The life story of an IPT - Inept Persistent Threat actor

Thursday 5 October 09:00 - 09:30, Red room

Adam Haertlé (

This presentation will follow a Polish threat actor, known as 'Thomas', in his career as a wannabe cybercriminal from late 2011 until today. We will watch his first steps on HackForums, where friendly vendors and free tools helped him to build his first botnet. We will follow his phishing and spam campaigns visible in the media and correlate them with tool purchases on HF. We will see how his tools evolved and botnets grew despite his total lack of technical and language skills, and how he even managed to perform targeted attacks against state institutions. We will celebrate with him as he bragged about successes and commiserate with him over his failures, as he attempted to pivot into banking fraud and got scammed by others on multiple occasions. We will look at his business strategies and monetization vectors, including a botnet-as-a-service offering, while contemplating pricing strategies and ad design skills. We will watch him try to defraud competitors with a deceptive video demonstration of his own hacking tools, using the opportunity to get a glimpse of his desktop, and we'll look at an unsolicited interview he gave to a malware analyst while the latter reverse engineered one of his malware samples. Finally, we will discover his identity though multiple uncensored screenshots and end by trying to explain the legal hurdles which mean that, despite being well known to the law enforcement community, he remains at large. Every step of our journey through the timeline of his criminal career will be illustrated with relevant screenshots or videos, documenting his operations from both the victims' and perpetrator's points of view.


   Download slides    Read paper    Watch video






Other VB2017 papers

Mariachis and jackpotting: ATM malware from Latin America

Thiago Marques (Kaspersky Lab)

Fabio Assolini (Kaspersky Lab)

Of all the forms of attack against financial institutions in the world, the ones that are most likely to combine traditional…

The state of cybersecurity in Africa: Kenya

Tyrus Kamau (Euclid Consultancy)

The cyber threats Kenya faces range from basic hacking such as website defacements, financial fraud, social media account…

Keynote address: Inside Cloudbleed

John Graham-Cumming (Cloudflare)

In February 2017, Cloudflare was revealed to have been leaking private information including HTTP headers, cookies and POST data…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.