DTiNews
Source: dantri.com.vn

Vietnam student behind malware attack on 94,000 computers

A 12th-grade student in Thanh Hoa Province has been accused of developing malware used to infiltrate more than 94,000 computers worldwide, generating illicit profits worth tens of billions of VND.

Thanh Hoa Provincial Police Department said on March 25 that they had worked with the Ministry of Public Security to dismantle a transnational cybercrime network responsible for large-scale data theft.

Authorities said the operation was led by a high school student based in Thanh Hoa, who orchestrated the distribution of malware targeting internet users globally.

Police working with the student (Photo: Thanh Hoa Police).

The student began self-studying programming in 2023, learning languages such as Python and C++. Initially focused on experimentation, he later developed a deeper understanding of operating system structures and data storage mechanisms.

By 2024, he had created malware capable of accessing and extracting browser-stored data, including login cookies, passwords and autofill information. The malicious code was designed to bypass basic security protections.

Stolen data was packaged and automatically transmitted to servers set up by the suspect for further exploitation.

In July 2024, the student connected via Telegram with Le Thanh Cong, 28, from Ha Tinh Province. The pair agreed to collaborate, with the student writing malware and Cong distributing it to harvest login credentials, particularly commercially valuable Facebook accounts.

Cong later introduced him to Phan Xuan Anh, 21, from Nghe An Province. The student was then commissioned to develop an upgraded malware strain known as “PXA Stealers”, capable of gaining administrative control over infected devices. He reportedly received 15 per cent of the profits from each operation.

Police escorting Phan Xuan Anh to the investigative agency (Photo: Thanh Hoa Police).

Within the network, the student was responsible for coding, updating and enhancing the malware, while other members handled distribution and data exploitation.

To increase effectiveness, the group purchased source code for remote access software known as “Pure RAT”, integrating it into their malware. When victims opened infected files, both the malware and remote control software were installed, allowing attackers to access and control devices remotely.

The student also accepted separate commissions from an individual identified as Nguyen Thanh Truong, operating under the Telegram alias “Adonis”, to develop additional malware for USD 500, along with a profit-sharing agreement of 50 to 100 USDT per data extraction.

The group used various sophisticated distribution methods, including mass email campaigns with malicious attachments. They sourced or purchased email lists from underground forums before launching large-scale dissemination.

Malicious files were often disguised as PDF or document files but were in fact executable “.exe” files. Once downloaded and opened, the malware would install silently and operate in the background.
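As an added illustration, not part of the original report or the investigators' material, the following shows how a mail gateway could flag attachments that present as documents but are Windows executables. The extension lists, function names and sample bytes are assumptions constructed for the example.

```python
import struct

# Assumed extension sets for this example; a real gateway would use its own policy.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf"}
EXE_EXTS = {"exe", "scr", "com", "pif"}

def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at the 4-byte PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment looks like an executable posing as a document."""
    exts = [e.strip() for e in filename.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    reasons = []
    # Case 1: "invoice.pdf.exe" style names, including space-padded variants.
    if last in EXE_EXTS and any(e in DOC_EXTS for e in exts[:-1]):
        reasons.append("document extension followed by executable extension")
    # Case 2: the name claims a non-executable type but the content is a PE image.
    if last not in EXE_EXTS and is_pe(data):
        reasons.append("PE content under non-executable name")
    return reasons

# Constructed sample inputs: a minimal header that passes the PE check, and a PDF header.
PE_STUB = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
PDF_STUB = b"%PDF-1.7\n"

if __name__ == "__main__":
    for name, blob in [("invoice.pdf.exe", PE_STUB), ("report.pdf", PE_STUB),
                       ("report.pdf", PDF_STUB), ("setup.exe", PE_STUB)]:
        print(name, triage(name, blob) or "no mismatch")
```

Checking content as well as the name matters because Windows hides known file extensions by default, so a user may only see the document-like part of the name.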

After infecting devices, the malware collected sensitive information such as cookies, passwords and IP addresses, which were sent to servers or Telegram bots for sorting and exploitation.

Using remote access tools and virtual private servers, the group was able to directly control victims’ computers.

Police inspecting evidence from the case (Photo: Thanh Hoa Police).

Investigators said more than 94,000 computers across multiple countries, mainly in Europe, the Americas and parts of Asia, had been infected.

The stolen data was primarily used to take over social media accounts, especially Facebook accounts with advertising capabilities. These were then used for online business activities, commission-based schemes, or sold to third parties. Initial estimates suggest the group earned illicit profits worth tens of billions of VND.

Authorities have charged 12 suspects with producing, trading or distributing software tools for illegal purposes, and unlawfully accessing computer and telecommunications networks or electronic devices.

Content link: https://dtinews.dantri.com.vn/vietnam-today/vietnam-student-behind-malware-attack-on-94000-computers-20260325101456446.htm