Introduction
Nobitex—Iran’s largest cryptocurrency exchange—suffered a coordinated breach in June 2025 that exposed both technical weaknesses and geopolitical stakes. Blending infostealer-driven credential theft with on-chain sabotage, the attack caused financial loss and symbolic disruption.
Infostealer-harvested employee credentials enabled privileged access.
Use of leaked code and automation assets to map internal systems.
Over $90M drained from hot wallets into unrecoverable burner addresses.
Brief account anomalies, anomalous signing activity, and possible infostealer traces consistent with dark-market activity.
Incident Analysis
A silent infostealer infection against two privileged employees escalated into a full-scale compromise, bleeding over $81 million from its hot wallets.
drained from hot wallets
Two privileged employees
Stealthy foothold, fast monetization
Forensic review confirms the adversaries’ foothold came from two infostealer infections
RedLine
(Sep 2023)
and
StealC
(Sep 2024).
From these infections, the attackers exfiltrated the affected employees’ credential sets and
artifacts.
- Corporate webmail logins & session cookies
- Jira/API tokens and internal tooling auth
- Administrative credentials and vault artifacts
- Internal testnet accounts and service keys
With those credentials in hand, the adversaries didn’t need zero-days or advanced exploits; the infostealers had already delivered the keys to the kingdom, enabling a controlled dismantling of Nobitex’s internal defenses.
Attribution and Statements
On June 18, 2025, the group Gonjeshke Darande (Predatory Sparrow) issued a public statement via X, claiming responsibility for the Nobitex breach. In their post, the group threatened to leak Nobitex’s source code and internal network data within 24 hours, warning that any remaining assets would be at risk.
Official statement from Nobitex
Following the initial breach and public claim of responsibility by Gonjeshke Darande on June 18, 2025, Nobitex issued a series of official updates via their X platform to communicate their response and recovery roadmap to users.
The first statement, published on June 24, 2025, acknowledged the scope of the incident and emphasized the exchange’s commitment to restoring services in a secure and stable manner. Nobitex outlined operational challenges delaying recovery efforts, including regional tensions, restricted physical access to data centers, unstable internet infrastructure, and late delivery of critical components from third-party providers. Despite these constraints, the exchange presented a phased service restoration plan, structured as follows:
- Phase 1 (June 25): Mandatory re-authentication for all accounts via the web platform, with most features temporarily disabled.
- Phase 2 (June 28): Gradual reactivation of account access for verified users.
- Phase 3: Progressive re-enablement of withdrawals, deposits, and trading services once stability checks were complete.
On June 29, 2025, Nobitex followed up with another update, focusing on the step-by-step restoration of wallet access. The process began with verified users and spot wallets, with balances reappearing in phases. Nobitex underscored the importance of the ongoing identity verification process as a prerequisite for access and warned customers against using old deposit addresses, as the migration to a new wallet system had rendered them invalid. Any deposits to legacy addresses risked permanent loss of funds — a clear sign of how deeply the breach had forced Nobitex to restructure its wallet infrastructure.
Leak Analysis
When the Nobitex source code surfaced, it offered a rare chance to dissect not only an exchange’s architecture, but also the mindset of its builders.
What we found was a paradox: a fortress designed for resilience, yet undermined by its own complexity and operational gaps.
Multi-Wallet Architecture & Internal Reachability
Nobitex operated a multi-wallet infrastructure, with hot and cold wallets segregated across blockchains. The cold wallet was managed through an internal network server, which means it may have been potentially reachable by the threat actors once they gained access to Nobitex’s internal environment.
Domestic Fiat Integration as a Strategic Lever
The platform’s integration with Iran’s Shetab banking system and Toman gateways allowed frictionless conversion between fiat and crypto. This positioned Nobitex as a bridge between sanctioned domestic finance and global crypto rails—an asset that adversaries could exploit or disrupt.
Trading Engine & Third-Party Connectivity
The leaked code revealed a sophisticated trading core: configurable order logic, fraud detection, SegWit support, dynamic fees, and feature flags. Nobitex’s reach extended across dozens of blockchains (BTC, ETH, TON, SOL, XRP, DOGE, and more), with ties into BlockCypher, CovalentHQ, Moralis, and Etherscan. This interconnectedness amplified liquidity—yet also expanded the attack surface exponentially.
Snippet source code
Secrets, Encryption & Configuration Hygiene
To its credit, Nobitex encrypted many secrets with Fernet, drawing keys from runtime environments rather than hardcoding. Yet cracks emerged: Telegram bot tokens and KYC service credentials lingered in plaintext in development configs. Cold storage may have been conceptually air-gapped, but OPSEC oversights handed adversaries potential pivots they should never have had.
Privacy Engineering & Compliance Evasion
Most revealing was the presence of modules engineered for obfuscation: stealth address generation, mixers, and routing logic explicitly designed to frustrate blockchain analytics. Moreover, VIP accounts were exempted from compliance workflows, raising the possibility of sanctioned actors transacting with institutional impunity.
Scalability With Fragility
The modularity of the codebase—wallet daemons, fiat adapters, compliance gates, mixers—showed a system built for scale. But that same modularity made it highly forkable: this playbook could be replicated elsewhere, fueling the rise of shadow exchanges across the region.
Akatsuki Assessment
This incident is more than a theft; it is a demonstration of how credential compromise and stealth tooling remain the favored weapons of advanced actors. Even with cold wallets intact, a single point of OPSEC neglect can ripple outward into catastrophic financial ruin.
Behind the Breach
The Akatsuki research team uncovered critical details of the Nobitex breach, confirming that two employees with elevated server access had been compromised through separate infostealer campaigns.
What is an infostealer?
Infostealers are lightweight malware families designed to covertly extract sensitive data from infected endpoints. Once executed, they quietly harvest browser-stored credentials, MFA tokens, session cookies, cryptocurrency wallet files, and other valuable artifacts, then exfiltrate them to attacker-controlled servers. The resulting dumps hand adversaries direct access to corporate systems without needing to defeat perimeter controls.
Drawing on Hudson Rock’s initial report on exposed infostealer infections, the Akatsuki team validated and extended these findings, directly correlating leaked employee credentials with Nobitex’s internal systems. Forensic cross-referencing confirmed the exposed employees were not junior staff, but personnel with privileged access to core server environments — amplifying the blast radius of the compromise.
Families Observed
Commodity stealer seen in the wild since 2020s; targets browsers, crypto wallets, and app credentials with quick exfiltration to C2.
Successor-style stealer with active development; focuses on session tokens and wallet artifacts, enabling turnkey account takeover.
Why this mattered
- Credential sets mapped directly to internal services (corporate webmail, issue tracking, admin portals).
- Session cookies and tokens enabled immediate access without brute force or exploits.
- Privileges on affected accounts extended to core server environments, compounding impact.
What comes next?
Before reconstructing the infections chronologically, we establish working definitions for malware stealers and summarize the two families above. We then dissect, in order, each employee’s activity trail to show how their endpoints were infiltrated. Particular attention is given to cracked or potentially malicious software recovered from their machines — the most probable delivery mechanism — which ultimately enabled credential capture tied to Nobitex’s critical infrastructure.
Understanding Stealers: RedLine and StealC
Information stealers (commonly called infostealers) are a class of malware designed to operate covertly on a victim’s device, harvesting sensitive data without the user’s knowledge. Their primary purpose is to extract authentication material, personal information, and system details that can later be monetized or used to escalate intrusions.
Credential & Token Artifacts
- System and browser-stored usernames/passwords
- Session cookies & authentication tokens
- MFA backup/recovery codes
- VPN / FTP client credentials
- API keys, secret keys (where present)
Browser & Wallet Artifacts
- Saved payment cards, form data, and history
- Search records and autofill details
- Cryptocurrency materials (private keys, wallet files)
- System profile and environment details
Families in Focus
Commodity stealer known for broad browser credential collection and quick exfiltration of session material and wallet artifacts.
Actively developed stealer family with emphasis on token/session theft and crypto-wallet data, enabling streamlined account takeover.
RedLine
RedLine Stealer, also known as RECORDSTEALER, is an information stealer sold on underground forums — available either as a one-off purchase or via subscription.
Operator Panel
As part of our analysis, we examined the RedLine Stealer panel to understand how threat actors organize and manage stolen data. The panel provides a centralized interface where exfiltrated logs are catalogued and made accessible. Each entry typically includes:
- Hardware IDs (HWID)
- IP addresses & geolocation
- Build IDs / campaign tags
- Log dates & freshness indicators
Rather than dumping logs chaotically, RedLine categorizes stolen information, turning a single infection into a structured intelligence package — credentials, system reconnaissance, and visual proof — ready for immediate exploitation or resale.
Operator Features
- Seen-before flag, checkmarks, and credential counts per log
- Wallet checker and log sorter for prioritization
- Loader tasks enabling follow-on malware delivery from the same panel
StealC
Thanks to the detailed work of TRAC Labs, we can outline the key developments surrounding StealC. First observed in early 2023, StealC is a C++-based information stealer that quickly rose in popularity as a malware-as-a-service (MaaS) platform within underground communities.
Version 2 — 2025 Evolution
In March 2025, its developers introduced StealC v2, significantly expanding capability and stealth. Decryption and brute-force tasks are offloaded to attacker infrastructure: browser cookies and saved credentials—especially from Chromium-based browsers—are decrypted server-side, and cryptographic plugin brute-forcing is handled remotely. This reduces host footprint and increases operational stealth. C2 communications are additionally protected by RC4, complicating network detection and analysis.
Anti-Analysis & Evasion
- Regional and temporal checks (e.g., CIS-locale gating) to inhibit execution.
- Self-termination if sandbox indicators or duplicate instances are detected.
- Operational design focused on persistence and silent data collection.
Malware Infection Chain Leading To Nobitex Heist
Infected employee #1 — RedLine
On , a Nobitex employee was infected with RedLine Stealer, a common infostealer malware. The infection occurred on a Windows 10 Enterprise [x64] system with Windows Defender as the active antivirus, suggesting the malware either bypassed or evaded detection.
Network / Geo
- IP
- 95.*.*.*
- Country
- IR
- Local Time
- 17/9/2023 07:12:38
Host
- OS
- Windows 10 Enterprise [x64]
- AV
- Windows Defender
- Computer
- [REDACTED]
- User
- ASUS
Execution
- Malware Path
- C:\Users\ASUS\AppData\Local\99711bd1-b6c0-471d-8c36-ef85dfd112e1\build2.exe
- Work Dir
- In memory
- Display
- 1536×864
- Languages
- en-US; Persian (IR)
Analysis of the exfiltrated data confirmed that the compromised host belonged to a Nobitex employee and contained corporate credentials linked to the company’s internal network, highlighting the risk of unauthorized access to sensitive infrastructure.
Installed Software & High-Risk Downloads
To determine root cause, the Akatsuki team parsed stealer artifacts: 172 installed applications were inventoried and cross-referenced with browser download history. A subset aligns with known RedLine delivery via cracked repos.
- Bandicam 6.0.6.2034
- Adobe Photoshop CC 2019 20.0.5
- PowerISO 8.0
- Nero 8 Lite 8.3.2.1 8.3.2.1
- Nero Update 20.0.1006
- Nero Core 1.2.00200
- Nero KnowHow PLUS 1.3.5005
- Nero ControlCenter 11.4.2006
- Nero Core Components 11.8.1010
- Nero Launcher 20.1.2013
- KMPlayer 4.2.2.27
- Foxit PDF Editor 12.0.0.12394
- Hot Copy Paste 9.3.0.0
- FastPaste 3.18
- StopUpdates10 3.5.115
- Tomb Raider GOTY Edition
Cracked Software Sources (Observed)
Given the employee’s elevated access and RedLine’s capability to exfiltrate credentials, authentication cookies, and browser data, this incident likely exposed sensitive Nobitex systems and expanded adversary opportunities for credential misuse and lateral movement.
Infected employee #2 — StealC
On , a Nobitex developer was infected with StealC. The infection occurred on a Windows 10 Pro [x64] workstation.
Network / Geo
- IP
- 46.*.*.*
- Country
- IR
- Local Time
- 2024/09/20 08:04:57
- UTC Offset
- +3
Host
- OS
- Windows 10 Pro
- Architecture
- x64
- Computer
- *****
- User
- ****
- Language
- en-US
- Keyboards
- English (US) / Persian (IR)
Execution / Hardware
- Running Path
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
- CPU
- 11th Gen Intel® Core™ i5-1135G7 @ 2.40GHz
- Cores / Threads
- 4 / 8
- RAM
- 16078 MB
- Display
- 1536×864
- GPU
- Intel® Iris® Xe Graphics
Linkage Evidence
The exfiltrated data linked this workstation to the corporate account [REDACTED], with system identifiers such as [REDACTED] and [REDACTED]. Browser artifacts and cookies confirm the user’s developer/infrastructure engineering role within Nobitex’s operations:
-
Regular access to blockchain explorers and crypto gateways for transaction verification and API integration.Etherscan Subscan BscScan
-
Activity related to internal ticketing and debugging, including transaction history, deposit tracking, and customer-facing troubleshooting metadata.Issue Tracking Debug Logs Deposits
-
Direct ties to Nobitex’s internal development domains, highlighting elevated trust and access privileges.dev* testnet* internal*
Methodology & Observations
Using the same methodology as with RedLine, we analyzed stealer-exfiltrated system data and browser activity. The inventory indicated broad software usage and risky download patterns consistent with StealC delivery in the wild.
Risky Source Ecosystem
The compromised machine showed repeated visits to piracy ecosystems and cracked repositories:
Movie / warez domains present in cookies (trojanized installers):
Execution Trace
The recorded execution path reinforces this assessment: the malware ran under the guise of a legitimate Windows utility, indicating bundling within a repacked installer rather than traditional phishing.
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exePattern mirrors numerous StealC cases in the region/campaings
Impact Context
Although the affected user held a privileged developer role, their browsing and installation habits closely reflected those of the RedLine-infected employee, providing a direct path for operator intrusion. In this case, the impact was heightened by the system’s proximity to Nobitex’s backend development and blockchain infrastructure.
Akatsuki Synthesis
The parallel cases show that Nobitex’s breach surface expanded not through exotic zero-days, but through cracked software usage. RedLine (2023) and StealC (2024) both arrived via repacked installers and warez ecosystems, granting adversaries credential and session access.
Logs revealed unauthorized reach into critical components, demonstrating how quickly an opportunistic endpoint infection can cascade across backend services, staging environments, and sensitive workflows.
Ultimately, the cultural tolerance of pirated software within high-privilege environments became a direct enabler of adversary tradecraft. By blending low-effort social vectors with credential-harvesting malware, attackers converted individual negligence into systemic vulnerability.
Hidden Threats in the Blockchain Ecosystem
Introduction
The blockchain ecosystem is often seen as secure and transparent, yet beneath the surface lie nuanced attack vectors and risks. This section explores vanity addresses, null addresses, their psychological appeal, the risks they introduce to exchanges and users, and advanced vectors like VEA (Vanity Exploitation Attack) that can weaponize these concepts.
What is a Vanity Address?
A vanity address is a blockchain address that begins with a custom, human-readable pattern. These are generated with high compute tools (e.g., Vanitygen++, ETHVanity).
Example (illustrative): 0xSENSIE…abcd or bc1psparrow…zzz. In prior ops, groups have used provocative strings in burn-related addresses to amplify psychological pressure.
What is a Null Address?
- A fixed, hardcoded address (often zero-filled or patterned).
- Purpose: Token burns / sending assets to an unreachable sink.
- Custom strings: Not possible — cannot contain readable words.
- Private key: None — funds sent here are permanently lost.
| Feature | Vanity Address | Null Address |
|---|---|---|
| Custom String (e.g., SENSIE) | Yes | No |
| Private Key Exists | Yes (unless intentionally destroyed) | No |
| Can Spend Funds | Yes | No |
| Trustless Burn (guaranteed) | No (trust-based) | Yes |
| Common Use Cases | Branding, trolling, intimidation, lures | Token burns, protocol logic |
Psychological Appeal & Social Engineering
Vanity addresses can create a false sense of identity and trust. Adversaries exploit this by:
- Using familiar strings to trick users (e.g., 0xNOBITEX… look-alikes).
- Embedding political or emotional phrases to intimidate or influence.
- Crafting random-looking but strategically chosen prefixes that appear legitimate at a glance.
The Threat: Vanity Exploitation Attacks (VEA)
A Vanity Exploitation Attack (VEA) is when an attacker creates a vanity address designed to manipulate, impersonate, or psychologically affect individuals or organizations.
VEA Attack Scenario
Impersonation Flow-
1
Attacker creates a vanity address like 0xNOBITEX…
-
2
Posts it on Telegram / Reddit / Discord as “official support”.
-
3
Victim, seeing the familiar prefix, sends funds believing it’s safe.
-
4
Attacker withdraws funds using their private key.
Used by hacktivist groups for digital propaganda.
Deployed in high-value social engineering attacks.
Abuses AI/bot traders that misread vanity prefixes as legit.
Real-World Examples & Threats
Case studiesVanity addresses mimicking NFT project wallets tricked users into sending ETH/NFTs.
Bots scanning vanity prefixes auto-bought honeypots; attackers drained value at scale.
“Burn” vanity address as message and test; reuse of the private key could reclaim funds.
Why VEA Matters in the Real World
- Corporate Exploits: Vanity look-alikes for treasury/payout interception.
- Regulatory Exploits: Fake compliance wallets used for evasion/misreporting.
- Investor Fraud: “Burn” addresses secretly controlled by insiders.
- Impersonation Risks: Exchange-prefix mimics.
- Rug Pull Plans: Vanity exits masked as community events.
- Bot/AI Confusion: Human-readable patterns mislead automated flows.
The Predatory Sparrow Case: Burn or Message?
- Technically a vanity address, not a null address.
- Creation implies possession of a private key.
- Funds left untouched to send a statement—but could be reclaimed if the key leaks.
Proposed Mitigation Techniques
Conclusion
Vanity addresses add style and symbolism—but also enable social engineering, impersonation, and theft. Distinguishing vanity from null, and recognizing VEA patterns, is essential to secure decentralized systems. The community must innovate in trust frameworks, not just technology.
Threat Hunting
Threat hunting is a proactive discipline, not a log-reading ritual. It pursues the faint artifacts adversaries try to hide—odd headers, off-pattern status codes, misfit TLS banners, or those telltale ports that shouldn’t be open. Families like RedLine and StealC blend into routine user activity while siphoning credentials, wallets, and sessions. The hunter’s job is to surface what was designed to be invisible: the malformed response, the unexpected 1911/1912 HTTP service beside RDP 3389, or the cookie trail that betrays an ongoing campaign.
Platforms Used
This investigation leveraged visibility from Validin and Hunt.io. Their telemetry enabled the Akatsuki Legion to dissect, trace, and expose modern infostealer operations—turning raw signal into actionable intelligence.
- Wide-scan exposure of HTTP/RDP surfaces
- Banner fingerprinting (Microsoft-HTTPAPI)
- Port heuristics (1911/1912) discovery
- Rapid pivots from single hit → infra cluster
- Correlation of repeated ports/banners
- IOC deduping with low false positives
RedLine C2
C2 ActivityActive since March 2021, RedLine remains one of the most pervasive infostealers. Activity continues through 2025, with recurring peaks of new indicators of compromise (IOCs) observed in August 2025 — totaling 11,500+ IOCs across its lifespan.
Detection Fingerprint
Heuristics- Windows hosts presenting RedLine panels
- Panel exposure on HTTP 1911 HTTP 1912
- RDP 3389 left open
- Banner match: Microsoft-HTTPAPI
- Repeated ports/banners across separate IPs ⇒ campaign clustering
Verification
Attribution CheckCluster analysis confirms that repeated use of identical ports, banners, and services aligns with coordinated RedLine operations, enabling high-precision attribution while minimizing false positives.
- Matching banners: Microsoft-HTTPAPI
- Consistent services: HTTP 1911 HTTP 1912 RDP 3389
- High-confidence infrastructure grouping
- Reduced false positives via multi-signal correlation
This confirmation demonstrates that the detection rule is finely tuned, yielding precise results and exposing genuine RedLine infrastructure exactly as intended.
The status of the default panel port returned HTTP 200 — an excellent pivot point to enumerate additional RedLine servers.
Cluster Results
16 IOCsUsing our tuned hunting rule, we surfaced a cluster of 16 RedLine-related IOCs. The snapshot highlights multiple hosts exposing HTTP services on port 1911.
In this case, we also leveraged a new platform called Hunt.io, which proved to be invaluable and here is the motivation
Hunt.io — C2 Listings & Pivots
Live DataThe platform includes a dedicated C2 listing section, where active command-and-control servers can be identified and analyzed. What makes Hunt.io unique is its live C2 server data and rich pivoting options, enabling deeper exploration of connected infrastructure.
- Discovery is step one — verification turns hits into IOCs.
- Live data supports time-bound attribution & decays stale leads.
- Pivot graph = infrastructure context beyond single IPs.
Service Fingerprints
As we probed deeper into the exposed infrastructure, certain hosts revealed distinct service fingerprints. In some cases, we identified a unique signature that appears to be exclusively associated with RedLine, providing a strong indicator for attribution.
Validin — RedLine Tracking
Live IntelValidin actively tracks RedLine Stealer activity across the internet. The platform aggregates intelligence on RedLine infrastructure — including domains, IPv4 addresses, malware strings, and indicators of compromise — and exposes pivots that accelerate analyst workflows.
Let's review one of the active query!
Common Name (CN) Reuse
Attribution SignalThis CN was reused across multiple hosts — a strong operational mistake by the adversaries, enabling direct correlation between servers. The timeline view shows activity spanning several weeks (June → August 2025), indicating an ongoing infrastructure set rather than transient hosts.
Pivot: 45.137.22[.]254 → RootLayerNet
AS51447Pivoting from 45.137.22[.]254 revealed several related servers hosted within RootLayerNet (AS51447).
Attribution Conclusion
Coordinated CampaignThe clustering of servers with identical banners, recurring ports, and shared ASN ownership strongly indicates a coordinated RedLine campaign rather than isolated systems. Of particular importance is port 55615, independently noted by ThreatFox as an active hosting port for RedLine panels — further validating our attribution.
Observed panel exposure on 55615/tcp matches ThreatFox-reported hosting behavior for RedLine, strengthening infrastructure attribution.
StealC C2
StealC campaigns rely on agile, low-noise command-and-control (C2) infrastructure: short-lived hosts, rotating subdomains, and minimal UI panels. Typical signals include ephemeral TLS certificates, sparse HTTP endpoints, and high-port services paired with standard 80/443.
Rotating subdomains, mixed 80/443 with sporadic high ports.
Short-lived TLS certs, generic CNs, frequent re-issuance.
Sparse panels, minimal titles, predictable health/status routes.
Detection Fingerprint — StealC
Heuristics- HTTP(S) on 80/443 plus intermittent high ports
- Generic panel titles / login routes
- Consistent favicon/title reuse across siblings
- Short validity certs & recycled CNs
- Bursty uptime aligned with campaign waves
- ASN/netblock clustering across related hosts
Verification
Clustering on shared ports, recycled CNs, and cert lifetimes — combined with repeated panel artifacts — supports attribution to StealC campaigns while keeping false positives low.
FOFA → Validin
StealC HuntingTo hunt StealC effectively, we adapted an existing FOFA rule and translated it into a Validin query, achieving the same results with greater precision.
Key Indicator — 403 on: 80 or 443
StealC Panel HeuristicOne of the key indicators we observed was the classic “403 Forbidden” response on port 80 — appearing in both the HTTP status and the page TITLE. This banner behavior strongly aligns with StealC panels. By pivoting on these fingerprints, Validin expanded the hunt and uncovered additional C2 servers tied to StealC operations.
URLScan.io Heuristic — StealC Panel Fingerprint
High ConfidenceUsing URLScan.io, we crafted a custom regex to detect StealC’s telltale behavior: C2 panels frequently rely on randomized 16-character .php filenames (e.g., jh3k2l9s8q1w7e4d.php). When URLScan observes traffic matching this pattern, the activity is flagged as StealC. Confidence is very high, as IOCs from URLScan are directly cross-validated with external threat intelligence.
(?:^|/)[A-Za-z0-9]{16}\.php(?:$|[\?#])Matches a path segment that is exactly 16 alphanumeric chars ending in .php (end of URL, query, or fragment).
- https://IP/jh3k2l9s8q1w7e4d.php
- http://DOMAIN/AbC123xYz90QweRt.php
- Use as a pivot to enumerate related hosts/subnets.
- Cross-check with CN reuse, short-lived certs, and title 403 behaviors.
Cross-Family Signals — StealC & RedLine
Hunting ParityWe applied our hunting rules across both families, noting similar hosting patterns and service exposure. StealC also defaults to ports 80/443. An interesting overlap surfaced in labeling: the name “Bulletproof” — historically seen on RedLine infra — is now present on StealC-tagged hosts.
- StealC: 80, 443 (default exposure)
- RedLine: 80, 443 (+ panels commonly at 1911/1912)
The label “Bulletproof” reappears on StealC infrastructure and was used as a RedLine label in prior campaigns — a useful pivot for cross-family correlation.
Hunt.io — Additional StealC IOCs
IOC ExpansionUsing Hunt.io, we identified additional StealC IOCs by pivoting on shared traits (service exposure, titles, and cert reuse), expanding the infrastructure graph beyond initial seeds.
Hunt.io — SQL Editor Pivot
cert-hash → C2We tested Hunt.io’s SQL Editor to customize our hunting queries. Pivoting on a certificate hash revealed two unique IPs with uncommon ports — both confirmed as active StealC servers.
Conclusions
The Nobitex breach stemmed from two high-privilege employees infected by infostealers — RedLine and StealC. Stolen credentials and session artifacts enabled direct access to internal systems, leading to an impact exceeding $81M. No exotic exploits were required: the malware delivered the keys. The root cause combined risky behavior (cracked software) with weak operational security. The lesson is clear: credential protection and endpoint hardening are as critical as perimeter defenses.
Key Takeaways
- Credential theft, not 0-days: RedLine/StealC provided direct access.
- $81M loss: Stolen sessions and passwords enabled monetization.
- Human risk: Pirated software + weak OPSEC widened the breach surface.
- Priority reset: Endpoint hardening and identity security first-class.
Strategic Imperatives
- Identity is the ignition source. Harden OAuth governance, require verified publishers, and alert on high-risk scopes.
- Cloud control planes are the fuel. Treat automation/workflows and service principals as privileged infrastructure.
- Crypto rails accelerate monetization. Prepare blockchain telemetry and partnerships ahead of time; practice drills with simulated peel-chains and bridge hops.
- Hunting beats hindsight. Prioritize the detections provided here and run them continuously post-incident.
Need help validating detections?