From Telegram to Handcuffs: How OSINT Unmasked the Developer Behind Valkyrie, Prysmax, and Packit Stealers + Video

Listen to this Post

Featured Image

Introduction

In a landmark threat intelligence operation, DeXpose’s threat intel team successfully de-anonymized “Lawxsz”, the developer of three major info-stealers (Valkyrie, Prysmax, and Packit Stealer), by tracing a single Telegram account through phone number OSINT, breach data from multiple forum compromises, GitHub commit metadata, and platform-specific enumeration. This exercise demonstrates how seemingly disconnected aliases across underground forums can be collapsed into a single confirmed identity using open-source intelligence techniques and cross-referenced breach data.

Learning Objectives

  • Master OSINT techniques to trace threat actors across Telegram, GitHub, and underground forums using phone numbers, commit metadata, and breach corpus analysis.
  • Apply Linux and Windows command-line tools to automate alias correlation, metadata extraction, and credential aggregation.
  • Implement defensive countermeasures to detect and mitigate info-stealer infrastructure, phishing kits, and FUD malware distribution.

You Should Know

  1. Phone Number OSINT: From Telegram Handle to Real-World Identity
    The first step in unmasking Lawxsz was extracting a phone number from his Telegram account. Telegram’s privacy settings often leak phone numbers via “Find by Phone Number” if the user hasn’t disabled it. Using tools like `telegram-phone-number-checker` or manual `tg-cli` scripting, investigators can correlate a phone number with breach databases.

Step‑by‑Step Guide (Linux):

  1. Install `telegram-cli` or use `mtprotoproxy` to interact with Telegram’s API.
  2. Use a disposable phone number or API key to query the target’s public info:
    tg -s "resolve_username lawxsz"
    
  3. Extract associated phone number (if exposed) via debug output or using telegram-phone-number-checker:
    git clone https://github.com/tejado/telegram-phone-number-checker
    cd telegram-phone-number-checker
    pip install -r requirements.txt
    python checker.py --username lawxsz
    
  4. Cross-reference the phone number with `dehashed.com` or `snusbase` using API:
    curl -u "API_KEY:EMAIL" https://api.dehashed.com/search?query=phone:+1234567890
    
  5. Use `phoneinfoga` for advanced carrier and geolocation data:
    docker run -it sundowndev/phoneinfoga scan -n "+1234567890"
    

Windows Alternative:

  • Use `whois` on phone number via `osintgram` or `PhoneInfoga.exe` (precompiled binary).
  • Leverage `PowerShell` to call DeHashed REST API with Invoke-RestMethod.

2. Breach Data Correlation from Multiple Forum Compromises

Lawxsz reused credentials across Nulled, Cracked, RaidForums (archived), and Exploit.in. By aggregating breach dumps (e.g., “Collection 1-5”, “Anti Public”), investigators found matching hashed passwords and email addresses.

Step‑by‑Step Breach Analysis (Linux):

  1. Download breach corpus (legally, via known breach dumps or HaveIBeenPwned domain search).

2. Use `grep` to filter for aliases:

grep -r "lawxsz" /path/to/breaches/ | cut -d: -f1 | sort -u

3. Extract email:password pairs and hash with `hashcat` (mode 0 for MD5):

hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

4. Correlate same password across different forum usernames using `pwned-passwords` API:

curl -X GET "https://api.pwnedpasswords.com/range/"$(echo -n "password123" | sha1sum | cut -c 1-5)

5. Use `h8mail` to automate breach lookup for multiple emails:

h8mail -t target_emails.txt -c config.json

Windows PowerShell:

Select-String -Path "C:\breaches.txt" -Pattern "lawxsz"

3. GitHub Commit Metadata Enumeration

Lawxsz accidentally left real name and email in Git commits of private repositories that were later made public or leaked via `.git` folders on misconfigured servers.

Step‑by‑Step Git OSINT (Linux):

  1. Clone any public repository associated with the stealer’s test domains:
    git clone https://github.com/suspicious-user/repo.git
    cd repo
    git log --pretty=format:"%h - %an, %ae : %s" > commits.txt
    

2. Extract unique authors:

git log --format='%aN' | sort -u

3. Search for commit metadata using GitHub’s REST API:

curl -H "Accept: application/vnd.github.v3+json" https://api.github.com/search/commits?q=author:lawxsz

4. Use `git filter-branch` to identify timestamps that correlate with forum activity (timezone analysis).
5. Cross-reference email hashes with Gravatar to retrieve profile images.

Windows (Git Bash or PowerShell):

git log --pretty=format:"%an %ae" | Sort-Object -Unique

4. Platform‑Specific Enumeration and Alias Collapsing

Lawxsz used nine aliases across six forums (e.g., “packit_dev”, “valkyrie_1337”, “prysmax_seller”). By enumerating profile pages, post signatures, and PGP keys, DeXpose collapsed them into one identity.

Step‑by‑Step (Use Maltego or manual scripts):

  1. Write a Python script using `requests` and `BeautifulSoup` to scrape forum profiles:
    import requests
    from bs4 import BeautifulSoup
    aliases = ["lawxsz", "packit_dev", "valkyrie_1337"]
    for alias in aliases:
    url = f"https://cracked.io/member.php?action=profile&uid={alias}"
    response = requests.get(url, cookies={"session": "your_cookie"})
    soup = BeautifulSoup(response.text, 'html.parser')
    print(soup.find('div', class_='signature').text)
    

2. Extract shared PGP fingerprint from multiple accounts:

gpg --recv-keys 0xDEADBEEF && gpg --fingerprint 0xDEADBEEF

3. Use `spiderfoot` to automate alias correlation:

sf.py -s lawxsz -m  scans 200+ modules

4. Perform “avatar reverse image search” using `tineye` or `Google Images` API.
5. Consolidate results into a link chart using `Maltego` transforms (built-in OSINT transforms).

  1. Malware Attribution: YARA Rules and Import Hashing for Valkyrie/Prysmax/Packit
    Once Lawxsz was identified, his stealer binaries were analyzed for code reuse. Shared import address tables (IAT) and unique strings confirmed authorship.

Step‑by‑Step Malware Analysis (Linux):

  1. Extract IAT from PE files using `pescan` or radare2:
    radare2 -A binary.exe
    [bash]> iE
    
  2. Generate a fuzzy hash (ssdeep) to compare variants:
    ssdeep -b valkyrie.exe prysmax.exe
    
  3. Write a YARA rule to detect all three families:
    rule Lawxsz_Stealer_Family {
    strings:
    $s1 = "ValkyriePanel" fullword ascii
    $s2 = "PrysmaxLogs" fullword ascii
    $s3 = "PackitC2" fullword ascii
    $hash = { 6A 00 68 00 30 00 00 }  unique opcode sequence
    condition:
    any of ($s) or $hash
    }
    

4. Scan a directory with `yara`:

yara -r lawxsz_rules.yar /samples/

5. Use `capa` to identify capabilities (anti‑VM, keylogging, form grabbing):

capa -v prysmax.exe

Windows (FlareVM):

capa.exe --json prysmax.exe > output.json
  1. Defensive Mitigation Against FUD Malware and Phishing Kits
    Organizations can use the indicators from Lawxsz’s stealer families (C2 domains, registry keys, mutexes) to harden endpoints.

Step‑by‑Step Mitigation (Windows Event Logs & Sysmon):

  1. Deploy Sysmon to log process creation and network connections:
    <RuleGroup name="StealerDetection">
    <ProcessCreate onmatch="include">
    <CommandLine condition="contains">powershell -enc</CommandLine>
    </ProcessCreate>
    </RuleGroup>
    
  2. Block known C2 domains via Windows Defender Firewall:
    New-NetFirewallRule -DisplayName "Block Valkyrie C2" -Direction Outbound -RemoteAddress 185.130.5.253 -Action Block
    
  3. Use `Autoruns` to detect persistence mechanisms (scheduled tasks, Run keys).
  4. Deploy `osquery` to hunt for stealer‑specific registry keys:
    SELECT  FROM registry WHERE path LIKE 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\%' AND name LIKE '%Valkyrie%';
    
  5. Create a custom detection rule in SIEM (Splunk/ELK) for anomalies like `%Temp%\.exe` writing to AppData\Local\Google\Chrome\User Data\Default\Login Data.

Linux Hardening:

  • Use `auditd` to monitor access to `.mozilla/firefox/` and .config/google-chrome/.
  • Deploy `AppArmor` profiles for browsers to prevent credential dumping.

What Undercode Say

  • Key Takeaway 1: Even sophisticated threat actors who compartmentalize aliases across forums, Telegram, and GitHub can be unmasked by systematic OSINT that cross-references phone numbers, breach data, commit metadata, and PGP fingerprints.
  • Key Takeaway 2: Defenders must adopt proactive threat hunting using the same open-source tools—Git scraping, breach API correlation, and YARA rules—to identify and attribute malware families before they proliferate.

Analysis (approx. 10 lines):

The DeXpose investigation reveals a critical blind spot in cybercriminal tradecraft: reusing infrastructure artifacts (commit emails, phone numbers, password hashes) across isolated personas. Lawxsz believed that changing usernames and using different forums would break the link, but OSINT techniques like phone number reversal and Git log mining collapsed his false identities in under 48 hours. For blue teams, this highlights the value of ingesting breach data feeds and automating correlation scripts. The fact that three separate stealers shared IAT patterns and YARA signatures underscores code reuse among even “individual” developers. Red teams can use similar methods to emulate advanced persistent adversaries. Law enforcement can now pivot from digital evidence to physical identification via phone carrier data and forum registration IP logs. As info‑stealers become more modular (e.g., Prysmax using stolen credit card APIs), attribution will rely on continuous metadata scraping. The biggest lesson: no alias is truly disconnected if any digital artifact overlaps.

Prediction

Within 12 months, law enforcement agencies will operationalize automated OSINT pipelines that scrape Telegram, breach dumps, and GitHub commits in real time, feeding into identity graph databases (e.g., Linkurious, Neo4j). This will dramatically shorten the window between malware release and developer de‑anonymization. Conversely, threat actors will shift toward ephemeral communication (Session, SimpleX), use single‑use phone numbers from SIM farms, and adopt Git commit obfuscation tools (e.g., `git filter-repo` with forced history rewrites). However, the fundamental principle of “metadata persistence”—that any online interaction leaves a traceable artifact—will ensure that no criminal can hide forever. Expect a surge in marketplace takedowns and arrests of stealer developers by Q3 2026, as cross‑forum correlation becomes standard practice in cybercrime investigations.

▶️ Related Video (78% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: 0x4148 Threatintelligence – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky