{
	"id": "f72d09ad-9a70-4965-895a-a8959fbb3a3d",
	"created_at": "2026-04-06T00:16:10.887859Z",
	"updated_at": "2026-04-10T03:23:51.755461Z",
	"deleted_at": null,
	"sha1_hash": "f93db319f39d7e26e46cbc73d869b96edd8c6429",
	"title": "‘LuminosityLink RAT’ Author Pleads Guilty",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 910364,
	"plain_text": "‘LuminosityLink RAT’ Author Pleads Guilty\r\nPublished: 2018-07-16 · Archived: 2026-04-05 20:19:16 UTC\r\nA 21-year-old Kentucky man has pleaded guilty to authoring and distributing a popular hacking tool called\r\n“LuminosityLink,” a malware strain that security experts say was used by thousands of customers to gain\r\nunauthorized access to tens of thousands of computers across 78 countries worldwide.\r\nThe LuminosityLink Remote Access Tool (RAT) was sold for $40 to thousands of customers, who used the tool to\r\ngain unauthorized access to tens of thousands of computers worldwide.\r\nFederal prosecutors say Colton Ray Grubbs of Stanford, Ky. conspired with others to market and distribute the\r\nLuminosityLink RAT, a $40 Remote Access Tool that made it simple for buyers to hack into computers to\r\nsurreptitiously view documents, photographs and other files on victim PCs. The RAT also let users view what\r\nvictims were typing on their keyboards, disable security software, and secretly activate the webcam on the target’s\r\ncomputer.\r\nhttps://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/\r\nPage 1 of 4\n\nGrubbs, who went by the pseudonym “KFC Watermelon,” began selling the tool in May 2015. 
By mid-2017\r\nhe’d sold LuminosityLink to more than 8,600 customers, according to Europol, the European Union’s law\r\nenforcement agency.\r\nSpeculation that Grubbs had been arrested began surfacing last year after KFC Watermelon stopped responding to\r\ncustomer support queries on Hackforums[dot]net, the Web site where he primarily sold his product.\r\nGrubbs, using the hacker nickname “KFC Watermelon,” advertised and sold his RAT via Hackforums.net.\r\nThe sale and marketing of remote access tools, also known as remote administration tools, is not illegal in the\r\nUnited States, and indeed there are plenty of such tools sold by legitimate companies to help computer experts\r\nremotely administer computers.\r\nHowever, these tools tend to be viewed by prosecutors instead as “Remote Access Trojans” when their proprietors\r\nadvertise the programs as hacking devices and provide customer support aimed at helping buyers deploy the RATs\r\nstealthily and evade detection by anti-malware programs.\r\nAccording to the indictment against him, Grubbs “recruited and encouraged co-conspirators to answer questions\r\non Skype, an internet messaging service, from potential and actual purchasers of LuminosityLink seeking to use\r\nthe software to get unauthorized and undetected access to victim computers and steal information.”\r\nLinking Grubbs to LuminosityLink was likely not a tall hurdle for prosecutors. 
A public filing at the Kentucky\r\nSecretary of State office lists Grubbs as the owner of Luminosity Security Solutions LLC.\r\nHowever, there are indications that Luminosity was not Grubbs’ first foray into making and selling malware tools.\r\nAccording to a February 2018 blog post by Palo Alto Networks, the Skype account connected to KFC\r\nWatermelon’s identity on Hackforums is tied to the email address “codyjohnson1337@live.com”; that email\r\naccount was used in 2013 to register “plasmarat.pw,” a similar RAT sold and marketed on Hackforums.\r\nKFC Watermelon’s Skype profile (the “HF” in his Skype name is a likely reference to HackForums, where both\r\nLuminosity RAT and Plasma RAT were primarily sold and marketed).\r\nThe street address listed by the Kentucky Secretary of State’s office for Luminosity Security Solutions (127 Circle\r\nDr., Stanford, KY) shows up in the original registration records for dozens of domains, including at least a half-dozen that early on listed the email address coltongrubbs@gmail.com. That same email address appears in the\r\nearly registration records for barracudasec[dot]com, a domain that as far back as 2012 was identified as a popular\r\n“command and control” server that many denizens of Hackforums used to remotely administer large numbers of\r\nremotely commandeered computers or “bots.”\r\nAround the time that KFC Watermelon stopped responding to support requests on Hackforums, federal\r\nprosecutors were securing a guilty plea against Taylor Huddleston, a then 27-year-old programmer from\r\nArkansas who sold the “NanoCore RAT.” Like Grubbs, Huddleston initially pleaded not guilty to computer\r\nintrusion charges, arguing that he wasn’t responsible for how customers used his products. 
That is, until\r\nprosecutors presented Skype logs showing that Huddleston routinely helped buyers work out how to use the tools\r\nto secretly compromise remote computers.\r\nGrubbs’ guilty plea could well lead to further arrests and prosecutions of customers who purchased and used\r\nLuminosityLink. Case in point: The author of the Blackshades Trojan — once a wildly popular RAT sold\r\nprincipally on Hackforums — was arrested along with dozens of his customers in a global law enforcement\r\nsweep in 2014.\r\nIndeed, many former customers of LuminosityLink have posted to Hackforums that they are expecting similar\r\ntreatment:\r\nHackforums users speculate that Grubbs’ arrest could lead to the arrest and prosecution of his customers. Image:\r\nPalo Alto Networks.\r\nGrubbs initially pleaded not guilty, and his trial was slated to begin in August. But in a plea agreement released\r\ntoday, Grubbs admitted to conspiring to make and sell LuminosityLink, and to knowingly assisting customers in\r\nusing his software to break into computers.\r\nThe plea agreement notes that on July 10, 2017, when Grubbs found out the FBI was about to raid his apartment,\r\nhe hid the phone and debit card tied to his Bitcoin account, and also removed the hard drives from his computer\r\nand apartment prior to the search. 
“Three days later, Defendant transferred over 114 bitcoin from his\r\nLuminosityLink bitcoin address into six new bitcoin addresses,” the agreement states.\r\nThe charges to which Grubbs has pleaded guilty carry punishments of up to 25 years in prison and as much as\r\n$750,000 in fines, although any sentence the judge hands down in this case may be significantly tempered by U.S.\r\nSentencing Guidelines.\r\nA copy of the plea agreement is available here (PDF).\r\nSource: https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/"
	],
	"report_names": [
		"luminositylink-rat-author-pleads-guilty"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434570,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f93db319f39d7e26e46cbc73d869b96edd8c6429.pdf",
		"text": "https://archive.orkl.eu/f93db319f39d7e26e46cbc73d869b96edd8c6429.txt",
		"img": "https://archive.orkl.eu/f93db319f39d7e26e46cbc73d869b96edd8c6429.jpg"
	}
}