NetWire Remote Access Trojan Maker Arrested

From Brian Krebs:

A Croatian national has been arrested for allegedly operating NetWire, a Remote Access Trojan (RAT) marketed on cybercrime forums since 2012 as a stealthy way to spy on infected systems and siphon passwords. The arrest coincided with a seizure of the NetWire sales website by the U.S. Federal Bureau of Investigation (FBI). While the defendant in this case hasn’t yet been named publicly, the NetWire website has been leaking information about the likely true identity and location of its owner for the past 11 years.

The article details the mistakes that led to the person’s address.

Posted on March 14, 2023 at 7:23 AM2 Comments


Clive Robinson March 14, 2023 11:07 AM

@ ALL,

I guess the question many will ask is,

“11 Years, Why so long?”

As for the “mistakes” the use of a password “123456xx” is not exactly an uncommon password as indicated,

“Running a reverse search on this password in Constella Intelligence shows there are more than 450 email addresses known to have used this credential…”

However it should tell cyber-crooks they have two choices,

1, Use a totally random password for one account only.
2, Use passwords from the top of the password cracker lists.

But at the end of the day the usual ways crooks are caught,

1, They flap their gums.
2, They leave a money trail.
3, They get “grassed-up” by an accomplase.
4, They do the same thing over and over.

When the identity of the actual person detained becomes confirmed we can see if there are other mistakes they may have made.

It’s not impossible to be a cyber-crook, and earn a living at it, you just have to know a lot about how you can trip up.

It was not that long ago that people thought they could not be traced via crypto-coins. Even an FBI officer who stole some thought that… Mostly we know better.

But the point is that what ever system you think secure today will not be on a few months or years, then at some point an early tap on the door with a breaching-ram tells you that you’ve made a mistake.

Thus I would expect that some slightly smarter crooks will work out how to set-up one or two patsies / scapegoats to act as “fire-breaks” or “canaries”. So when the authorities go for the patsies the actual crooks get a warning and can fade.

Winter March 14, 2023 2:24 PM


However it should tell cyber-crooks they have two choices,

If you read Brian’s stories the repeating theme is that criminals are caught because they seem to slide into crime haphazardly.

They register some domain names for criminal and non-criminal use with a single email address, or use an existing email address to register a new domain or account for criminal purposes. Or they reuse a username for a different account or email address.

When you become successful, you may find it difficult to cut off all the ties with the past without losing your customers or suppliers. You have a brand name that took effort to set up.

Investigators trace back the accounts and domains as well as the email addresses used until they find something with a real name on it, often a Facebook account.

Reused passwords are a good way to confirm the identity behind all the personas.

It is often a fascinating read when Brian follows the track of such criminals.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.