Infosecurity Magazine reports that a cybercriminal inadvertently exposed their operations after installing Huntress security software on their own device, giving analysts rare visibility into attacker workflows.

Huntress reported that the individual, who found the tool through a Google ad, activated a trial version and unknowingly allowed their activities to be logged for three months. Investigators confirmed the actor's identity through machine names and browser history, then observed the use of automation platforms, AI-powered text and spreadsheet tools, and Telegram APIs to streamline phishing and data theft.
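The use of Telegram bot APIs as a phishing and exfiltration channel is one of the more detectable habits described above, because every call carries the bot token in the URL path. The script below is an added example written for this page, not code from Huntress or from the article: it scans constructed proxy log lines (a made-up `timestamp src_ip method url status` format, with a fake bot token) and flags calls to Telegram Bot API methods that push data out, recording the bot ID but deliberately not the secret half of the token.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample proxy log (not from the Huntress report).
# Assumed format: <timestamp> <src_ip> <http_method> <url> <status>
# The bot token below is fake and exists only for this example.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z 10.0.0.12 GET https://www.google.com/search?q=evilginx 200
2024-05-01T10:03:40Z 10.0.0.12 POST https://api.telegram.org/bot000000001:FAKE_TOKEN_FOR_EXAMPLE_ONLY/sendDocument 200
2024-05-01T10:03:41Z 10.0.0.12 POST https://api.telegram.org/bot000000001:FAKE_TOKEN_FOR_EXAMPLE_ONLY/sendMessage 200
2024-05-01T10:05:00Z 10.0.0.15 GET https://translate.google.com/?sl=en&tl=de 200
2024-05-01T10:06:00Z 10.0.0.12 GET https://t.me/somechannel 200
"""

# Telegram Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>
BOT_API = re.compile(
    r"^https://api\.telegram\.org/bot(?P<id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# Methods that move content from the caller to the bot's chats (outbound data).
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


@dataclass
class Finding:
    timestamp: str
    src_ip: str
    bot_id: str   # public half of the token; safe to keep for pivoting
    method: str


def scan_proxy_log(text: str) -> list[Finding]:
    """Return one Finding per proxy log line that calls an outbound Telegram Bot API method."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip malformed lines rather than crash on them
            continue
        timestamp, src_ip, _verb, url, _status = parts
        m = BOT_API.match(url)
        if not m or m.group("method") not in EXFIL_METHODS:
            continue
        # The secret part of the token is matched but never stored or logged.
        findings.append(Finding(timestamp, src_ip, m.group("id"), m.group("method")))
    return findings


def hosts_by_volume(findings: list[Finding]) -> dict[str, int]:
    """Count flagged calls per source host, so the noisiest internal host surfaces first."""
    return dict(Counter(f.src_ip for f in findings))


if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.timestamp} {h.src_ip} bot={h.bot_id} method={h.method}")
    print(hosts_by_volume(hits))
```

Only the numeric bot ID is retained because the full token grants control of the bot; it is the kind of value an analyst should hand to Telegram for takedown rather than leave in a ticket. Matching on the full `api.telegram.org/bot<id>:<secret>/` path rather than on the domain alone keeps legitimate Telegram web traffic (such as the `t.me` line) out of the results.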

Analysts noted research into Evilginx servers, residential proxy services, and reconnaissance of financial institutions, software vendors, and real estate firms, alongside extensive reliance on Google Translate for phishing preparation. The actor also browsed dark web markets, malware repositories, and token exchange tools.

Huntress linked the activity to more than 2,400 compromised identities. Researchers said the lapse offered in-depth information about the day-to-day activities of a threat actor and valuable lessons for defenders.