Automating and abusing credential theft through host-based attacks
Custom tool design known as an Auto-Skimmer
Fuck Blockblasters
The tragic story of Blockblasters, the Argentine shithead, and Cancer Bro. Cancer Bro died, and that Argentine hacker is not a very good one; he got doxxed and reported to ICE.
https://finance.yahoo.com/news/wild-story-cancer-patient-meme-213210305.html
How was the attack pulled off?
Okay. So this is an additional bonus thing for host-based attacks. Previously, I described the manual method of extracting the wealth—for example, through an infostealer, or doing carding on the victim host machine that you still have access to through a double pivot created via an SSH tunnel, possibly with an OpenSSH server installed in the background via PowerShell on your victim’s machine—so that you can grab the browser creds, which are protected by the Data Protection API (DPAPI). How the fuck did the Argentine piece of shit pull that off?
So crypto drainers are another form of host-based attack. It usually runs in user mode unless his victims are being tricked into running as admin; then it will have admin privileges, but wallets are not required to run with administrative privileges, okay. However, being able to hack a wallet is actually harder than you think, much like hacking the KeePassXC password manager. It’s the offline password manager that you can get for Windows and Linux. If you have not tried this, they actually XOR every character of your master key with a random XOR key. I’m not kidding. So if he can use a trace, it actually XORs every character of your master key when you open the vault.
But going back to host-based attacks: when you’re on the host, even what I just said can easily be bypassed—for example, waiting for the vault to unlock. And for this unfortunate game on Steam called Blockblasters, you can actually just add crypto drainers. I believe Marcus Hutchins just showed a detailed review of crypto drainers posing as job applications, I believe, because you don’t need to be admin. In fact, you can create a persistent crypto drainer by creating a hidden process. So you spawn your drainer executable as administrator and then you also spawn an r77 rootkit, which largely resides in the memory after executing from the registry. And it’s installable by 32-bit shellcode runners. That’s how it works.
So you install the rootkit, the rootkit fires off either the 32-bit or 64-bit DLL, and it has a list of processes to hide. And any process you choose, including your drainer, it also hides network traffic of that specific process. So using the drainer, and if your victim is a crypto bro that does all these smart contracts, you can actually redirect either the entire transaction in real time, because hooking and modifying arguments is like a fraction—a thousandth of a second—to modify an argument. So he may have thought he made a trade, but he actually sent money to you. So that’s a more sophisticated, persistent crypto drainer.
Auto-Skimmer Design
All right, so let’s go back towards some of my content that I’m producing about modern cybercrime. Okay, so um, it’s not exactly attributed to Trump, by the way. But regulations involving Monero, and laundering through Monero, have relaxed, although that’s largely because of financial institutions relaxing things on crypto. And because of that, it is feasible now to buy Monero. This includes fraudulently obtained credit card information, also known as CVV or BIN dumps, from your victims.
Now, in my previous article that I’m still writing, crypto drainers, we’re talking about how you can actually combine at least three separate malware types. A RAM skimmer, okay, also a RAM scraper or a credit card skimmer that works in memory, which we are reversing from Fast Point of Sale or FastPOS data exec. And we can combine that with a Zeus-like banking Trojan, but instead of banking websites, we’re going to take the information stolen from browser information, as well as anything sitting in RAM, through our Windows Hooks (SetWindowsHookEx) to grab credit card information on the victim. And we need to do this from the host of the victim, or the non-virtualized host, basically.
So first, we have a banking Trojan—it’s actually a crypto banking Trojan—and then it also has elements of a standard credit card skimmer and infostealer. So it has an infostealer element, a credit card stealer element, somewhat of a banking Trojan element, and finally the fourth part is the crypto drainer. But it’s not exactly a crypto drainer. It could have elements of crypto drainers. It could have an alternative feature like crypto drainers, because we’ve been seeing news on YouTube where people are getting hacked through job scams and they just snatched their MetaMask wallet and transacted it all out to a sock address. So it has four elements, all right?
So going through the elements again:
Credit card skimmer
Info stealer
Banking Trojan
Crypto drainer
More ranting against that guy
And we could put all this together and we’re not going to be copy-pasting like that scriptkiddie Argentine hacker. That wasn’t actually very good when he stole $32,000 out of Cancer Bro’s account through a backdoored Steam game called Blockblasters. I have my own hatred, and unfortunately, it’s probably not the same kind of hatred that other people have. Outside of the abhorrent targeting of a cancer patient on Twitch, I’m just telling you how to fucking do this shit right. And the Argentine scriptkiddie didn’t do it right. What he did was he bought like a fucking piece of shit stealer called RedLine (or StealC), and then he wrote a bunch of bat scripts that dropped down to disk, which clearly left forensic evidence everywhere. It was just fucking multiple scripts that eventually ran StealC! He simply bought the damn payload!
https://www.gdatasoftware.com/blog/2025/09/38265-steam-blockblasters-game-downloads-malware
But my method is running entirely in memory and either could be turned into Common Language Runtime (CLR) shellcode, also known as Intermediate Language (IL) shellcode, or it could be reflectively loaded as a .NET assembly. So it contains four elements, okay? A RAM skimmer, a banking Trojan, an infostealer, and a crypto drainer. And the reason why is that we’re trying to automate a host-based attack, but there is an issue. So to evade modern fraud detection, we need a headless method of executing this malware in memory. And previously, the manual method of SSH tunnel double pivots from a victim, where we can just log on manually, is probably not the best option.
My internet is slow as shit right now. I don’t know fucking why. It’s almost as if, you know, come on. Holy fuck. Motherfucking third-worlders. Hold on. It’s probably because of the VPN. Let me just change the VPN to Mexico or something. Yeah, it’s nothing is reliable these days, you know? You have a bunch of idiot third-worlders like, some have to prove my notes. See, now I can finally fucking see. I’m gonna have to just prune my notes.
Playwright advantages in evading anti-fraud protection
So we’re gonna use a headless browser extension to do the automatic transaction. So you can use either Selenium or Playwright. Playwright is kind of like a proprietary version of Selenium. Selenium is open source. Playwright has the ability to spoof; it has better abilities in spoofing screen resolutions. Let me turn on Wi-Fi again on my phone. Okay, cool. And yes, it will temporarily use your temp directory for cookies, cache, and session storage. But we can also—we’ll get to that in a bit. There’s a lot of intricate details.
But if we use something like Playwright, you can fake high-definition resolution because most machines—I highly doubt you guys are using standard definition in 2025. You’re at least at high definition or 1920x1080 for most people these days, right? Or at least up to 4K or 8K resolution on their monitors. You also want to add a bit of lag because people don’t instantly just create a POST request containing credit card information to a shady exchange, which is then pointed to the static address of your Feather Wallet because Feather wallets are behind a couple of warning screens, but you have temporary addresses. You have permanent addresses.
So what you do is you use at least three wallets and you can do a triple churn. Churning is just another slang way of saying structuring. So we can launder stolen money; you take a $10,000 transaction, which is definitely going to be flagged by banks, but this is crypto, okay, and they have their own detection algorithms. And you take $10,000 and you split it into three instances of $3,000 and maybe $1,000 more, right? So that’s called structuring in standard money laundering talk.
Wallet number one, we’ll use our permanent address, which is behind several layers of warnings on Feather Wallet. And then we’ll use our next two wallets. Remember, these are being done over Tor over VPN. When you use Feather Wallet, you can use Netstat to verify that it’s actually listening on a special Torsocks port 9050 and automatically uses that. Even if you got to install Tor or start your Tor service, it actually is sending the requests and verifying the transactions on port 9050. Obviously, you want to do a VPN chain behind that. You only have to complete one request and a Monero wallet will do the rest.
So, launder stolen $10,000 that was done through our auto skimmer, I guess, right? Our combination of a RAM skimmer, infostealer, banking Trojan, and cryptodrainer? Something. I’m sorry, I’m just pissed off as fuck by this third-worlder management that can’t keep a data center up for my VPNs. I will go through the transcript and fix it, but so you do a triple churn just to make sure. So obviously use the first wallet as a permanent address and then you set it through the temporary wallet of the next address. So $10,000 landed on the permanent address of Wallet 1. Now you move $9,000 out of $10,000 into Wallet 2, but only to the temporary address, which breaks the chain of attribution behind Tor over VPN. Then you move from Wallet 2 to Wallet 3, $8,000 to Wallet 3 behind Tor over VPN. Now what you do is there actually are many options for, let’s see, spending Monero on a Feather Wallet. Holy fucking shit. Is it really the—is it my VPN or is it my fucking—hold on. Oh, it’s because my Raspberry Pi is slow as fuck, that’s why. Well, I’m still recording, you know. Um, let me just change it. Come on. Okay, connect back to my VPN.
Laundering the money back out
OK, I don’t know what the fuck happened. Um, now I connect back to another hotspot, put a VPN behind that, and for some reason it stops recording. Weird. All right. So we’re triple churning the bitch. All right. And let me just go back into my notes. What the fuck? Okay, so it’s pretty fucking trivial, all right, at this point, after a triple churn at least, behind Tor over VPN for virtual cards. I don’t know what the fuck’s going on. Mexicans don’t have as many assholes as the United States where they would harass you on your wireless hotspot. I’m pretty sure it’s because of the Totalplay router, because it’s like a piece of shit router behind the closet.
So after a triple churn, you launder the money, all right? And now you get basically a gift card. You can get a Cake Pay virtual card, like a no-KYC (Know Your Customer) information card, or you can get a Bitrefill card. Remember, you triple churned it, okay? So after the first wallet with the permanent address that you use and then transacted to a temporary address on wallet number two, out of $10,000, you have $8,000 on Wallet 3. They actually can’t see what’s beyond Wallet 2. That’s why you triple churn it or use the structuring method through crypto.
All right? So you’re actually more than okay with just using Bitrefill or using proxy cards or using Wirex or Bitpay as long as you don’t attribute it back to yourself. If you fucking said that one was connected to Wallet 3, which is now connected to your actual proxy card—well, then the whole point of laundering was lost.
Fuck infosec frauds that can’t maintain a server room
OK, first of all, I just want to point out, and I’ve been publicly announcing that I am living in Mexico and—first of all—this issue with Totalplay or Infinitum or Telmex fiber optics is not actually an issue. The real issue was, and I’m connected to a wireless network right now, all behind a VPN. The real issue is my VPN from fucking Mullvad. I’m not trashing Mullvad themselves. I’m trashing the third-worlder idiot piece of shit that can’t maintain a data center representing the Mullvad endpoint. OK, there’s nothing wrong with the Mexican fiber optics. It’s fucking nice as hell, and it’s cheap, but the idiot third-worlder that was probably somewhere in the data center in the United States, somebody who lied their way to a job with a fake degree, all right? Someone that all of you probably wanted to deport because I’m getting tired of these fucking scammers, all right? I’m getting fucking tired. I don’t give a fuck about them. I love my Mexican neighbors. I love Mexico, but I don’t give two fucks about India or wherever the fuck they fabricate IT certifications and degrees. They are causing the data centers to fuck shit up. And this is my personal dialogue.
Correctly spoofing human interaction
All right, so this is my Auto Skimmer design. An Auto Skimmer is a combination of a credit skimmer, a banking Trojan, an infostealer, and a crypto drainer. They use automation frameworks like Selenium or Playwright.NET to basically steal existing crypto out of a browser-based wallet or to reuse credentials and discovered payment information in a browser on Windows machines. It is .NET-based, unless that Linux machine also has a .NET runtime to automatically execute Monero transactions to an anonymous Monero wallet before it is then triple churned three times through three wallets over Tor over VPN.
Using this technique, if it is done this way, it is relatively hard to trace unless you re-attribute yourself to a gift card from the third Monero wallet. So using Auto Skimmers, we’re going to be sticking with Playwright.NET. It has many advantages, including simulating key presses. So let’s start with key presses. The fastest reaction time from visual cues of a human to a response on the finger—for example, firing a gun—takes at least one-third of a second; at least 300 milliseconds is required to actuate the trigger on a firearm, which is taught in many elite self-defense courses by people formally known for this technique in private dojos.
With that knowledge, you now know that professional killers do not kill people at execution range, like in those gangster movies, simply because of the fact that you can actually move faster and disarm your potential killer or throw off a shot. Because you can actually move faster than one-third of a second, or at least 300 milliseconds. I don’t recommend trying it, especially if you don’t know how to disarm people or you’re not even trained for it. But yes—every key press has to have at least a gap. Let’s say entering a password; each character of the password must be, I would say, 500 milliseconds per key press. It is impossible to hit a key or pull a trigger from the decision-making of your brain to the visual cues in under 400 to 500 milliseconds. That’s impossible; only a machine can do that.
But back to other elements of our Auto Skimmers—we’re not talking about self-defense. Let’s just keep going. The Auto Skimmer simulates key presses, but Playwright.NET has a specific advantage over Selenium: the ability to not only spoof screen resolutions. Modern browsers stop fraud by determining if they can actually draw a shape—for example, canvas fingerprinting—and it can also check if you’re actually behind a human screen. So the Monero transaction from your Auto Skimmer will not work without it.
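The passage above argues that scripted input is given away by its timing. The flip side is the fraud-detection check: from a defender’s seat, a form-field handler can keep the keystroke timestamps and flag a sequence that is either too fast to be typed or too evenly spaced to be anything but a fixed scripted delay. The following is an added example, not code from the original article or from Playwright or Selenium; the threshold values and the sample timestamp sequences are constructed for illustration.

```python
"""Heuristic check for scripted keystrokes based on inter-key timing.

Added example (not from the original article). Given the timestamps, in
milliseconds, at which characters arrived in a form field, it flags
sequences whose inter-key gaps are implausibly short or implausibly
regular. The thresholds are assumptions chosen for illustration, not
measured values.
"""
from statistics import median, pstdev


def inter_key_intervals(timestamps_ms):
    """Gaps between consecutive keystroke timestamps, in ms."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def classify_keystrokes(timestamps_ms, floor_ms=80, min_jitter_ms=15):
    """Return (verdict, reason).

    verdict is one of:
      "human"     - nothing suspicious
      "too_fast"  - median gap below floor_ms (burst of synthetic events)
      "too_even"  - gaps almost identical (fixed scripted delay, no jitter)
      "too_short" - fewer than three keystrokes, cannot judge
    """
    gaps = inter_key_intervals(timestamps_ms)
    if len(gaps) < 2:
        return "too_short", "need at least three keystrokes"
    med = median(gaps)
    if med < floor_ms:
        return "too_fast", f"median gap {med:.0f} ms < {floor_ms} ms"
    jitter = pstdev(gaps)
    if jitter < min_jitter_ms:
        return "too_even", f"stddev {jitter:.1f} ms < {min_jitter_ms} ms"
    return "human", f"median {med:.0f} ms, stddev {jitter:.1f} ms"


# Constructed sample sequences (ms since the field received focus).
HUMAN = [0, 210, 395, 640, 790, 1075, 1240, 1510]        # irregular gaps
PASTED = [0, 2, 4, 6, 8, 10, 12, 14]                      # synthetic burst
SCRIPTED = [0, 500, 1000, 1500, 2000, 2500, 3000, 3500]   # fixed delay

if __name__ == "__main__":
    for name, seq in (("human", HUMAN), ("pasted", PASTED), ("scripted", SCRIPTED)):
        print(name, classify_keystrokes(seq))
```

The second rule is the one worth noting: adding a constant delay per key, as the passage suggests, defeats the "too fast" check but produces a standard deviation of zero, which no hand-typed sequence does. A practical detector combines both rules with server-side signals rather than trusting either alone.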
Combine with my previous articles on automated privilege escalation via BYOVA (no BYOVD required)
All right, so sorry, but not sorry. OK, sorry, but not sorry—of all of the technical roadblocks that I was going through to write this article. So, Auto Skimmers, all right? An Auto Skimmer, which is just a term I made up, combines my previous article about using the Notepad++ (CVE-2025-49144) or Velociraptor automated Privilege Escalation exploits to gain administrative access. This would guarantee that you have the correct privileges to hook to other processes, although it does not require a kernel driver—and you need to put your thinking cap on.
Like, how many enterprise machines actually have credit cards stored on their machines? It’s really the irresponsibility of the employees in enterprise, but I would say that this does not necessarily require the final kernel driver attack to disable EDR and blind telemetry that I have been harping about before. So just to go back, like I said before, it’s actually four elements:
A standard credit card skimmer.
An infostealer.
A banking Trojan.
A crypto drainer.
Going back to number three that I listed, the banking Trojan—but it does not target banks. It grabs payment information from the browser protected by the Data Protection API (DPAPI). OK, and then from the DPAPI where you decrypt—which requires administrative access, by the way. That’s why we need administrator. So we need a combo: either the Notepad++ vulnerability or the Velociraptor vulnerability. And I think it really does look suspicious if you were to use a threat hunting tool like Velociraptor to auto-escalate privileges.
When we have a perfectly working installer—like any installer before or during this range—it can easily impersonate regsvr32.exe with a C# application to invoke another fileless attack chain. And the only thing that’s dropped to the disk was regsvr32.exe, which doesn’t actually do what the actual regsvr32.exe does (registration of COM objects), but it really works from the installer to automatically run commands as Admin. So yes, this is our bypass/skeleton key that we need for administrative access to use the Master Key from the Data Protection API.
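The detail that matters to a defender in the paragraph above is that the impostor regsvr32.exe is dropped to disk, so its image path is not the genuine one under the Windows system directories. The following is an added example, not code from the original article: it scans constructed process-creation records (field names modelled loosely on Sysmon-style events, and an assumption here) and flags any process named regsvr32.exe whose image lives outside System32 or SysWOW64.

```python
"""Flag process-creation events where regsvr32.exe runs from an unexpected path.

Added example, not from the original article. The events below are
constructed dicts resembling the fields an EDR/Sysmon process-creation
record carries (Image, ParentImage, CommandLine); the field names are an
assumption for illustration.
"""
import ntpath

# Directories where the genuine regsvr32.exe is expected (lower-cased).
EXPECTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}


def is_masquerading_regsvr32(event):
    """True when the image is named regsvr32.exe but does not live in a
    Windows system directory."""
    image = event["Image"]
    if ntpath.basename(image).lower() != "regsvr32.exe":
        return False
    directory = ntpath.dirname(image).lower()
    return directory not in EXPECTED_DIRS


def find_suspicious(events):
    """Return the ProcessIds of events that trip the masquerading check."""
    return [e["ProcessId"] for e in events if is_masquerading_regsvr32(e)]


# Constructed sample events: one genuine, one impostor in a temp folder,
# one genuine 32-bit copy, and one unrelated process.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\lib.dll"'},
    {"ProcessId": 5588,
     "Image": r"C:\Users\alice\AppData\Local\Temp\regsvr32.exe",
     "ParentImage": r"C:\Users\alice\Downloads\setup.exe",
     "CommandLine": r"regsvr32.exe"},
    {"ProcessId": 6012,
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regsvr32.exe /u old.dll"},
    {"ProcessId": 7000,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe"},
]

if __name__ == "__main__":
    print("suspicious ProcessIds:", find_suspicious(SAMPLE_EVENTS))
```

A path check is the cheapest rule; in production it would be paired with a signature check on the image and a look at the parent, since an installer spawning a system binary from a user-writable folder is the combination the paragraph describes.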
Do NOT try to disarm by abusing human body mechanics, for liability reasons! It was just an example!
I know that was some really cool shit I talked about. Adding self-defense: Please, for the love of fucking God, if you are not trained to take a gun, a club, or a knife from someone’s hands, please do not attempt to move faster than 300 milliseconds. OK? Because that’s actually a reflex, by the way. Your reflexes can move faster than someone making a decision to pull a trigger. That’s the only possible way that they can actually disarm someone at execution range. So please do not try to Jason Bourne someone; you’re probably going to get shot.