Liam Amarku

I went and I bought a car, I talked to the attackers, tried to engage them as much as possible to see if their English was good and tried to talk about different hours of the day to see when they might be awake and not.

And I recorded this entire thing and ended up being successful buying this car and going all the way through with the transaction to the point where they send me information about a money mule where I was meant to send my money.

And that was where I stopped.

I didn't actually go through and send any money.

But at that point, I had victim information.

I knew exactly how the threat worked.

I knew exactly how much money they were making.

And I understood how the whole thing worked.

And more importantly, I had a video of exactly how it would work from beginning to end.

And what I did was I published that

a blog saying, here's the threat, here's how it works, here's how you can protect yourself, here's what it looks like, here's a video of me buying a car, here's a video of me talking to the attackers and publish that.

So they would name their command and control servers, various different things.

They picked random names for the URLs of their command and control servers, but then they started putting my name in there.

So they had domain names like gayassoleem.com, tinycockleem.com, leemthemule.com, thankyouleem.com.

Yeah, a variety of different names.

variations of that over the years.

And then also, because there was a little encrypted section underneath that, they could also leave a message in the malware that they knew only I would see or someone who was analyzing the malware would see.

And then they left messages in there like, Semantic does group masturbation was one of them.

So just over years, they would leave these messages in there for me.

And of course, when I saw that, that made me more interested in understanding what was going on.