Twitch was breached and a 125 GB torrent posted to 4chan exposed the platform’s entire source code, creator payouts going back to 2019, internal red team tools, and source code for an unreleased Amazon Steam competitor called Vapor — while the Freakout botnet was hijacking surveillance DVRs for Monero mining and the MyKings botnet had quietly accumulated $24.7 million in crypto since its first appearance five years earlier.
Stories Covered
Freakout Botnet Hijacks Surveillance DVRs for Monero Mining Using a Polymorphic Python Bot
Juniper Threat Labs researchers documented a new campaign by the Freakout botnet — active since at least January 2021 — targeting Visual Tools DVR VX16 devices used in surveillance systems. The malware component is NecroPython, a Python IRC bot that exploits multiple CVEs across different platforms including CVE-2021-29000 (Genexis), CVE-2020-15568 (TerraMaster TOS before 4.1.29), CVE-2020-25494 (Xen OS), CVE-2020-28188 (TerraMaster TOS up to 4.2.0), and CVE-2019-12725 (Zeroshell 3.9.0). Surveillance DVRs make attractive mining targets because they run continuously, are rarely monitored for performance anomalies, and are often left unpatched. Once compromised, the bot deploys XMRig, a Monero miner configured to send earnings to an attacker-controlled wallet. Monero is specifically preferred by criminal crypto mining operations because its privacy features make transaction tracing significantly harder than Bitcoin. NecroPython includes a polymorphic engine that mutates the malware’s code signature on each execution, complicating signature-based antivirus detection. For persistence across network changes, it uses a domain generation algorithm — attempting to contact a rotating set of programmatically derived domains until it finds its command-and-control server. Detection at the network level is possible by monitoring for machines generating abnormally high volumes of DNS requests in short windows — an indicator consistent with DGA behavior that does not match any normal user activity pattern.
Call of Duty’s Ricochet Anti-Cheat Kernel Driver: Security Concerns at Scale
Activision announced Ricochet, a kernel-level anti-cheat driver for Call of Duty: Warzone and Vanguard. The security concern with kernel-level drivers is not specific to Ricochet — it applies to any software operating at kernel privilege. Kernel drivers have deeply integrated access to the operating system, and any vulnerability in the driver represents an attack surface that operates at the highest privilege level on the machine. Call of Duty has approximately 100 million players; even if only a quarter play on PC, that represents roughly 25 million machines with this driver installed. A critical vulnerability in Ricochet would create a fleet of 25 million potentially exploitable systems attributable to a single driver from a single company. Activision stated the driver is not always-on and only inspects software interacting with Call of Duty, though those constraints are policy rather than architectural guarantees. The second concern is false positives: Ricochet reportedly intends to use machine learning to identify cheat patterns in server data. Machine learning classifiers are not perfectly accurate, and at the scale of tens of millions of players, even a half-percent false positive rate produces hundreds of thousands of incorrectly flagged accounts. Without a transparent appeal process and human review, automated enforcement at that scale creates accountability problems that the gaming community is right to scrutinize before accepting a kernel-level agent on their machines.
MyKings Botnet: $24.7 Million in Crypto, Clipboard Hijacking, and Steam Trade URL Manipulation
Avast Threat Labs documented the MyKings botnet, which has been active for roughly five years and remains operational. The Avast analysis found wallets linked to MyKings operations holding approximately $24.7 million in accumulated cryptocurrency — a figure reflecting the sustained revenue from a long-running operation rather than a single campaign. MyKings is notable for the breadth of its toolkit: it deploys bootkits (which install in the boot sector, making them extremely difficult to remove without a full system wipe), cryptocurrency miners, droppers for additional payload delivery, and clipboard stealers. The clipboard stealer is particularly effective against cryptocurrency users: it monitors the clipboard for wallet addresses and substitutes the attacker’s wallet when a user copies and pastes an address for a transaction, diverting funds without the victim noticing until they check their transaction history. The latest version extended this clipboard manipulation to Steam item trade URLs, hijacking trade offers so that the attacker receives the items instead of the intended recipient. A separate module uses Yandex Disk cloud storage as a delivery mechanism: compressed archives hosted there are made to appear as photo files and spread through social engineering, with victims unzipping what they believe is a legitimate file and executing the embedded malware instead.
Twitch Hack: 125 GB Leak Exposes Source Code, Creator Payouts, Red Team Tools, and Amazon’s Steam Competitor
An anonymous actor posted a 125 GB torrent to 4chan in October 2021 containing data described as the entirety of Twitch’s internal infrastructure. The leaked dataset included the complete Twitch source code with commit history going back to the platform’s early days, creator payout data from 2019 onward, mobile, desktop, and console clients, proprietary SDKs, internal AWS service configurations, IGDB and CurseForge properties, and — notably — source code for an unreleased Amazon Game Studios project codenamed Vapor described as a Steam competitor. The leak also included Twitch’s internal red team penetration testing tools, meaning the same attacker toolkit Twitch uses internally for its own security assessments was now in public circulation. Multiple sources confirmed the data was authentic. The hacker stated their motivation as disrupting the platform over what they described as a toxic community culture rather than financial gain, which makes this breach unusual: the attacker had access to data valuable enough to sell but chose to dump it publicly instead. For Twitch users: change your password if you have not done so since October 2021. The exposed data enables attackers with knowledge of creator identities and payout figures to craft targeted social engineering attacks against high-earning streamers.
Leave a Reply