{
	"id": "ed1f3187-bb0b-4938-8ad5-6a1b9df850d7",
	"created_at": "2026-04-06T00:08:36.506852Z",
	"updated_at": "2026-04-10T03:20:18.275232Z",
	"deleted_at": null,
	"sha1_hash": "75af65f18b37f3f5688ad24cc819abfbdc59d7e5",
	"title": "Nigerian Tesla: 419 scammer gone malware distributor unmasked",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1859526,
	"plain_text": "Nigerian Tesla: 419 scammer gone malware distributor unmasked\r\nBy Threat Intelligence Team\r\nPublished: 2022-05-04 · Archived: 2026-04-05 21:41:10 UTC\r\nAgent Tesla is a well-known data stealer written in .NET that has been active since 2014 and is perhaps one of the most popular payloads observed in malspam campaigns.\r\nWhile looking for threats targeting Ukraine, we identified a group we call “Nigerian Tesla” that has been dabbling in phishing and other data theft activities for a number of years. Ironically, one of the main threat actors seemingly compromised his own computer with an Agent Tesla binary.\r\nIn this blog, we expose some of the activities of a scammer who started off with classic advance-fee schemes and is now successfully running Agent Tesla campaigns. In the past two years, this threat actor was able to collect close to a million credentials from his victims.\r\nSpam campaign\r\nOur investigation started with an email titled Остаточний платіж.msg (Ukrainian for Final payment.msg). It contained a link to a file-sharing site from which an archive containing an executable file is downloaded. This executable is actually an Agent Tesla stealer, capable of exfiltrating data in multiple ways, though most commonly using SMTP. The technique is simple: it only requires an email account that sends itself a message containing the stolen credentials of each victim who executed the malware on their computer.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/\r\nPage 1 of 9\n\nTest successful!\r\nThe attacker sent a number of messages containing the body “Test successful!” from the same machine. Those emails should have been deleted for obvious reasons, but this threat actor did not delete them, and they leaked his own IP address, allowing us to locate him in Lagos, Nigeria.\r\nThese messages are checks done by the threat actor to make sure communication with Agent Tesla is configured properly. This is typical and is often described in hacking forums where users ask for help with the ‘software’.\r\nThere were an additional 26 emails sent from the same IP address that weren’t test emails but came from a real Agent Tesla execution. We don’t know exactly how, but the attacker managed to infect his own machine.\r\nHere is a list containing some of the services that the Nigerian Tesla threat actor used:\r\nPerfectMoney\r\nGlassdoor signupanywhere (could be a source of victims’ emails)\r\nomail.io (service for extracting emails)\r\nwarzone.ws (Warzone RAT)\r\nworldwiredlabs (NetWire RAT)\r\nle-vpn.com and bettervpn.com zenmate.com tigervpn hotvpn (VPN providers)\r\nsecuritycode.eu cassandra.pw (code protector)\r\nesco.pw (office document protection)\r\nmonovm hostwinds.com firevps dynu 4server.su (VPS and dedicated servers)\r\ndnsomatic.com cloudns.net (DNS services)\r\nspam-lab.su\r\nfilesend.io 4shared (file hosting)\r\navcheck.net (offline AV test)\r\nbitshacking.com\r\narchive.org (used like cloud storage)\r\nxss.is hackforums.net exploit.in\r\ntitan.email (.pw accounts, various scams)\r\nRita Bent, Lee Chen and John Cooper are some of the names that have been used in the past, along with dozens of different email accounts with passwords containing the string ‘1985’. The following image shows the activity of user rita398 on hackforums asking about Esco Crypter:\r\nIn that thread, we see Rita complaining about an RDP suspension that eventually happened to one of his registered domains.\r\nThe following email accounts were used in various phishing and data stealing operations:\r\nalong.aalahajirazak.ibrahim@gmail.com\r\nadministracion@romexpert.es\r\nadministracioneforce@eforce.es\r\nsoceanwave244@gmail.com\r\nbarristeradamssetien@gmail.com\r\ncatalinafuster@palmaprocura.com\r\ndavid01smith@yandex.com\r\ndavidsmith.ntx31@yandex.com\r\ndavids27smith@yandex.com\r\nelisabet.valenti@ag.barymont.com\r\ngestor3@afectadosvolkswagenabogados.com\r\ninfo@borrellacerrajeros.com\r\ninfo@crmarismas.org\r\ninfo@cristaleriagandia.com\r\ninfogestinsur@grupogestinsur.com\r\ninstalaciones@gopamar.com\r\nisabel@grupoatu.com\r\nm.lopez@forestadent.es\r\nnacho@alasvigilnevot.com\r\nrestaurante@elsecretodechimiche.com\r\nsoceanwave244@gmail.com\r\ntienda@di-tempo.com\r\ntorremolinos3@copiplus.es\r\nv.reino@gooddental.es\r\nvictor@sugesol.com\r\nvives@viveselectricitat.com\r\nBased on these profiles, we can see this threat actor has an extensive criminal record starting at least in 2014. Back then, they performed classic scams under the Rita Bent moniker.\r\nOne of their preferred scams was phishing for Adobe login pages. We have records indicating that several fake Adobe pages were deployed from 2015 until recently. Landing pages looked like the following:\r\nFast forward to 2020, and the threat actor has graduated to malware distributor. He protects his binaries with the Cassandra Protector obfuscator and then checks them against AVcheck[.]net.\r\nWho is behind these attacks?\r\nThe threat actor shared photos of himself back in 2016 and for some reason forgot about them.\r\nE.K. was born in 1985 according to his driver’s license. Remember that 1985 was used in a lot of passwords collected from accounts that conducted these illegal activities.\r\nAt the moment, we do not have much information about other members of the team, but E.K. seems to be the most relevant figure, at least the one who started the scheme.\r\nFrom 419 scams to Agent Tesla\r\nNigerian Tesla stole more than 800,000 different credentials from about 28,000 victims. This shows how simple and yet effective running one of these campaigns can be. In this case we see an interesting evolution from a threat actor that was performing the classic advance-fee scam (419 scam) before moving into the malware distribution world, more or less for the same end goal.\r\nMalwarebytes users are protected against Agent Tesla. We detect this sample as Spyware.Password.Stealer.\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2022/05/nigerian-tesla-419-scammer-gone-malware-distributor-unmasked/"
	],
	"report_names": [
		"nigerian-tesla-419-scammer-gone-malware-distributor-unmasked"
	],
	"threat_actors": [],
	"ts_created_at": 1775434116,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/75af65f18b37f3f5688ad24cc819abfbdc59d7e5.pdf",
		"text": "https://archive.orkl.eu/75af65f18b37f3f5688ad24cc819abfbdc59d7e5.txt",
		"img": "https://archive.orkl.eu/75af65f18b37f3f5688ad24cc819abfbdc59d7e5.jpg"
	}
}