Hamburglars
Episode 1 – The Trigger
The investigation, dubbed “Hamburglars“, originated from an incident response activity and a targeted deep-dive conducted by the Cyber Threat Intelligence Team.
An Italian company operating in the food service sector had reported anomalies in its systems: what looked like an ongoing brute-force attack targeting its customer area.
At first, the case appeared to be a conventional brute-force attack. Further analysis quickly clarified the situation: the suspicious logins were made with valid credentials, each account was tried only once or twice, and the attempts originated from a botnet using unusual and geographically distributed IPv4 addresses. It was, in fact, a credential stuffing campaign: automated testing of username and password pairs obtained from previous data breaches to identify accounts on which they still work.
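The distinction drawn above is exactly what a detection rule has to encode: brute force concentrates many guesses on few accounts from few sources, while credential stuffing spreads one guess per account across many accounts and many source IPs, and some of those guesses succeed. The following Python is an added example, not part of the original article and not Yarix tooling; the CSV log format, the sample events and the thresholds are all constructed assumptions.

```python
# Added example: separate brute force from credential stuffing in a window of
# authentication events. Assumed record format (constructed, not real telemetry):
#   timestamp,src_ip,username,result      with result = OK or FAIL


def parse_log(text):
    """Parse the assumed CSV format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split(",")
        events.append({"ts": ts, "ip": ip, "user": user.lower(), "ok": result == "OK"})
    return events


def profile(events):
    """Aggregate the signals used in the investigation: number of accounts touched,
    number of source IPs, tries per account, and whether valid credentials appear."""
    attempts = len(events)
    users = {e["user"] for e in events}
    ips = {e["ip"] for e in events}
    successes = sum(1 for e in events if e["ok"])
    return {
        "attempts": attempts,
        "users": len(users),
        "ips": len(ips),
        "successes": successes,
        "attempts_per_user": attempts / len(users) if users else 0.0,
        "ip_ratio": len(ips) / attempts if attempts else 0.0,  # 1.0 = every try from a new IP
        "success_rate": successes / attempts if attempts else 0.0,
    }


# Assumed thresholds; tune them against the portal's normal traffic before deploying.
MIN_ATTEMPTS = 10
STUFFING_MAX_TRIES_PER_USER = 2.0    # one or two guesses per account, then move on
STUFFING_MIN_IP_RATIO = 0.5          # distributed sources (botnet)
STUFFING_MIN_USERS = 10
BRUTE_FORCE_MIN_TRIES_PER_USER = 10.0


def classify(m):
    """Return 'credential_stuffing', 'brute_force' or 'normal' for a window profile."""
    if m["attempts"] < MIN_ATTEMPTS:
        return "normal"
    if (m["attempts_per_user"] <= STUFFING_MAX_TRIES_PER_USER
            and m["ip_ratio"] >= STUFFING_MIN_IP_RATIO
            and m["users"] >= STUFFING_MIN_USERS):
        return "credential_stuffing"
    if m["attempts_per_user"] >= BRUTE_FORCE_MIN_TRIES_PER_USER:
        return "brute_force"
    return "normal"


def compromised_accounts(events):
    """In a stuffing window the successes are the valid pairs the attacker now holds:
    these are the accounts to force-reset and review for loyalty-point abuse."""
    return sorted({e["user"] for e in events if e["ok"]})


def stuffing_sample():
    """Constructed sample: 30 accounts, one try each, 30 source IPs, three succeed."""
    lines = []
    for i in range(30):
        result = "OK" if i % 10 == 0 else "FAIL"
        lines.append(f"2025-06-01T10:{i:02d}:00Z,198.51.100.{i + 1},user{i:02d}@example.it,{result}")
    return "\n".join(lines)


def brute_force_sample():
    """Constructed sample: one account hammered 30 times from two IPs, all failures."""
    return "\n".join(
        f"2025-06-01T11:{i:02d}:00Z,203.0.113.{1 + i % 2},alice@example.it,FAIL"
        for i in range(30)
    )


if __name__ == "__main__":
    for name, sample in (("stuffing", stuffing_sample()), ("brute force", brute_force_sample())):
        events = parse_log(sample)
        m = profile(events)
        print(name, "->", classify(m), m, "compromised:", compromised_accounts(events))
```

The two samples profile very differently: the stuffing window has 30 accounts, 30 IPs, one try per account and a 10% success rate; the brute-force window has one account, two IPs and 30 tries. In production the same aggregation would run over a sliding time window per portal, and a GeoIP lookup on the source set (not shown, since it needs a database) would add the "geographically distributed" signal the article describes.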
Through OSINT investigations, attention soon turned to Telegram, which in recent years has become a primary marketplace for this type of material. The inquiry led to the discovery of two private channels, CentralBullet and RobShop, along with several subchannels where pre-validated credential packages were sold.
What made this operation particularly significant was that the compromised accounts were not mere customer profiles. They contained loyalty points accumulated over years of purchases, active subscriptions, and stored payment methods ready for use. With a single compromised credential, attackers could log into the customer portals of major Italian and international food service companies to redeem meals, or access retail accounts to shop using loyalty points, or even exploit delivery app profiles already linked to credit cards to order meals to their doorstep.
Each stolen login had immediate monetary value: a free hamburger, a discounted pair of shoes, or a complimentary month of streaming.
The name Hamburglars reflects a cybercriminal economy where stolen loyalty points don’t just sit in databases, they’re cashed in for actual burgers.
Episode 2 – Locked Rooms
The communication architecture was not limited to a simple Telegram group but served as the core of a more complex infrastructure.
Direct access was not allowed. Entry into the main private channel, where credential trading took place, was granted only after approval by an administrator.
Alongside the central channel, several additional spaces existed, each serving a specific function. Secondary channels acted as backup copies, ready to replace the original in case of takedown. Feed channels collected buyer reviews, often accompanied by screenshots as proof of the purchased credentials’ successful use. Finally, in the drop channels, small free samples of real accounts were published, used as a method to demonstrate product quality and build trust among potential buyers.
Rob*** (RobShop) – Marketplace architecture
Assa Karwa (CentralBullet) – Marketplace architecture
This architecture is typical of illicit marketplaces. While Telegram provides immediacy and ease of access, the underlying logic mirrors that of dark web forums: a controlled entry point, a main storefront, redundant systems to ensure continuity, and a reputation mechanism based on user feedback.
At the time of this article’s publication, RobShop had expanded the marketplace through an automated shop on the clear web.

Episode 3 – Machines Testing Keys
Analyzing the content of both the CentralBullet and RobShop channels immediately revealed a recurring reference to the SilverBullet software.
Screenshot of SilverBullet software
SilverBullet, a fork of OpenBullet [1], is a legitimate automation tool designed to send repeated requests against web applications. In the context of this investigation, however, it had been adapted to carry out credential stuffing attacks against Italian consumer portals.
The channels provided ready-to-use configurations, tailored to specific national and international brands.
.svb configuration file for credential stuffing attack against an Italian customer portal
Evidence also indicated that the Threat Actors were continuously developing new configurations.
The operational flow was clear:
- a combolist of credentials, sourced from previous data breaches, was uploaded;
- SilverBullet tried each username:password pair automatically;
- when a login succeeded, the configuration also read the loyalty points balance;
- only accounts with at least 500 loyalty points were saved in the final results.
The output was a text file in the format:
username:password | POINTS = balance
Sample extracted from a free combolist drop
A turnkey product, transforming raw databases into immediately monetizable material.
Episode 4 – The Italian Chessboard
The analysis of data collected from CentralBullet and RobShop made it possible to precisely delineate the targeted sectors.
The majority of targets were located within the Italian territory, with a few exceptions distributed in France and Germany.
The affected brands covered a wide range of areas: food service including well-known fast food chains, footwear, consumer electronics and large-scale retail. Also targeted were logistics and delivery services and some of the major streaming platforms.

RobShop and CentralBullet2 marketplaces selling and testing accounts
This diversity had a clear purpose: to supply the criminal market with products suitable for multiple types of buyers. Loyalty program accounts in food service and large scale retail trade enabled the acquisition of physical goods at a reduced cost, while accounts tied to logistics and streaming provided immediate use at nearly zero cost. It was estimated that, in the first case, the financial benefit for the buyer ranged between 60% and 90%, whereas in the second case it amounted to 100%.
For sellers, diversification also served as a risk mitigation strategy: rather than depending on a single brand, maintaining a portfolio of targets ensured business continuity even if one company implemented countermeasures.
Episode 5 – The Dog and the Name
The first key figure in the case was Rob***, administrator of a Telegram channel named Redirect Rob. From there originated his network of services: a main sales channel, a feed containing buyer reviews, a drop featuring sample free credentials, and the personal profile @ROB*** for direct contact.
However, Rob*** made several OpSec mistakes, likely due to inexperience. The same profile picture used on his Telegram channel also appeared on an almost identical TikTok account registered as ROB*** (the two handles differ by only one letter). That was the initial lead, though not sufficient on its own.
A video posted on the TikTok account showed two individuals in a seaside location. By extracting still frames and enlarging specific background details, a sign with the name of a hotel was identified. A geolocated search confirmed that it was a real establishment located in Emilia Romagna, Italy.
Rob*** and his brother on vacation in 2024
The hotel terrace where the video was filmed
The next step involved cross referencing this information with social media profiles associated with the name appearing in various comments: Papa Sierra (alias). Analysis of the photos and location tags published by Papa Sierra revealed elements consistent with the same area and timeframe as the videos uploaded by ROB***. Furthermore, some family related content made it possible to indirectly recognize the individual appearing in the TikTok videos.
Location tags on Papa Sierra social network profile
In parallel, cross checks were carried out on metadata, profile pictures, and nickname history. The most notable finding was that the photo of a dog used on Telegram also appeared in several personal accounts traceable to the Sierra family: a seemingly trivial detail, yet sufficient to confirm that the social context was the same.
Social network profile of a member of the Sierra family
By combining all these clues (the matching nicknames, the geolocation, the direct references to the father, the recurring imagery, and the reuse of the same profile photo), a high level of confidence could be achieved: behind the alias Rob*** was, with high probability, November Sierra (alias), resident in Padua province, Italy.
November Sierra with his brother and his father Papa Sierra
Episode 6 – The Faceless Empire
While Rob*** had left traces that allowed attribution to a real identity, the situation was far more elusive with Assa Karwa. No unique profile could be reconstructed behind this nickname; nevertheless, the network of channels and coordinated activities under his control indicated a far more structured presence.
CentralBullet and its replica, CentralBullet 2, formed the operational core, but Assa’s reach extended beyond these. Surrounding them was a constellation of groups with evocative names such as “L’impero di Hirozen“, “DarkCentral“, and “La Massoneria“, serving both as redundancy and as tools for customer retention and promotion. This was a deliberate branding strategy: giving channels recognizable names capable of creating identity and community around the vendor.
The level of activity surpassed that of Rob***. By June 2025, Assa had launched a channel dedicated exclusively to combolist auctions, named “Asta Shop Assa“. Here the numbers were significant: over 130,000 valid loyalty accounts from two well-known Italian food chains, presented as pre-validated packages ready for use. These were not isolated dumps, but organized stockpiles, grouped and auctioned to maximize profit.
“Asta Shop Assa” Telegram channel, showing combolist auctions
Communication was also carefully managed. In early July, for example, a message announced a temporary suspension of activities for two months due to “holidays“. A detail that might have seemed minor, yet it could provide insight into an age group that, like Rob***’s, could fall within the school-age range.
Episode 7 – Spinning Coin
Behind every illicit marketplace there is a flow of money, and this case was no exception.
The currency choice was predictable: cryptocurrency. Within the feed channels and in private conversations with the threat actors, it was possible to collect several addresses: Bitcoin addresses linked to Rob*** and Ethereum addresses linked to Assa Karwa.
Some wallets were found empty at the time of verification, while others showed a significant history of prior transactions. Blockchain analysis revealed patterns consistent with behaviors already observed in similar environments: the address rotation technique, intended to reduce traceability by avoiding the concentration of proceeds in a single wallet.
During conversations, addresses were provided by sellers only after transaction terms had been agreed, often via direct private contact. In some cases, buyers posted proof of payment in review feeds, displaying the on-chain transaction alongside a note praising the seller: a validation mechanism that substituted blind trust with a form of certified review.
These addresses provided two useful elements: on one hand, they confirmed the marketplace’s viability by demonstrating that transactions had actually taken place; on the other, they offered blockchain observation points that could be cross referenced with other financial flows to seek correlations with exchanges or wallets linked to known identities, the classic “follow the money“.
Bonus Episode – The shot from the dock
On July 17, 2025, at 15:51Z, a photo was posted by an admin in the CentralBullet channel that initially seemed unrelated to credential sales. The image showed several cruise ships docked in a port, captured from an elevated perspective, seemingly casual content, uploaded either to fill the channel or to self celebrate a vacation (note: removed shortly afterward).

Every visual detail, however, constituted a potential clue, and the image was therefore subjected to a verification process. Distinctive elements were first isolated: the layout of the docks, the positions, colors, and liveries of the ships, and the orientation of the mooring structures. These were then cross referenced with open source maritime traffic data.
From left to right in the image, Royal Caribbean’s Allure of the Seas was identified;

moving right, with the stern facing the observer, was Norwegian Cruise Line’s Norwegian Breakaway;

finally, on the right, with its unmistakable yellow and black funnel, was a Costa Crociere vessel: the Costa Smeralda.

Cross referencing these elements with real time VHF AIS radio signal maps [2] made the match immediate: the location was Civitavecchia port, specifically the dock used at the time by Tirrenia ferries heading to Olbia. The time of posting further reinforced the hypothesis: AIS data indicated that around that hour, the presence and positions of the ships were consistent with the image.
Location of the shot and ship positions at that time
While this data alone could not allow for a definitive attribution, it provided an important piece of the puzzle: it indicated that one of the actors managing the channel was physically in that area. This information, combined with other clues collected over time, could help reconstruct movements and routines.
Epilogue – Beyond Hamburglars
The investigation demonstrated how an apparently contained incident, originating from the theft of loyalty points, can in fact open a window onto a well organized criminal ecosystem. The Telegram channels under observation proved to be fully fledged marketplaces, capable of offering pre-validated credentials, automating selection through tools like SilverBullet, and operating according to continuity and reputation principles not unlike legitimate commerce.
From a defensive perspective, the lesson is clear: stolen credential data exists outside the perimeter, and the only way to mitigate its impact is to render reuse ineffective. Multi-factor authentication, anti-bot/anti-fraud controls, and proactive credential monitoring are now indispensable measures.
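"Proactive credential monitoring" in practice means refusing, at registration and at password change, any password already present in a breach corpus, since that is what the combolists sold on these channels are built from. The following Python is an added example, not part of the original article and not Yarix tooling. It implements the k-anonymity lookup used by the Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>`): only the five-character prefix leaves the host, and the response is a list of `SUFFIX:COUNT` lines matched locally. The leaked-password table and the range responses built from it are constructed stand-ins so the demo runs offline; `live_fetch_range` shows the real call and is not invoked by the demo.

```python
# Added example: breach-corpus password check using the k-anonymity range protocol.
import hashlib
import urllib.request


def sha1_hex(password):
    """Uppercase hex SHA-1, the form the Pwned Passwords corpus is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest):
    """First 5 hex chars are sent to the service; the remaining 35 never leave the host."""
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into a dict. Padding entries (count 0) are harmless."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def check_password(password, fetch_range):
    """Return how many times the password appears in the corpus (0 = not found).
    fetch_range(prefix) must return the raw text of the range response."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix):
    """Real lookup against the k-anonymity endpoint (not used by the offline demo).
    Add-Padding asks the service to pad the response so its size leaks nothing."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(
        url, headers={"User-Agent": "loyalty-portal-password-check", "Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the breach corpus: made-up passwords with made-up counts.
CONSTRUCTED_LEAKED = {"password123": 123456, "hamburger2024": 7}


def constructed_fetch_range(prefix):
    """Offline substitute for live_fetch_range: builds a range response from CONSTRUCTED_LEAKED,
    returning only the suffixes that share the requested prefix, exactly as the service does."""
    lines = []
    for pw, n in CONSTRUCTED_LEAKED.items():
        p, s = split_hash(sha1_hex(pw))
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\n".join(lines)


def registration_allowed(password, fetch_range=constructed_fetch_range):
    """Policy hook for signup / password change: refuse anything the corpus has seen."""
    return check_password(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password123", "hamburger2024", "Tq7!vR2#lm9Zp"):
        print(pw, "seen:", check_password(pw, constructed_fetch_range),
              "allowed:", registration_allowed(pw))
```

To run it against the real corpus, pass `live_fetch_range` as `fetch_range`. The same check should also gate the password-reset flow, and it complements rather than replaces MFA: a password absent from today's corpus can still appear in tomorrow's combolist, which is why the article's first two measures (MFA and anti-bot controls) remain necessary.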
Hamburglars is now in the hands of the competent authorities, yet it already provides a concrete example of how the combination of Incident Response and Threat Intelligence can reconstruct the activities of Threat Actors and, most importantly, translate isolated signals into a comprehensive overview.
References
[1] https://github.com/openbullet/OpenBullet2
[2] https://www.cruisemapper.com
Author
Francesco Sercia is a member of the Yarix Cyber Threat Intelligence Team. Passionate about cybersecurity since the days of Sub7 (if you know, you know), he has also been actively involved in fighting child exploitation and the non-consensual sharing of intimate images. He keeps telling himself he’ll update his YouTube channel, but his husky — and the time he spends tracking your current location (just kidding… or maybe not) — keep him far too busy.
Dedicated to my family (who still think I just "fix computers").

