Post Av8bRPJrTXd1nN3n16 by knitcode@infosec.exchange
(DIR) More posts by knitcode@infosec.exchange
(DIR) Post #Av8bRJvDXjwd3UUXPU by knitcode@infosec.exchange
2025-06-14T16:37:38Z
0 likes, 1 repeats
The Russians aren't coming, they are already here. Without most anyone realizing, they've created an entire malicious adtech industry whose story is just as complex as the Chinese organized crime we're now realizing from their ventures into pig butchering. VexTrio is just one Russian organized crime group in the malicious adtech world, but they are a critical one. They have a very "special" relationship with website hackers that defies logic. I'd put my money on a contractual one. all your bases belong to russian adtech hackers.Today we've released the first piece of research that may eventually prove whether I am right. This paper is hard. i've been told. I know. We've condensed thousands of hours of research into about 30 pages. @briankrebs tried to make the main points a lot more consumable -- and wrote a fabulous complimentary article : read both! There's so much more to say... but at the same time, between ourselves and Brian, we've released a lot of lead material ... and there's more to come. I've emphasized the Russian (technically Eastern European) crime here, but as Brian's article points out there is a whole Italian side too. and more. We've given SURBL, Spamhaus, Cloudflare, Domain Tools, several registrars, and many security companies over 100k domains. They are also posted on our open github.Super thanks to our collaborators at Qurium, GoDaddy Sucuri Security, and elsewhere. #threatintel #scam #tds #vextrio #cybercrime #cybersecurity #infosec #dns #infoblox #InfobloxThreatIntel #malware #phishing #spam https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/https://krebsonsecurity.com/2025/06/inside-a-dark-adtech-empire-fed-by-fake-captchas/
(DIR) Post #Av8bRPJrTXd1nN3n16 by knitcode@infosec.exchange
2025-06-14T17:05:27Z
0 likes, 0 repeats
Comments on Brian's article said that these companies are Ukrainian, not Russian. We haven't studied the individuals behind the more recently discovered companies, but VexTrio folks are not Ukrainian. They are Russian-Belarussian and Italian for the most part. This doesn't mean they are pro-Putin. indeed, from what we've seen on social media they seem to be against Putin's invasion. They also target Russian citizens a lot -- Russia and the US are the top targets (they pay out the most in the affiliate network and have the most traffic). We know all the true identities of the main players of VexTrio going back to 2004... no Ukrainians. But Push House, RichAds, PushBro, Monetizer may be different. They definitely all speak Russian.
(DIR) Post #Av8bRPOTCPJa1fDTCS by knitcode@infosec.exchange
2025-06-14T16:41:02Z
0 likes, 0 repeats
Trying to make a tough read snackable. (1/N)About 40% of all compromised websites that led to a TDS in 2024, according to Sucuri/GoDaddy, went to VexTrio. Then they all flipped to HelpTDS in late-2024. Let's suppose the website malware actors are just random publishing affiliates of VexTrio -- this timeline is very interesting. Why do the malware actors prepare to move off Los Pollos (VexTrio) links before Los Pollos announces that it is pausing push monetization? :thinkingShady adtech is full of options for the shady publisher. Why do all the different malware actors move to the Help TDS? :reallythinkingIn a free market economy, how does a company like Los Pollos gain the lion's share of black traffic from compromised sites? :reallyreallythinkingthis timeline doesn't include all the actors that shifted from VexTrio to Help TDS.