them, and whether Rey used his Mom's information for the Know Your Customer portion of these accounts.
Our analysis supports the conclusion that Rey stole his own mother's identity for his cybercrime, and we speculate that Rey used his Mom's KYC information for these crypto exchange accounts.
If you feel inspired to support our ongoing work, we graciously accept Monero:
8AVbmNAmWjS9jEHKKr29oxTxrBPgQL2o661egbDb26hxF5NbCwUdq2dFAzKZcYTiZ7jckQE6iiRdTPpmUCT4ohWGAYDxuPS
If you like this article you will love our X Account
Continuing articles in this series will be published promptly