UPDATED 09:00 EDT / OCTOBER 07 2022

‘LofyGang’ hacking group targets Discord, Disney+ and Minecraft accounts

Security researchers at application security testing firm Checkmarx Ltd. have detailed a range of attacks from a previously little-known attack group called “LofyGang” that target online accounts.

LofyGang has been found to be linked to more than 200 malicious packages, with thousands of installations throughout 2022. The group, believed to have been operating for more than a year, has multiple objectives, including stealing credit card information and taking over user accounts, among them Discord Inc. premium accounts, streaming service accounts such as Disney+, and Minecraft accounts.

Those behind the group have been seen promoting their hacking tools on hacking forums, with some of those tools shipped with a hidden backdoor. LofyGang has been linked to several software supply chain incidents reported this year by Sonatype Inc., JFrog Ltd. and Securelist.

The researchers first uncovered some of LofyGang’s malicious packages in August and then launched a full investigation using their internal retro-hunting tools. The hunt for LofyGang opened a Pandora’s Box of other tools, attacks and campaigns.

LofyGang is described by the researchers as an organized crime group that creates “sock-puppet” accounts using a closed dictionary of names with slight permutations of keywords such as lofy, life, polar, panda, Kakau, evil, devil and vilão — devil in Portuguese. The use of Portuguese led the researchers to conclude that LofyGang originates in Brazil, since much of the evidence contained Brazilian Portuguese sentences and even a file called “brazil.js.”
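The closed-dictionary naming pattern described above is something a registry or package-review team can screen for. The following is an added example, not code from Checkmarx or the article: it takes the keyword list quoted above and flags maintainer or package names whose tokens are an exact or one-character-off match for one of those keywords. The edit-distance threshold, the tokenizer and the sample names are assumptions constructed for the illustration, and a match is only a triage signal, not proof that an account belongs to the group.

```python
import re
import unicodedata

# Name keywords the article says LofyGang sock-puppet accounts are permuted from.
LOFYGANG_KEYWORDS = ["lofy", "life", "polar", "panda", "kakau", "evil", "devil", "vilão"]


def normalize(text):
    """Lower-case and strip accents so 'Vilão' and 'vilao' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def tokenize(name):
    """Split a name into alphabetic tokens; digits and punctuation act as separators."""
    return [t for t in re.split(r"[^a-z]+", normalize(name)) if t]


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def closest_keyword(token, keywords=LOFYGANG_KEYWORDS, max_distance=1):
    """Return the nearest keyword if it is within max_distance edits, else None.

    Picking the nearest rather than the first hit matters because 'evil' and
    'devil' are themselves one edit apart.
    """
    best_kw, best_dist = None, None
    for kw in keywords:
        d = levenshtein(token, normalize(kw))
        if best_dist is None or d < best_dist:
            best_kw, best_dist = kw, d
    return best_kw if best_dist is not None and best_dist <= max_distance else None


def score_maintainer_name(name):
    """List the dictionary keywords (deduplicated, in order) that a name's tokens resemble."""
    hits = []
    for token in tokenize(name):
        kw = closest_keyword(token)
        if kw and kw not in hits:
            hits.append(kw)
    return hits


def flag_suspicious_maintainers(names):
    """Map each name that matched at least one keyword to its matches."""
    return {n: hits for n in names if (hits := score_maintainer_name(n))}


if __name__ == "__main__":
    # Constructed sample maintainer names; none are real accounts.
    sample = ["lofy-dev", "polar_panda99", "Evil.Devil", "alice-smith",
              "vilao-js", "lyfe_tools", "npm-helper"]
    for name, hits in flag_suspicious_maintainers(sample).items():
        print(f"{name:16} -> {hits}")
```

A threshold of one edit catches the "slight permutations" the researchers describe (lyfe for life, lofi for lofy) while leaving ordinary names such as alice-smith unflagged; raising it quickly produces noise, so pair the score with other signals (account age, install scripts, obfuscated code) before acting on it.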

The gang also operates in plain sight. Setting aside the multiple Google hits for the gang, including YouTube videos and a TikTok hashtag, LofyGang runs a Discord server created in October 2021. It also operates a Discord bot called “Lofy Boost” to deploy stolen credit cards on the operator’s account.

LofyGang was also found to contribute to Cracked.io, an underground community that leaks thousands of Disney+ and Minecraft accounts. Underscoring how openly the group operates, the researchers further found that LofyGang promotes its hacking tools on a GitHub Inc. page.

The researchers conclude that LofyGang is a good example of the adage “don’t trust code from strangers, especially attackers,” given the gang’s reliance on malware to infect potential victims and steal their credentials.

“The surge of recent open-source supply chain attacks teaches us that cyber attackers have realized that abusing the open-source ecosystem represents an easy way to increase the effectiveness of their attacks,” the researchers state. “Communities are being formed around utilizing open-source software for malicious purposes. We believe this is the start of a trend that will increase in the coming months.”

Checkmarx has also established a LofyGang tracking website at Lofygang.info to share new findings about the hacking group.

Image: Checkmarx/LofyGang
