{
	"id": "a610c679-bddf-4245-b339-dbefff373aab",
	"created_at": "2026-04-06T00:13:12.405036Z",
	"updated_at": "2026-04-10T13:11:44.937681Z",
	"deleted_at": null,
	"sha1_hash": "24654874750e9977e427e14b510e47e0bcb4b874",
	"title": "Trik Spam Botnet Leaks 43 Million Email Addresses",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1937876,
	"plain_text": "Trik Spam Botnet Leaks 43 Million Email Addresses\r\nBy Catalin Cimpanu\r\nPublished: 2018-06-12 · Archived: 2026-04-05 14:04:29 UTC\r\nOver 43 million email addresses have leaked from the command and control server of a spam botnet, a security researcher\r\nhas told Bleeping Computer today.\r\nThe leaky server came to light while a threat intelligence analyst from Vertek Corporation, was looking into a recent\r\nmalware campaign distributing a version of the Trik trojan, which was later infecting users with a second-stage payload —\r\nthe GandCrab 3 ransomware.\r\nThe Vertek researcher discovered that Trik and GandCrab would download the malicious files that infected users' systems\r\nfrom an online server located on a Russian IP address.\r\nhttps://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nThe researcher told Bleeping Computer that the group behind this operation misconfigured its server and left its content\r\naccessible to anyone accessing the IP directly.\r\nOn this server, he discovered 2201 text files, labeled sequentially from 1.txt to 2201.txt containing chunks of roughly 20,000\r\nemail addresses, each.\r\nThe Vertek researcher believes the operators of this server have been using these recipient lists to service other crooks who\r\ncontracted their services to distribute various malware strains via malspam campaigns.\r\nServer leaks 43,555,741 unique email addresses\r\n\"We pulled all of them to validate that they are unique and legitimate,\" the researcher told Bleeping Computer earlier today.\r\n\"Out of 44,020,000 potential addresses, 43,555,741 are unique.\"\r\nThe researcher is now working with Australian security expert Troy Hunt, the owner of the Have I Been Pwned service, to\r\ndetermine how many of these emails are new and how many have been previously leaked in other data dumps.\r\n\"The email addresses are from everywhere,\" the researcher told us. \" There were 4.6 million unique email domains.\r\nEverything from .gov to .com, and domain of several private businesses.\"\r\nThe Vertek researcher has analyzed the files and broke down the email addresses per domain. In a list the researcher shared\r\nwith us earlier today (embedded at the bottom of this article), he points out that the vast majority of email addresses are old,\r\nfrom antiquated email services such as Yahoo (10.6 million) and AOL (8.3 million).\r\nSurprisingly, while there are many custom email domains included in the leak, there are very few Gmail addresses included,\r\nsuggesting the email addresses database is either incomplete, or this malware campaign intentionally targeted users using\r\nolder email services.\r\nThe Trik trojan\r\nThe Trik trojan is a classic malware downloader. It infects computers and assembles them into a giant botnet. The botnet's\r\noperators use these computers to send out new spam campaigns, or they sell \"install space\" to other crooks, allowing them to\r\ndeliver more pontent threats to Trik victims, similarly to how they rented install space to the GandCrab crew for the\r\ncampaign Vertek stumbled on.\r\nThe Trik trojan has been an active threat for at least a decade but has recently seen a resurgence, according to this Proofpoint\r\nreport.\r\nhttps://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/\r\nPage 3 of 6\n\nIn its earlier days, the malware operated primarily as a worm that self-spread via removable USB storage devices, Skype, or\r\nWindows Live Messenger chats. These worm-based variants had previously been tracked under the name of Phorpiex.\r\nThe malware evolved into a fully-fledged trojan years later, when it forked the codebase of the SDBot trojan and started\r\nusing email spam as its main delivery \u0026 infection mechanism, while also switching to an IRC-controlled botnet architecture.\r\nTrik is not the first spam botnet to leak its email addresses database. In August 2017, a spam operation known as Onliner\r\nleaked 711 million email addresses that it was using to spam users.\r\nAt the time of writing, the Trik C\u0026C server that's leaking email addresses keeps going offline at intermittent intervals.\r\nTop 100 email domains included in the leaked data:\r\n8907436 yahoo.com\r\n8397080 aol.com\r\n 788641 comcast.net\r\n 433419 yahoo.co.in\r\n 432129 sbcglobal.net\r\n 414912 msn.com\r\n 316128 rediffmail.com\r\n 294427 yahoo.co.uk\r\n 286835 yahoo.fr\r\n 282279 verizon.net\r\n 244341 bellsouth.net\r\n 234718 cox.net\r\n 227209 earthlink.net\r\n 221737 yahoo.com.br\r\n 191098 ymail.com\r\n 174848 att.net\r\n 156851 btinternet.com\r\n 139885 libero.it\r\n 120120 yahoo.es\r\n 117175 charter.net\r\n 112566 mac.com\r\n 111248 mail.ru\r\n 107810 juno.com\r\n 92141 optonline.net\r\n 86967 yahoo.ca\r\n 78964 me.com\r\n 73341 yahoo.com.ar\r\n 71545 yahoo.in\r\n 71200 rocketmail.com\r\n 69757 wanadoo.fr\r\n 68645 rogers.com\r\n 65629 yahoo.it\r\n 65017 shaw.ca\r\n 64091 ig.com.br\r\n 63045 163.com\r\n 62375 uol.com.br\r\n 57764 free.fr\r\n 57617 yahoo.com.mx\r\n 57066 web.de\r\n 56507 orange.fr\r\n 56309 sympatico.ca\r\n 54767 aim.com\r\n 51352 cs.com\r\n 50256 bigpond.com\r\n 48455 terra.com.br\r\n 43135 yahoo.co.id\r\nhttps://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/\r\nPage 4 of 6\n\n41533 netscape.net\r\n 40932 alice.it\r\n 39737 sky.com\r\n 39116 yahoo.com.au\r\n 38573 bol.com.br\r\n 38558 YAHOO.COM\r\n 37882 excite.com\r\n 37788 mail.com\r\n 37572 tiscali.co.uk\r\n 37361 mindspring.com\r\n 37350 tiscali.it\r\n 36636 HOTMAIL.COM\r\n 36429 ntlworld.com\r\n 34771 netzero.net\r\n 33414 prodigy.net\r\n 33208 126.com\r\n 32821 yandex.ru\r\n 32526 planet.nl\r\n 32496 yahoo.com.cn\r\n 31167 qq.com\r\n 30831 embarqmail.com\r\n 30751 adelphia.net\r\n 30536 telus.net\r\n 30005 hp.com\r\n 29160 yahoo.de\r\n 28290 roadrunner.com\r\n 27558 skynet.be\r\n 26732 telenet.be\r\n 26299 wp.pl\r\n 26135 talktalk.net\r\n 26072 pacbell.net\r\n 26051 t-online.de\r\n 25929 netzero.com\r\n 25917 optusnet.com.au\r\n 25897 virgilio.it\r\n 25525 home.nl\r\n 25227 videotron.ca\r\n 24881 blueyonder.co.uk\r\n 24462 peoplepc.com\r\n 24435 windstream.net\r\n 24079 xtra.co.nz\r\n 23465 bluewin.ch\r\n 23375 us.army.mil\r\n 22433 hetnet.nl\r\n 22247 trainingelite.com\r\n 22021 yahoo.com.sg\r\n 21689 laposte.net\r\n 21336 ge.com\r\n 21130 frontiernet.net\r\n 21055 q.com\r\n 21034 mchsi.com\r\n 20882 webtv.net\r\n 20830 abv.bg\r\n 19425 insightbb.com\r\nhttps://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/\r\nPage 5 of 6\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/\r\nhttps://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/"
	],
	"report_names": [
		"trik-spam-botnet-leaks-43-million-email-addresses"
	],
	"threat_actors": [],
	"ts_created_at": 1775434392,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24654874750e9977e427e14b510e47e0bcb4b874.pdf",
		"text": "https://archive.orkl.eu/24654874750e9977e427e14b510e47e0bcb4b874.txt",
		"img": "https://archive.orkl.eu/24654874750e9977e427e14b510e47e0bcb4b874.jpg"
	}
}