Hecker-Sakuya-LiveGamer101 alliance reshapes ransomware ecosystem operations
Threat Actor Meta
Summary
Hide ▲
Show ▼
SilverInc is operating a commercial access-resale ecosystem for exposed or weakly authenticated LLM endpoints, turning unauthorized access into a monetized supply chain and expanding risk to exposed AI infrastructure. The service is advertised through Telegram and Discord, with access sold for cryptocurrency or PayPal, and is tied to Hecker, Sakuya, and LiveGamer101. The latest reporting adds that the same ecosystem is now advertising access on silver[.]inc as a Unified LLM API Gateway, reinforcing the criminal market around LLMjacking and resale.
Related Happenings
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Vidar infostealer market rise and distribution expansion
Malware ActivityAbout this happening: **Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
CrystalRAT Telegram-promoted malware-as-a-service
Malware Activity
First: 02.04.2026 02:17
Last: 02.04.2026 02:17
Sources 1
About this happening:
The **CrystalRAT** malware-as-a-service is being promoted on **Telegram** and **YouTube** with **remote access**, **data theft**, **keylogging**, and **clipboard hijacking**, incr...
CrystalRAT Telegram-promoted malware-as-a-service
Malware ActivityAbout this happening: The **CrystalRAT** malware-as-a-service is being promoted on **Telegram** and **YouTube** with **remote access**, **data theft**, **keylogging**, and **clipboard hijacking**, incr...
Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor Meta
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
**Venom Stealer** is being run as a **subscription-based** malware service with **Telegram licensing** and an **affiliate program**, signaling a more organized cybercrime ecosyste...
Venom Stealer subscription and affiliate malware-service ecosystem
Threat Actor MetaAbout this happening: **Venom Stealer** is being run as a **subscription-based** malware service with **Telegram licensing** and an **affiliate program**, signaling a more organized cybercrime ecosyste...
Threat actors ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 03.03.2026 17:01
Last: 03.03.2026 17:01
Sources 1
About this happening:
**Compromised cPanel access** is being commoditized in **fraudulent chat groups**, creating a scalable supply of trusted hosting infrastructure for **phishing**, **spam**, and **m...
Threat actors ecosystem shift changes threat-actor operations
Threat Actor MetaAbout this happening: **Compromised cPanel access** is being commoditized in **fraudulent chat groups**, creating a scalable supply of trusted hosting infrastructure for **phishing**, **spam**, and **m...
Chinese-language money alliance reshapes ransomware ecosystem operations
Threat Actor Meta
First: 16.02.2026 12:30
Last: 16.02.2026 12:30
Sources 1
About this happening:
**Trafficking-linked crypto payments** are increasingly routed through **Telegram-based CMLN services**, **scam compounds**, and **online casinos**, expanding the scale and resili...
Chinese-language money alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: **Trafficking-linked crypto payments** are increasingly routed through **Telegram-based CMLN services**, **scam compounds**, and **online casinos**, expanding the scale and resili...
Timeline
-
28.01.2026 15:15 3 articles · 3mo ago
SilverInc access-resale ecosystem disclosed
Initial DisclosureSilverInc operates a commercial service at silver[.]inc that resells access to exposed or weakly authenticated LLM infrastructure, including exposed LLM service endpoints and publicly accessible MCP servers. Researchers say the service is marketed on Telegram and Discord in exchange for cryptocurrency or PayPal payments, promotes NeXeonAI as a unified AI infrastructure with access to more than 50 AI models, and is attributed to aliases Hecker, Sakuya, and LiveGamer101.
Show sources
- Hackers hijack exposed LLM endpoints in Bizarre Bazaar operation — www.bleepingcomputer.com — 28.01.2026 15:15
- Hackers hijack exposed LLM endpoints in Bizarre Bazaar operation — www.bleepingcomputer.com — 28.01.2026 15:15
- Researchers Find 175,000 Publicly Exposed Ollama AI Servers Across 130 Countries — thehackernews.com — 29.01.2026 20:37