Malta hacker gave discount code to covert FBI operator

Malware vendor extradited to the United States had asked his partners for raise given that he ‘risked going to prison’ for selling remote access trojans 

Daniel Meli accepted to be extradited to the US to face charges of criminal conspiracy after he was tracked down by the FBI in a global anti-cybercrime investigation
Daniel Meli accepted to be extradited to the US to face charges of criminal conspiracy after he was tracked down by the FBI in a global anti-cybercrime investigation

A young Żabbar man who had spent 10 years working the internet forums hosting hackers and trading in trojans that turned unknowing victims’ computers into ‘slaves’, was arrested after his clients turned out to be none other than covert FBI employees in Georgia. 

Daniel Meli, 27, was arrested in Malta on 7 February for allegedly selling and training criminals in the use of Warzone, a remote access trojan software that bypasses security systems and remotely accesses computers without the victims’ knowledge. 

But the end of the road soon came for Meli, when in February 2022 he sold a RAT for $180 in Bitcoin to an FBI online covert employee from Georgia. The game was up. From then onwards, the FBI was tracking his operations, one of several in a global anti-cybercrime investigation that spread as far as Australia. 

Meli now faces eight counts of criminal conspiracy in a district court in Georgia that could see him face several years in prison inside the notorious American incarceration system. 

It is alleged that after tricking victims into installing the malware on their computers via email attachments or fake links, criminals could then browse file systems, record keystrokes, steal usernames and passwords, and access web cameras. The AFP, the US Federal Bureau of Investigation and Europol were among a number of international police forces to have worked together on Meli’s arrest. 

Separately, another man, Prince Onyeoziri Odinakachi, 31, was arrested in Nigeria, also on 7 February. He is alleged to have provided online customer support to individuals who purchased and used the Warzone malware from June 2019. 

A malware vendor and mentor 

Meli was described as a malware vendor and ‘RAT mentor’ who operated on the HackForums internet forum to offer his services for sale, including remote access trojans, which are designed to allow attackers to remotely control infected computers. 

Known as ‘xVulnerable’ on forums, Meli offered his services to hackers using RATs to help them remain anonymous and conceal their activity from the victim computers’ users and law enforcement. 

He offered them teaching tools such as an eBook to assist customers with the private RAT spreading method, he used to obtain numerous ‘slaves’ very quickly: often, he targeted the computers of gamers, who are generally known to have high-performance hardware that is optimal for mining cryptocurrency. 

But it was an administrator of the online criminal enterprise known as Skynet Corporation, that Meli scaled up his activities. 

On HackForums, Meli offered several different types of identification for customers to use to contact him on Skype, Discord, and Telegram, while concealing his true identity. 

He boasted of having worked for over 500 customers, with a well-established reputation in the HackForums community that was demonstrated by over 8,000 posts and past product and service offerings since his account’s creation way back in 2012. 

According to the charges issued against him, in December 2021 Meli was said to have entered into a tacit understanding with others to hack into a computer, infect it with a programme that could have affected 10 other computer users, and solicit from this kind of remote control, illicit financial gain. 

Keeping 30% profits 

Meli was credited with having created RATs which he advertised and sold, then directly assisting his clients into how to use the RATs, in a deal with the Skynet-Corporation to keep 30% of the profits for himself. 

As a result of this partnership, Meli was listed as an administrator on the website for Skynet-Corporation. 

His products were sold at just $28 to $73, and Meli would speak to customers on Skype with his ID ‘vuln.hf’ or on Discord or Telegram with the name ‘dmeli96’. 

After working with Skynet-Corporation for a few weeks, Meli contacted the unknown Skynet-Corporation administrator asking for more money, stating, “Don’t u think I deserve a raise... considering I’m risking jail time?” 

In April 2022, Meli assisted a hacker on how to use a RAT to steal email passwords from Microsoft Outlook. In one text exchange, the computer hacker promised to pay Meli when he “got profits” from his hacking. 

During October 2022, Meli provided the discount code ‘DAN’ to a covert FBI operator who purchased a RAT from the online criminal enterprise. With the discount code, the online criminal enterprise sold the RAT to the FBI for $186, and the FBI downloaded it on the same day. Meli then sold the same FBI agent an eBook on his private RAT spreading method for $218, as well as lifetime support for RATs for $57. 

Meli was arrested at his workplace in Gudja on 7 February, and during searches conducted at various locations related to the suspect, numerous items linked to this investigation were seized. 

‘Let’s get it done’ 

He appeared in court to begin extradition proceedings to the United States, where he will face charges before the American court. But he also consented to extradition and is now being held in custody at the Correctional Facility in Kordin. 

Meli’s lawyer, Joe Giglio, explained that his client wanted to tackle the charges head on and clear his name. “He was motivated by a mindset of cooperation and facing down the charges, Giglio said, summing up Meli’s attitude as ‘since we are going to have to face it, let’s get it done.’” 

The charges Meli will face in America are conspiracy, obtaining unauthorised access to protected computers to obtain information, illegally selling an interception device, and illegally advertising an interception device, each provide for a sentence of up to five years in prison, three years of supervised release and a fine of $250,000, or twice the gross gain or loss, whichever is greater. The charge of causing unauthorised damage to protected computers provides for a sentence of up to 10 years in prison, three years of supervised release, and a fine of $250,000, or twice the gross gain or loss, whichever is greater. 

Operations in various countries related to the same illegal malware trade on the dark web were being coordinated by Europol, involving several other states, including the Australian Federal Police, the Canadian Police, Croatian Police, Finnish Police, Dutch Police, Romanian Police, German Police, and Nigerian authorities.