It really sucks when your account is taken from you. Pro account, 3 domains, and no website on them at all. All private zones for my home and development. Rootkits dropped on servers that persisted due to MDM flaws. Took less than 4 hours to get it all cut off, but the damage was done in minutes. Now my personal domains, with my name on the registrar, are running n8n workflows, from what I could capture. Likely phishing farms if I had to guess. No idea if he is racking up an enormous bill. Pretty certain I did not have a card on file agreeing to pay for add-ons, since I had to enter it every time I bought anything.
The attack vector was simple. The email that I use for everything was taken over, and Gmail doesn't care. They changed the security info and the email password enough times to make my attempts to get it back impossible, even with a Workspace. The attack exposed a password manager that had enough in it to get AT&T to believe them and perform a SIM swap. There went 2FA. Even this post is sadly not from my 13-year-old account. AI has turned every decent hacker into an army.
The point of this post is a warning, some therapy, and some release of the frustration and absolute helplessness that comes from having your life stolen.
I've had to put fraud alerts on my credit report and get new phones for my wife and me (iPhone 17s are pretty sweet coming from an Android guy). I've filed for ID theft with the FTC, AT&T, local police, and the cyber division of the FBI. Contacted GitHub, Cloudflare, Gmail "community", etc. First of all, why is it so hard to even get a contact method for most of these companies? Not just them, but the actual right channel, so you don't get a message back a week later with another email (can't forward yours). I even have a YubiKey that was active 2FA but is no longer on the accounts. The precision and speed of it was mind-blowing. Logs show a compromised GW that wasn't patched yet from an exploit recently discovered. Sitting there unnoticed long enough for recon to forge certs and move laterally across the network, dropping rootkits, grabbing what they needed, and destroying most of the evidence on the way out. Thousands in damage.
Of course I was blind to the whole thing; Wazuh trusted the actor, and the actual heist was over in minutes.
My point, other than to vent, is be careful. Check firmware for your nodes, of course, but don't trust your ISP to keep their shit updated. Check. Rotate frequently, and for God's sake keep a fucking paper-and-pen copy of your recovery info. Air-gapped USB. Something other than a NAS at 2 sites. The rise of the automated hackers is moving quickly. Don't take it lightly.
u/Affectionate-Goal891 · r/CloudFlare · 10 days ago
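One practical takeaway from the post is that the hijacked zones only became visible after the fact. The following is an added example (not the poster's code, and not a Cloudflare or registrar tool) of a zone-drift check: it parses a BIND-style zone export, compares it against a known-good copy saved offline (the "paper and pen / air-gapped" baseline the post recommends), and lists every record that was added or removed, so an unexpected host appearing in a domain that should have no website on it gets flagged. Both zone texts below are constructed sample data; `example.net` and the IPs are documentation placeholders.

```python
"""Baseline-diff a DNS zone export to spot records that should not be there.

Added example, not from the original post. It assumes the zone was exported
to BIND-style text ("name TTL IN TYPE rdata") from the registrar/CDN dashboard
and that a known-good copy was saved offline beforehand.
"""
from __future__ import annotations

RecordKey = tuple[str, str]  # (owner name, record type)


def strip_comment(line: str) -> str:
    """Drop a trailing ';' comment, but leave ';' inside quoted TXT data alone."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line


def parse_zone(text: str) -> dict[RecordKey, set[str]]:
    """Parse zone lines into {(name, type): {rdata, ...}}; skips $-directives."""
    records: dict[RecordKey, set[str]] = {}
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line or line.startswith("$"):
            continue
        parts = line.split()
        name, rest = parts[0].lower(), parts[1:]
        if rest and rest[0].isdigit():      # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        if len(rest) < 2:                   # need at least TYPE and rdata
            continue
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        records.setdefault((name, rtype), set()).add(rdata)
    return records


def diff_zone(baseline: dict[RecordKey, set[str]],
              current: dict[RecordKey, set[str]]) -> dict[str, list]:
    """Return records present only in current ('added') or only in baseline ('removed')."""
    added, removed = [], []
    for key in set(baseline) | set(current):
        base, cur = baseline.get(key, set()), current.get(key, set())
        added.extend((key[0], key[1], rd) for rd in sorted(cur - base))
        removed.extend((key[0], key[1], rd) for rd in sorted(base - cur))
    return {"added": sorted(added), "removed": sorted(removed)}


# Constructed sample: the offline known-good copy of a private zone.
BASELINE_ZONE = """\
$ORIGIN example.net.
@      3600 IN A     203.0.113.10
www    3600 IN CNAME example.net.
@      3600 IN MX    10 mail.example.net.
_dmarc 3600 IN TXT   "v=DMARC1; p=reject"
"""

# Constructed sample: a fresh export after the account was taken over.
CURRENT_ZONE = """\
$ORIGIN example.net.
@      3600 IN A     203.0.113.10
www    3600 IN CNAME example.net.
@      3600 IN MX    10 mail.example.net.
_dmarc 3600 IN TXT   "v=DMARC1; p=none"   ; mail policy silently weakened
flows  300  IN A     198.51.100.77        ; new host that never existed before
"""


def find_drift() -> dict[str, list]:
    """Diff the constructed current export against the constructed baseline."""
    return diff_zone(parse_zone(BASELINE_ZONE), parse_zone(CURRENT_ZONE))


if __name__ == "__main__":
    drift = find_drift()
    for name, rtype, rdata in drift["added"]:
        print(f"ADDED   {name:<8} {rtype:<6} {rdata}")
    for name, rtype, rdata in drift["removed"]:
        print(f"REMOVED {name:<8} {rtype:<6} {rdata}")
```

Run it against a real export by replacing the two constructed strings with file contents; any non-empty `added` or `removed` list on a zone that is supposed to be static is worth an alert. Keying on (name, type) rather than on whole lines means a TTL tweak is ignored but a changed TXT policy or a brand-new host is reported.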