Based on intelligence indicating the threat actors behind the platform were based in the nation, the Royal Malaysia Police announced the operation, which was carried out on November 6, 2023, with cooperation from the Australian Federal Police (AFP) and the U.S. Federal Bureau of Investigation (FBI).
During the operation, eight individuals aged between 29 and 56, including the mastermind of the syndicate, were detained at various locations in Sabah, Selangor, Perak, and Kuala Lumpur.
Also, the authorities have seized servers, computers, jewelry, automobiles, and crypto wallets containing nearly $213,000.
BulletProofLink
BulletProofLink, also known as BulletProftLink, is well-known for providing other actors with ready-to-use phishing templates for credential harvesting campaigns on a subscription basis. The login pages of popular services including American Express, Bank of America, DHL, Microsoft, and Naver are imitated by these templates.
According to an analysis by Microsoft from September 2021, BulletProofLink is also involved in ‘double theft,’ where a threat actor steals credentials and then transfers them to both the core developers and their clients, creating extra revenue streams.
According to a report by cybersecurity firm Intel471, "BulletProftLink is associated with the threat actor AnthraxBP who also went by the online nicknames TheGreenMY and AnthraxLinkers."
"The actor maintained an active website advertising phishing services. The actor has an extensive underground footprint and operated on a number of clear web underground forums and Telegram channels using multiple handles."
According to experts, BulletProftLink’s online storefront has been active since at least 2015, and as of April 2023 had approximately 8,138 active clients and 327 phishing page templates.
Intel 471 adds that, "PhaaS schemes like BulletProftLink provide the fuel for further attacks [...] Stolen login credentials are one of the primary ways that malicious hackers gain access to organizations."
An additional indicator of threat actors' ongoing adaptation to disruptions and their adoption of more sophisticated strategies is the use of intermediary links by AiTM attacks to documents hosted on file-sharing services such as DRACOON, which contain URLs pointing to infrastructure controlled by adversaries.
"This new method can bypass email security mitigations since the initial link appears to be from a legitimate source and no files are delivered to the victim's endpoint as the hosted document containing the link can be interacted with via the file-sharing server within the browser," says Trend Micro.
The development occurs after Milomir Desnica, a 33-year-old citizen of Serbia and Croatia, entered a guilty plea in the United States for running a drug trafficking platform on the dark web called Monopoly Market and for planning to supply over 30 kilograms of methamphetamine to clients in the United States.