@arash16
Last active February 2, 2026 18:39
# ⚠️ You are HACKED ⚠️

arash16 commented Feb 2, 2026

⚠️ You are HACKED ⚠️

IF YOU'RE SEEING THIS PAGE, YOUR SYSTEM IS INFECTED WITH MALWARE

🚨 DISCONNECT FROM THE INTERNET IMMEDIATELY 🚨

STOP - DO THIS FIRST:

  1. Unplug your ethernet cable OR turn off WiFi NOW
  2. Disable mobile hotspot if using one
  3. Only after disconnecting, continue reading below

What Happened

I'm a fellow victim reaching out to help. Two days ago, malware stole $3,900 from my crypto wallet. As a developer, I've been investigating and found 50+ active victims worldwide.

This page opened automatically because your system is actively infected. The malware collects all sensitive data and sends it to the attacker's server. Your system connected to the attacker's C2 server (144.172.103.103) and is compromised.

How I'm Reaching You

While investigating, I found a vulnerability in the attacker's command & control server. I'm now using their own infrastructure to push this warning directly to infected systems. I do NOT have access to any stolen data, and I have NOT executed any malicious code on your system—only trying to reach and warn you. This is purely to alert you before more damage is done.


IMMEDIATE ACTIONS (While Offline):

  1. Check for active infection:

    • Open Task Manager/Activity Monitor: Look for suspicious node.exe or node processes
    • Check VSCode workspaces: Look for .vscode/tasks.json with suspicious scripts
    • Check browser extensions: Look for unfamiliar extensions installed recently
  2. From a DIFFERENT, clean device:

    • Move crypto funds to fresh wallets (assume all extensions compromised)
    • Change ALL browser-saved passwords
    • Log out of all active sessions (Google, GitHub, social media)
    • Rotate SSH keys, API tokens, .env files
    • Inform IT team if work credentials were on infected system
  3. On infected system:

    • Remove suspicious VSCode tasks.json files and extensions
    • Uninstall unknown browser extensions
    • Run full antivirus scan

How This Happened

To me it was:
Fake LinkedIn job offer → BitBucket repo → VSCode tasks.json auto-execution → silent credential theft

You might have been infected some other way.

What Was Stolen

  • Browser passwords & session cookies
  • Crypto wallet seeds & private keys
  • SSH keys & API tokens
  • Files from Desktop, Documents, Downloads
  • .env files with secrets

Evidence I Have

  • Deobfuscated malware source code
  • Server infrastructure details (including Dropbox storage path where stolen data was sent)
  • Attacker's crypto wallet: 0xAe72765958214B70edC41288367D9CCA4890dD0C
  • Fake LinkedIn profiles (one deleted after confrontation)
  • UK company registration used as front: Merchant Payment Solutions Ltd

I've filed reports with FBI IC3 (ID: 721e798ab78d4da28cf73b47f891c4f1), Interpol and Europol, but individual reports from small losses get ignored. If victims coordinate, we have leverage.


Coordinate With Other Victims (Optional)

I'm NOT asking for money, personal information, or system access. This is purely a security notification and victim coordination effort.

If you want to coordinate with other victims or need technical evidence for your own reports:


I'm sorry this happened. Take immediate action to protect yourself.


After you've taken the immediate offline actions above, you can reconnect to the internet to change passwords and secure your accounts from other devices.
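A defender-side check for the VS Code tasks.json auto-execution step in the list above, added here as an example and not part of the gist or arash16's post: it parses tasks.json (which allows comments and trailing commas), reports every task whose runOptions.runOn is set to folderOpen, and marks commands matching a constructed heuristic list. The sample tasks.json and its file names are constructed.

```python
import json
import re
from pathlib import Path

# Constructed heuristic: commands a reviewer would want to look at by hand (not exhaustive).
RISKY_COMMAND = re.compile(r"\b(node|curl|wget|powershell|bash|sh|eval|base64)\b", re.I)

# Constructed sample in the shape the post describes; file names are hypothetical.
SAMPLE_TASKS_JSON = """{
  // tasks.json allows comments and trailing commas
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "npm run build"},
    {"label": "setup", "type": "shell", "command": "node", "args": ["./.vscode/setup.js"],
     "runOptions": {"runOn": "folderOpen"}, "presentation": {"reveal": "never"},},
  ],
}"""

def _jsonc_to_json(text):
    # tasks.json is JSON-with-comments: strip /* */ and // comments and trailing commas.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    return re.sub(r",\s*([}\]])", r"\1", text)

def find_auto_run_tasks(tasks_json_text):
    # Report tasks VS Code launches on folder open: runOptions.runOn == "folderOpen".
    try:
        data = json.loads(_jsonc_to_json(tasks_json_text))
    except json.JSONDecodeError as exc:
        return [{"label": "<unparseable>", "command": "", "reason": f"invalid JSON: {exc}"}]
    findings = []
    for task in data.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        args = [str(a) for a in task.get("args", [])]
        command = " ".join([str(task.get("command", ""))] + args).strip()
        reason = "auto-runs on folder open"
        if RISKY_COMMAND.search(command):
            reason += "; command matches risky pattern"
        findings.append({"label": str(task.get("label", "")), "command": command, "reason": reason})
    return findings

def scan_tree(root):
    # Walk a directory tree (e.g. the home directory) and collect every flagged tasks.json.
    report = {}
    for path in Path(root).glob("**/.vscode/tasks.json"):
        hits = find_auto_run_tasks(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report
```

Run scan_tree on the home directory of the affected machine and review every reported task by hand; a folderOpen task is not malicious by itself, but one that launches node or a shell on a hidden script is exactly the pattern the post describes.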


arash16 commented Feb 2, 2026

The malware spawns 3 parallel processes:

  1. Collect all known sensitive data, like browser profiles, .ssh keys, Windows passwords, and Chrome-specific extension data (wallets)
  2. Search the whole system for files containing words interesting to the attacker (wallet, password, phone, .env, .cfg, .ini, etc.)
  3. Start a live WebSocket connection to the server, through which the attacker can ask the victim's computer to run custom commands

Consider everything sensitive to be stolen. This is not speculation; I have read the malware's de-obfuscated source code!
