{
	"id": "7b96da41-b7e7-42c1-b511-e4215f4a9847",
	"created_at": "2026-04-06T00:10:18.025372Z",
	"updated_at": "2026-04-10T13:11:29.058516Z",
	"deleted_at": null,
	"sha1_hash": "480644fd3f8d7038109dfa8d211ce09d5e09496e",
	"title": "How the Mimikatz Hacker Tool Stole the World's Passwords",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 253974,
	"plain_text": "How the Mimikatz Hacker Tool Stole the World's Passwords\r\nBy Andy Greenberg\r\nPublished: 2017-11-09 · Archived: 2026-04-05 20:26:01 UTC\r\nFive years ago, Benjamin Delpy walked into his room at the President Hotel in Moscow, and found a man dressed\r\nin a dark suit with his hands on Delpy's laptop.\r\nJust a few minutes earlier, the then 25-year-old French programmer had made a quick trip to the front desk to\r\ncomplain about the room's internet connection. He had arrived two days ahead of a talk he was scheduled to give\r\nat a nearby security conference and found that there was no Wi-Fi, and the ethernet jack wasn't working.\r\nDownstairs, one of the hotel's staff insisted he wait while a technician was sent up to fix it. Delpy refused, and\r\nwent back to wait in the room instead.\r\nWhen he returned, as Delpy tells it, he was shocked to find the stranger standing at the room's desk, a small black\r\nrollerboard suitcase by his side, his fingers hurriedly retracting from Delpy's keyboard. The laptop still showed a\r\nlocked Windows login screen.\r\nThe man mumbled an apology in English about his keycard working on the wrong room, brushed past Delpy, and\r\nwas out the door before Delpy could even react. \"It was all very strange for me,\" Delpy says today. \"Like being in\r\na spy film.\"\r\nIt didn't take Delpy long to guess why his laptop had been the target of a literal black bag job. It contained the\r\nsubject of his presentation at the Moscow conference, an early version of a program he'd written called Mimikatz.\r\nThat subtly powerful hacking tool was designed to siphon a Windows user's password out of the ephemeral murk\r\nof a computer's memory, so that it could be used to gain repeated access to that computer, or to any others that\r\nvictim's account could access on the same network. 
The Russians, like hackers around the world, wanted Delpy's\r\nsource code.\r\nIn the years since, Delpy has released that code to the public, and Mimikatz has become a ubiquitous tool in all\r\nmanner of hacker penetrations, allowing intruders to quickly leapfrog from one connected machine on a network\r\nto the next as soon as they gain an initial foothold.\r\nhttps://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/\r\nPage 1 of 3\n\nBenjamin Delpy\r\nMost recently, it came into the spotlight as a component of two ransomware worms that have torn through Ukraine\r\nand spread across Europe, Russia, and the US: Both NotPetya and last month's BadRabbit ransomware strains\r\npaired Mimikatz with leaked NSA hacking tools to create automated attacks whose infections rapidly saturated\r\nnetworks, with disastrous results. NotPetya alone led to the paralysis of thousands of computers at companies like\r\nMaersk, Merck, and FedEx, and is believed to have caused well over a billion dollars in damages.\r\nThose internet-shaking ripples were enabled, at least in part, by a program that Delpy coded on a lark. An IT\r\nmanager for a French government institution that he declines to name, Delpy says he originally built Mimikatz as\r\na side project, to learn more about Windows security and the C programming language—and to prove to Microsoft\r\nthat Windows included a serious security flaw in its handling of passwords.\r\nHis proof-of-concept achieved its intended effect: In more recent versions of Windows, the company changed its\r\nauthentication system to make Mimikatz-like attacks significantly more difficult. But not before Delpy's tool had\r\nentered the arsenal of every resourceful hacker on the planet.\r\n\"Mimikatz wasn’t at all designed for attackers. But it's helped them,\" Delpy says in his understated and French-tinged English. 
\"When you create something like this for good, you know it can be used by the bad side too.\"\r\nEven today, despite Microsoft's attempted fixes, Mimikatz remains an all-too-useful hacker tool, says Jake\r\nWilliams, a penetration tester and founder of security firm Rendition Infosec. \"When I read a threat intelligence\r\nreport that says someone used Mimikatz, I say, 'tell me about one that doesn’t,'\" Williams says. \"Everyone uses it,\r\nbecause it works.\"\r\nSecrets for the Taking\r\nMimikatz first became a key hacker asset thanks to its ability to exploit an obscure Windows function called\r\nWDigest. That feature is designed to make it more convenient for corporate and government Windows users to\r\nprove their identity to different applications on their network or on the web; it holds their authentication\r\ncredentials in memory and automatically reuses them, so they only have to enter their username and password\r\nonce.\r\nWhile Windows keeps that copy of the user's password encrypted, it also keeps a copy of the secret key to decrypt\r\nit handy in memory, too. \"It’s like storing a password-protected secret in an email with the password in the same\r\nemail,\" Delpy says.\r\nSource: https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/"
	],
	"report_names": [
		"how-mimikatz-became-go-to-hacker-tool"
	],
	"threat_actors": [],
	"ts_created_at": 1775434218,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/480644fd3f8d7038109dfa8d211ce09d5e09496e.pdf",
		"text": "https://archive.orkl.eu/480644fd3f8d7038109dfa8d211ce09d5e09496e.txt",
		"img": "https://archive.orkl.eu/480644fd3f8d7038109dfa8d211ce09d5e09496e.jpg"
	}
}