‘Styx Stealer’ malware developer accidentally exposes personal info to researchers in ‘critical opsec error’

A suspected developer of a new malware strain called Styx Stealer made a “significant operational security error” and leaked data from his computer, including details about clients and earnings, researchers have found.

Styx Stealer is “a powerful malware” capable of stealing browser data, instant messenger sessions from Telegram and Discord, and cryptocurrency. The Israel-based cybersecurity firm Check Point, which analyzed the malware, said that it was used against its customers, though further details were not provided.

“The developer made a fatal error and leaked data from his computer, which allowed Check Point to obtain a large amount of intelligence,” researchers said in a report published last week.

The developer of Styx Stealer was found to be linked to one of the Agent Tesla threat actors known as FucosReal, who was involved in a spam campaign also targeting the company’s customers. Agent Tesla is a remote access malware that has been targeting Windows systems since 2014.

According to Check Point, the creator of Styx Stealer revealed his personal details, including Telegram accounts, emails and contacts, by debugging the stealer on his own computer using a Telegram bot token provided by a customer involved in the Agent Tesla campaign in March 2024.

“This critical OpSec failure not only compromised Styx Stealer's anonymity but also provided valuable intelligence about other cybercriminals, including the originator of the Agent Tesla campaign,” researchers said.

Following the analysis, researchers were able to link Styx Stealer to a Turkish hacker known as Sty1x. This, in turn, allowed Check Point to track down FucosReal to an individual in Nigeria.

“The case of Styx Stealer is a compelling example of how even sophisticated cybercriminal operations can slip up due to basic security oversights,” researchers said.