MadCat ransom gang caught stealing from other criminals

A new strain of ransomware called MadCat has been linked by security researchers to suspected scammers who pretend to sell passport details on the dark web so they can rip off their fellow crooks.

On November 23rd, cybersecurity pundit Dominic Alvieri posted on X, formerly Twitter, what appeared to be an announcement, complete with a logo declaring the debut of the new ransomware group Mad Cat in one week’s time.

But all is not quite as it seems. A recent investigation by other cybersecurity professionals suggested that the people behind MadCat are, in fact, scammers who have targeted their fellow criminals with fake offers of stolen passport details.

Cyber investigator Karol Paciorek took to X on November 21st to announce the findings of an investigation that links Mad Cat to @plessy, @rooted, and @whitevendor, dark web accounts associated with the bogus sale of 246,000 screenshotted Polish passport pages and similar dubious offers of purloined travel documents from other countries.

Scam offer of stolen passport details
Bogus offer of stolen credentials used to lure other criminals on dark web

“Our latest investigation has successfully identified the members of the MadCat ransomware group, linked to the bizarre case involving the fake sale of a quarter million passports,” tweeted Paciorek.

Paciorek and his team at CSIRT KNF cybersecurity firm discovered the scam on October 30th, under which @plessy pretended to offer the “entirety of this illegal collection” to anyone willing to cough up $3,400.

The CSIRT report said its analysis “showed significant indications suggesting that Plessy and WhiteVendor users may be the same person.”

“Such conclusions are based on observation of the writing style, methods of creating threads, and the sales profile, which focuses on identity documents, including passports and IDs,” it added.

Another dissatisfied crook, er, customer…

Meanwhile, on the cybercriminal platform BreachForums, one disgruntled criminal complained of being conned out of nearly 20 units of Monero (XMR) cryptocurrency (worth around $3,000) by @rooted in a similar ploy that claimed to offer stolen Japanese and Chinese passport details.

“I pay xmr, he ask more, I pay that 4 day ago [sic]. He now not talk, not give data,” posted “onesandzeroes” on the crime forum on October 27th.

Criminal complains online about being scammed
Criminal complains on BreachForums about being scammed

The CSIRT report says it believes @rooted to be the name taken by @whitevendor on BreachForums.

Paciorek’s investigation also connected the Plessy, WhiteVendor, and Rooted aliases with a web address – However, when Cybernews typed the address into a search engine, we were simply directed to a Telegram channel under the name @shinyenigma, also connected to @plessy handle.

“Looking for information about the user who was linked on plessy[.]eu, one can find a profile on with the same name,” added the CSIRT report.

Cybernews checked the link, but at the time of writing, the account appears to have been largely dormant since contributing a remote access trojan last year, apart from an update of the latter posted three weeks ago.

The @plessy Telegram username was also found to be associated with @MadCatR, which in turn linked to a discussion channel that referenced a share link called @MadCatRansom, which then linked back to @plessy – “the only user” of the channel, according to CSIRT.

“The name of the channel itself suggests it may be a ransomware group,” added the report.

Nine lives already used up?

Now the actors behind MadCat have been outed, they look unlikely to have a successful career in ransomware, given their apparent recent history of conning other cybercriminals.

“A group that set their interest on deception from the start,” tweeted Paciorek in response to Alvieri’s original post. “I foresee a downfall as swift as [fellow newbie gang] RansomedVC.”

A link provided by Alvieri to the Mad Cat ransomware site also appeared to be dead at the time of writing – whether this is in response to Paciorek and his team’s work or a coincidence is unclear.

“It was noted that in the face of negative feedback regarding the attempt to sell documents from China and Japan, user WhiteVendor abandoned the use of his account and started a new online business under the pseudonym @Plessy – also as a scammer,” said CSIRT.

It added: “Further evidence irrefutably points to a link between the two users and the MadCat ransomware group. In particular, the victims are contacted through the @WhiteVendor Telegram account, highlighting the link between these identities and the group’s criminal activity.”

More from Cybernews:

App used by hundreds of schools leaking children's data

Tri Counties Bank breach exposes user financial data

UK commissioner warns top websites: allow “Reject All” cookies or else

Five days of war at OpenAI: whatever this was, is it really over?

Ingo Money claimed by Inc ransomware

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked