Scammer Infects His Own Machine With Spyware, Reveals True Identity

Published: 23/11/2024   Category: security



An operational slip-up led security researchers to an attacker associated with Nigerian letter scams and malware distribution, after he infected himself with Agent Tesla.



In what can only be described as a case of karmic irony, a Nigerian scammer responsible for stealing more than 800,000 credentials from some 28,000 victims over the past several years recently infected his own machine with info-stealing malware that resulted in his identity being exposed.
Researchers from Malwarebytes got on his trail when they identified a group they track as Nigerian Tesla among numerous threat actors targeting Ukrainian entities. Malwarebytes had tracked the group for years, initially while it was engaged in a string of so-called 419 advance fee fraud (aka Nigerian letter scams), where victims receive emails promising them a generous commission for facilitating a money transfer involving a large sum.
Over the past two years, Malwarebytes researchers had observed the threat actor switching from 419 scams to distributing Agent Tesla, a widely used remote-access Trojan (RAT) for stealing personal data from infected systems.
Malwarebytes recently identified Nigerian Tesla attempting to distribute the malware via an email whose subject header read "Final Payment" in Ukrainian. Recipients who clicked on the link in the email were directed to a file-sharing site, which then downloaded the Agent Tesla binary to the user's system.
The attack chain involved the command-and-control (C2) server sending a message to Agent Tesla on infected systems, designed to confirm that the malware had been properly configured for remote communication. In examining the campaign, researchers detected an oddity: multiple messages containing the text "Test successful" coming from the attacker's own machine. There's only one logical conclusion: the attacker had somehow managed to self-inflict the Agent Tesla malware.
A member of Malwarebytes' threat intelligence team tells Dark Reading that the threat actor made several mistakes: "The biggest one was to infect his own computer with the Agent Tesla stealer," he says. "By doing so, all the credentials from their machine, stored in common applications such as browsers, were collected and exfiltrated. In a sense, they became just another victim, but in this case of their own malware."
An examination of the test emails exposed the attacker's IP address, which then led the researchers down a path that ultimately revealed to them the attacker's real identity, address, photos, and a copy of his Nigerian driver's license.
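The step that unmasked the operator was ordinary email forensics: reading the "test" messages' headers to find where they were really sent from. The following is an added example, not code from the article or from Malwarebytes, showing how an analyst walks a message's Received: chain (oldest hop first) to recover the originating IP and flags the "Test successful" marker the article describes. The message, hostnames, IPs and addresses are constructed placeholders.

```python
"""Recover the originating IP of a stealer "test" email from its Received: chain.
Added example; the sample message below is constructed, not a real capture."""
import re
from email import message_from_string

# Constructed sample standing in for one of the attacker's own test emails.
# Each MTA prepends its own Received: header, so the bottom one is the first hop.
SAMPLE_EMAIL = """Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbound.example.org with ESMTP id abc123;
\tSat, 23 Nov 2024 10:00:00 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mx.example.net with ESMTPSA id def456;
\tSat, 23 Nov 2024 09:59:58 +0000
From: test@example.net
To: drop@example.net
Subject: Test successful

Test successful
"""

# Bracketed IPv4 literal as MTAs write it in Received: headers.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg):
    """Received: headers ordered oldest-first (reverse of header order)."""
    return list(reversed(msg.get_all("Received", [])))


def originating_ip(msg):
    """IP named in the oldest Received: header, i.e. the host that first
    handed the mail to an MTA. Only hops added by MTAs you trust are
    reliable; earlier hops can be forged by the sender."""
    for hdr in received_chain(msg):
        m = IP_RE.search(hdr)
        if m:
            return m.group(1)
    return None


def is_c2_test_message(msg, marker="Test successful"):
    """Flag the Agent Tesla configuration-check text in subject or body."""
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    return marker in subject or marker in body


def analyze(raw):
    """Summarise one raw RFC 5322 message for triage."""
    msg = message_from_string(raw)
    return {
        "originating_ip": originating_ip(msg),
        "hops": len(received_chain(msg)),
        "test_message": is_c2_test_message(msg),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
```

Only the Received: lines written by mail servers you control (or by the receiving provider) can be trusted; anything below them was supplied by the sender and may be fabricated, which is why the oldest hop is a lead to corroborate rather than proof on its own.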
A Trail of Bread Crumbs
One of the first things Malwarebytes discovered when investigating the threat actor's IP address was that he had sent more than two dozen additional emails from the same IP address. The researchers were unable to figure out how the attacker had managed to infect his own system. But the emails revealed several other services that the threat actor used as part of his attack infrastructure.
These included a service that could be used as a source for victim emails, another for extracting emails from compromised systems, file hosting and storage services, virtual private servers, and VPN and DNS services. The researchers also discovered several assumed names that the Nigerian Tesla group used in past email scams, along with numerous email accounts that were used in phishing scams and data theft campaigns.
An investigation of the emails and the personae associated with them showed that the Nigerian Tesla group had been engaged in criminal cyber activities going back to at least 2014. At that time the group was primarily engaged in 419 scams involving emails from fictitious people going by names such as Rita Bent, Lee Chen, and John Cooper. Malwarebytes found the threat actor making a switch to malware distribution in 2020, and identified the tools the attacker used to obfuscate their binaries and to test whether they could be detected.
During their investigation, Malwarebytes researchers found a couple of photos of the individual who appeared to have started the operation, as well as the Agent Tesla-infected person's driver's license. Malwarebytes identified the individual only as E.K and as someone born in 1985.
