Waterloo Region Record

ESentire mining ‘treasure trove’ of clues about dark web crooks

Waterloo cybersecurity firm expects malware used to steal millions to soon target e-commerce firms

Terry Pender is a Waterloo Region-based reporter focusing on arts and entertainment for The Record. Reach him via email: tpender@therecord.com

When hackers started turning on one another and leaking the contents of closed online forums, cybersecurity researchers found a trove of information about criminals on the dark web.

That’s where eSentire’s Joe Stewart first picked up the digital trail of a Montreal man known as “Badbullzvenom,” who was providing notorious Russian cybercrime groups with malware.

Stewart and another researcher at eSentire, Keegan Keplinger, are the talk of the cybersecurity conference in Las Vegas — Black Hat 2022 — for unmasking the hacker behind the malware “Golden Chickens.”

Stewart is a cybersecurity veteran. He was the first to detect cyberespionage by the Chinese military against American companies. He has unmasked hackers in Nigeria, Russia, China and now Montreal.

The Waterloo-based cybersecurity company provided the RCMP with everything it has on the Montreal resident, whom the company believes is associated with a Haitian street gang, The 67s, based in the city’s Saint-Michel neighbourhood.

“So what we would like is for someone to go find him and slap some cuffs on,” said Stewart.

The Montreal man provided “Golden Chickens” malware to FIN6 and Cobalt, two notorious Russian cybercrime groups. They are affiliated with a third, Evilnum, based in neighbouring Belarus. The trio has stolen $1.5 billion (U.S.) and is known as “The Billion Dollar Hackers Club.”

“These guys are getting away with a lot of financial crime causing a lot of financial damage,” said Stewart. “Selling their tools to people who are causing even more damage.”

One of the biggest changes in his cybersecurity career started in 2011-2012 with the first leaks from closed hacker forums on the dark web.

At first, there was a trickle of tantalizing digital clues about the professional criminals who shared information, advice and malware in the forums.

It grew into a torrent of huge leaks in 2019.

Until then, cybercriminals had to make a big mistake before they were unmasked.

“But now, with all of the database leaks that have occurred from these underground hacker forums, we can paint a clear picture of who the threat actor is if they’ve spent any number of years online engaging in cybercrime, and then talking to other threat actors and revealing little hints about themselves,” said Stewart.

The combined leaks need safe storage with access for cybersecurity researchers, who can use the information for years of investigations.

“This is all stuff that wasn’t available before but is now,” said Stewart.

“This is just a treasure trove of information for people like us.”

Stewart and Keplinger will use those leaks to continue working on the “Golden Chickens” file. The Montreal hacker they unmasked worked with an accomplice eSentire believes is in Romania.

The “Golden Chickens” malware was used in attacks in March 2021 and again in March 2022. Since then, eSentire has seen it being uploaded to VirusTotal, the Google-owned service that checks submitted files against dozens of anti-virus engines. Hackers upload samples there to find out whether their malware slips past the scanners before they use it.

To eSentire, spotting it on VirusTotal is a sign that another campaign against e-commerce companies is imminent.

Usually, hackers test malware on underground scanning services that, unlike VirusTotal, promise not to share submitted samples with anti-virus vendors; those services are taken down regularly by authorities.

The hackers’ preferred testing platform might be down, so they used the publicly available one because they have to test the malware for a buyer, said Stewart.

“So now we are just waiting for the other shoe to drop on this latest campaign,” said Stewart.

At first, small pieces of the malicious code were uploaded to VirusTotal in July. Then the full “Golden Chickens” payload was uploaded.
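The defender’s side of this signal, as an added example that is not eSentire’s code: the records below are constructed in the shape of the attributes VirusTotal’s v3 API returns for a file object (last_analysis_stats, first_submission_date, size, names), with placeholder hashes and dates, and the thresholds (seven days, a 20 per cent detection ratio, a four-fold jump in size) are assumptions chosen for illustration, not figures from the article.

```python
"""Flag VirusTotal-style submissions that look like an attacker testing a build.

Added example, not eSentire tooling. The data is constructed to mimic the
"attributes" of a VirusTotal v3 file object; hashes, names and dates are
placeholders, not the Golden Chickens samples the article describes.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 8, 12, tzinfo=timezone.utc)  # assumed "current" time


def _ts(days_ago):
    """Unix timestamp for a constructed submission N days before NOW."""
    return int((NOW - timedelta(days=days_ago)).timestamp())


# Constructed records. Only the fields used below are included.
SAMPLES = [
    {   # old, widely detected: a known build, not a test
        "sha256": "a" * 64, "size": 6_144, "names": ["old_loader.js"],
        "first_submission_date": _ts(30),
        "last_analysis_stats": {"malicious": 40, "suspicious": 2, "undetected": 20, "harmless": 0},
    },
    {   # fresh, tiny, almost nothing detects it: first small piece
        "sha256": "b" * 64, "size": 3_072, "names": ["piece1.js"],
        "first_submission_date": _ts(5),
        "last_analysis_stats": {"malicious": 2, "suspicious": 0, "undetected": 58, "harmless": 0},
    },
    {   # fresh, tiny, low detection: second small piece
        "sha256": "c" * 64, "size": 4_096, "names": ["piece2.js"],
        "first_submission_date": _ts(4),
        "last_analysis_stats": {"malicious": 3, "suspicious": 0, "undetected": 57, "harmless": 0},
    },
    {   # fresh, much larger, still low detection: the full payload
        "sha256": "d" * 64, "size": 48_000, "names": ["full_payload.js"],
        "first_submission_date": _ts(1),
        "last_analysis_stats": {"malicious": 4, "suspicious": 0, "undetected": 56, "harmless": 0},
    },
    {   # fresh but heavily detected: the engines already know it
        "sha256": "e" * 64, "size": 20_000, "names": ["burned.js"],
        "first_submission_date": _ts(2),
        "last_analysis_stats": {"malicious": 45, "suspicious": 0, "undetected": 15, "harmless": 0},
    },
]


def detection_ratio(stats):
    """Share of engines that flagged the file. 'harmless', 'timeout' and
    'type-unsupported' verdicts are left out so they do not dilute the ratio."""
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    scanned = flagged + stats.get("undetected", 0)
    return flagged / scanned if scanned else 0.0


def submitted_at(sample):
    return datetime.fromtimestamp(sample["first_submission_date"], tz=timezone.utc)


def looks_like_evasion_test(sample, now=NOW, max_age=timedelta(days=7), max_ratio=0.2):
    """A file first seen very recently that almost no engine detects is
    consistent with an operator checking a build before selling or using it."""
    fresh = now - submitted_at(sample) <= max_age
    return fresh and detection_ratio(sample["last_analysis_stats"]) <= max_ratio


def staged_sequence(samples, now=NOW, window=timedelta(days=14), size_jump=4.0):
    """Return the probable test uploads in time order, plus whether they end
    with a 'full payload': a file much larger than the small pieces before it
    and submitted within `window` of the first piece."""
    tests = sorted((s for s in samples if looks_like_evasion_test(s, now)), key=submitted_at)
    if len(tests) < 2:
        return tests, False
    head, last = tests[:-1], tests[-1]
    largest_piece = max(s["size"] for s in head)
    within_window = submitted_at(last) - submitted_at(head[0]) <= window
    return tests, bool(within_window and last["size"] >= size_jump * largest_piece)


if __name__ == "__main__":
    seq, escalated = staged_sequence(SAMPLES)
    for s in seq:
        print(f"{submitted_at(s):%Y-%m-%d} {s['names'][0]:16} size={s['size']:6d} "
              f"ratio={detection_ratio(s['last_analysis_stats']):.2f}")
    print("full payload followed small pieces:", escalated)
```

The rule catches the pattern the article describes (small low-detection pieces followed by a larger build) without any knowledge of the malware family; in practice it would run over hunting results pulled from the VirusTotal API and be paired with family-specific rules, since a fresh, undetected file on its own is also what a legitimate new release looks like.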

“Things are moving pretty fast now,” said Stewart. “I would expect something in the next couple of months.”


Section: Local

Published: 2022-08-13

https://waterloorecord.pressreader.com/article/281547999672709

Toronto Star Newspapers Limited