Back in August 2019 Avast anti-virus released a technical write-up about a malicious worm named “Retadup” that infected a total of 850,000 computers, mainly in South America[1].

The researchers from Avast were able to locate the C&C server, hack it on behalf of the French National Gendarmerie, and drain the botnet from all the infected machines.

They also managed to estimate the amount of revenue the person who was operating the botnet made by installing Monero[2] miners on the victims’ computers.

Essentially, in 1 month he made about $5000 from 1 pool (he probably had more), and this is just from mining Monero, which is likely not the only monetization method he had for this operation.

It was also reported by TrendMicro that this guy infected hospitals in Israel[3] and that he had 11,337 infected computers in Israel, which is an insanely high amount considering there are only 8.7 million people living in the country[4]:

I thought it was strange that he was so eager to harm Israel and decided to go ahead and look at the C&C servers that Avast revealed he owned:

For each one I tried to see if I could find doxxable information, and indeed, I quickly identified that the hacker forgot to block his whois record for the domain Newblackage(.)com:

This revealed to me the name (fake), e-mail and phone number of the hacker; it even turned out he was from Israel 😈!

I quickly looked up the phone number on Google along with the word “Facebook” and found this:

A Facebook page with the attached phone number and his real name!

I looked into the Facebook profile and was amazed to see how public the hacker was about his operations:

Newage is also one of the domains listed in the C&C servers.

A video in which he showed his botnet operating; we can see a bunch of infected computers in his client.

He even mentions how he was adding new features to the Botnet, we can assume he was selling the program as well:

I wish I could show more photos from his Facebook page, but it got deleted and I’m only left with the evidence I gathered back in 2019.

Anyways, within minutes of Avast posting their write-up, I found all this information and posted it on Twitter, asking Law Enforcement to contact me so I could give them the details of the hacker. Indeed I got contacted and handed over the relevant information, but was not updated on whether an arrest occurred or not.

The only piece of evidence I have to support the claim that he did get arrested is that the Telegram account linked to his phone number, which was very active when I first found him, hasn’t been active since December:

It is now anyone’s guess whether the hacker is behind bars or already operating a new, more sophisticated botnet we haven’t yet found…

Connect with me — https://www.linkedin.com/in/alon-gal-utb/

References: