h1k.sh/I3p0Kw0

revision-2 (not latest; latest is revision-6)

This report is being edited by multiple groups because the affected user(s) hold information that may affect those groups. The report is intended to let these groups determine the security impact and any potential leaks or attack vectors.

The report is still in progress. The first draft, including the M14-PassSync methodology (by Beau J. Goodwin), can be found at: https://hostz.lol

- heliosfr (hi@sleepy.cv)
- Nysco Network Authority (soc@nysco.ai)
- Pyca Ireland (security@pyca.ie)
- Python Ireland (admin@python.ie)
- HISC (cs.incidents@helios.ac)
- Syscan.cc (systems@syscan.cc)
- Rustsussy (org@rustsussy.com)
- Marketing14 Archive (musab@redirects.cv)

The SOC (Security Ops) includes the following team members assisting with the response to this attack; 24/7 monitoring has been put in effect on accounts that may be targeted.
- heliosfr 
- Musab Idrees (samuraixeon2) 
- Piotr St. (pitust)
- Avery (woke002)

Portable24 passwords are being switched to M14-PassSync; because of the PC compromise we assume that Portable24 has also been compromised.

============
Timeline of events (GMT+1)
============ 

#1 (25 Apr 2026 @ 11:42PM) 
heliosfr (Desktop: AB - MARKETING14 LTD) installed the file "fabric_1.21.11.jar" from a non-official source. The URL was not saved in the logs.

#2 (25 Apr 2026 @ 12:20AM) 
A login alert was sent to adamback2020@gmail.com from no-reply@notifications.sumup.com for heliosfr's UK bank account with SumUp Limited. The login location was not in Ireland, hence the urgent email. The IP traces to a London datacenter, presumably a VPS.

#3 (25 Apr 2026 @ 12:48AM) 
The SumUp Limited account password was changed under the Portable24 methodology, all sessions were signed out, and the primary card was frozen and replaced with a new one, including a new five-digit security PIN for bank transfers.

#4 (25 Apr 2026 @ 12:58AM) 
Primary point-of-contact accounts with trusted members on platforms such as Discord, Telegram and various messaging portals underwent an immediate password reset (under Portable24).

#5 (25 Apr 2026 @ 1:10AM) 
heliosfr's desktop (AB - MARKETING14 LTD) was now confirmed compromised. The PC was disconnected from all attack vectors (including external drives, Ethernet, Bluetooth and WiFi), entering a state of "Limbo". High-value target accounts were now being monitored closely. Everything stored on this device was assumed lost and compromised. An SOC response was initiated with trusted members.

#6 (25 Apr 2026 @ 3:30PM) 
All important files were offloaded to a fresh 4TB external hard drive; after this, the internal hard drive containing all data from "AB - MARKETING14 LTD" was removed and physically destroyed (smashed). All content on that drive was deemed lost anyway. A fresh Windows 11 was installed from a USB. Alongside this, the UEFI was being monitored.

#7 (25 Apr 2026 @ 6:21PM) 
heliosfr (new desktop: helios01k) was reconnected to the internet and external devices, exiting the state of "Limbo". Wireshark monitored all network activity for the next three hours to confirm whether any connections were made; this was to determine whether the PC could be cleared for use. No connections were made during the monitoring period.

#8 (27 Apr 2026 @ 5:59PM) 
The installed file (fabric_1.21.11.jar) that contained the malware was ready for analysis. A joint SOC analysis under the lead of security@pyca.ie took place today. The malware was installed on an isolated computer and then run under monitoring software. It traces back to a MaaS (malware-as-a-service) tool called "WeedHack", which tells us several things: the POC (point of contact) is not one single person but is linked to the MaaS owners. We can confirm that the malware stole all cookies, attempted automated logins to live.com, and exploited a CVE to escalate privileges, allowing it to bypass Windows Defender. It scored 1/42 on Malwarebytes and 0 on ANY.RUN. The source website (where the install happened) was also found, and a takedown report was sent to the ICANN domain registry and its reverse proxy (Cloudflare).

#9 (28 Apr 2026 @ 9:01PM) 
IntelX (an OSINT tool), alongside automated detections on BreachForums, found a hit in leaked data for the following email: adamdungbell@gmail.com. The response was to reset the password, reset all sessions and enable hardware keys only.

#10 (30 Apr 2026 @ 11:03AM)
Roblox account "adamlolxd9731" (valued at 2500 USD) was compromised. The access vector was Roblox's session cookies. The account age (previously set to 21+) was changed to 9-13 years old, allowing the attacker to enable parental controls and link the account to juhana8870@dickensmail.com, which usually makes recovery hard. The email (adamback2020@gmail.com) and phone (+353 087 612 0146) were unlinked and sessions were signed out. No transactions were made and no items were lost; however, the attacker did play the following games: "da hood", "Grand Piece Online" and "Adopt Me". We might just have a generic "com script kiddie" on our hands here. It should also be noted that this login was made from an Android device at IP 188.146.164.31, based in Warsaw, Poland.


#11 (30 Apr 2026 @ 9:14PM) 
The attack was eventually noticed; however, the attacker had approximately 9 hours of free time to do whatever they wanted, hence the urgency. Roblox support was contacted, and alongside this a login was made with the previous password (the attacker had not reset it, which told us they did not know the password). The age was set back to 21+ through ID verification, allowing the parental controls to be disabled. The account was secured with the following details: Portable24 password, email: security@pyca.ie, phone: none. Roblox support reverted any other changes they found. This prompted the SOC team to be more vigilant and to ensure no further attacks happened.

#12 (30 Apr 2026 @ 11:10PM) 
Further analysis of the "dickensmail.com" domain traces it back to a Russian domain registry based in Moscow. The hypothesis for its use was confirmed by the fact that this registry accepts cryptocurrency payments, making it hard to trace back to the buyer. The hosting provider for dickensmail.com was an EU-based hosting platform, also based in Moscow. The DNS records for the email pointers appear to be in-house.

#13 (1 May 2026 @ 11:53PM) 
Meta (Instagram & Facebook) automatically locked out all sessions in response to an unknown login from an unusual IP address; this login was also blocked. Meta required a new password to be set from a trusted device to unlock the account.

#14 (2 May 2026 @ 12:16AM) 
Here we go again. The Outlook email adamdungbell@outlook.com was compromised by an attacker. IP 45.157.210.85 traces back to a VPS server in the United States. The response took 13 minutes to begin, meaning the attacker had 13 minutes of free time on a critical email account. Every email in this account was deemed lost and compromised. A password reset and a logout of all sessions were started. Passwordless login was also enabled, which means a passkey or MFA security key is needed to log in from now on.

#15 (2 May 2026 @ Time Unknown) 
Steam account "rtadam990" (valued at 1750 USD) was compromised. A session cookie was used to bypass the password, 2FA, MFA and Steam Guard. The session key had been authorised by the actual owner (heliosfr) on 2nd Feb 2026 @ 4:35AM and was used to log in. Location: LA, United States. Device: Chrome, Windows.
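As an added example (not part of the original report or any tool the SOC used), this is the triage rule the timeline keeps applying to stolen session cookies, written out in Python: any session minted before the first known bad event (#1, 25 Apr 2026 11:42PM GMT+1) is treated as stolen and revoked no matter how it looks, and any post-compromise session from an untrusted location is revoked and flagged as attacker-created. The session records, ids and locations are constructed for illustration; only the 2 Feb issue time mirrors the Steam cookie above.

```python
from datetime import datetime, timedelta, timezone

# The report's timeline is in GMT+1; keep every timestamp timezone-aware.
GMT1 = timezone(timedelta(hours=1))

# First known bad event: fabric_1.21.11.jar executed (#1 in the timeline).
COMPROMISE_TIME = datetime(2026, 4, 25, 23, 42, tzinfo=GMT1)

# Constructed session inventory; ids and locations are placeholders, not
# values from the report. sess-A mirrors the Steam cookie minted on 2 Feb.
SESSIONS = [
    {"service": "steam",   "id": "sess-A", "issued": datetime(2026, 2, 2, 4, 35, tzinfo=GMT1),  "location": "Dublin, IE"},
    {"service": "steam",   "id": "sess-B", "issued": datetime(2026, 5, 2, 9, 0, tzinfo=GMT1),   "location": "LA, US"},
    {"service": "tiktok",  "id": "sess-C", "issued": datetime(2026, 4, 26, 1, 15, tzinfo=GMT1), "location": "Warsaw, PL"},
    {"service": "outlook", "id": "sess-D", "issued": datetime(2026, 5, 3, 12, 0, tzinfo=GMT1),  "location": "Dublin, IE"},
]

def classify_session(session, compromise_time, trusted_locations):
    """Return (verdict, reason) for one session.

    A cookie minted before the compromise sat on the infected disk, so it is
    treated as stolen even if it has only ever been used from a trusted place.
    A session minted after the compromise from an untrusted location was
    created with stolen credentials, so it is revoked and kept as evidence.
    """
    if session["issued"] <= compromise_time:
        return "revoke", "issued before compromise; cookie may have been copied from disk"
    if session["location"] not in trusted_locations:
        return "revoke", "post-compromise session from untrusted location (attacker-created)"
    return "keep", "issued after compromise from a trusted location"

def revocation_plan(sessions, compromise_time, trusted_locations):
    """Group sessions by verdict so the SOC can act service by service.

    Blanket revocation (as the report did) is the safe default; this triage
    adds which sessions to report to support as attacker activity.
    """
    plan = {"revoke": [], "keep": []}
    for s in sessions:
        verdict, reason = classify_session(s, compromise_time, trusted_locations)
        plan[verdict].append((s["service"], s["id"], reason))
    return plan

if __name__ == "__main__":
    for verdict, entries in revocation_plan(SESSIONS, COMPROMISE_TIME, {"Dublin, IE"}).items():
        for service, sid, reason in entries:
            print(f"{verdict:6} {service:8} {sid}: {reason}")
```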

#16 (3 May 2026 @ 12:42PM) 
TikTok account @heliosfr was compromised. The access vector (yet again) was a session cookie. An immediate logout and password change were done. The SOC agreed to set the email address of this account to security@pyca.ie for security reasons. It is hypothesised that this attack originates from a session dump on BreachForums, as the activity seems too automated compared to previous attacks on other accounts. The attacker left comments on 18 TikTok videos (all with 250K+ likes and actively popular) such as "CHECK MYYY REPOSTTT", "CHECK MY REPOST :3" or "LOOK MY REPOSTTTTTSSS". They reposted bypassed videos that included porn and a link to a sketchy website. All comments and reposts were cleared; it was also assumed that any information sent through DMs may have been compromised.

#17 (4 May 2026 @ 2:11PM) 
ChatGPT/OpenAI triggered an automatic account lockdown after an attempt to buy $400 of API credits was made using the primary bank account linked to the business account. Because of this, the "helios operations" workspace on OpenAI has undergone an emergency security response. This is a more serious problem than it appears, because this workspace links multiple other accounts unrelated to heliosfr. Advanced security protection mode has been enabled, and login with FIDO2 security keys is the only allowed option.

#18 (5 May 2026 @ 4:11PM)
Spotify account (@heliosfr) was compromised. The access vector (yet again..) was a session cookie. The same process was followed: logouts, resets, etc. The attacker listened to 50+ songs from the same artist; the hypothesis is that the account was linked into a botnet of Spotify accounts that play songs by artists (who have paid for this) in order to collect ad revenue from Spotify. Can I also mention that this artist's music sucks? Airbuds (a social app based around Spotify) tracked all the songs they played.

#19 (5 May 2026 8:02PM) 
We can assume that files on the old hard drive of AB - MARKETING14 LTD were compromised. This included private code workspaces in multiple GitHub repos and orgs; reset keys and API secrets are being changed, and local developer secrets and tokens were also exposed at this point. Further monitoring on Vercel, Railway, GitHub, etc. is in place.


Further events are expected to happen.