
“We discovered a data leak from a top Oracle manager.” CEO Alerts Bar — about how hackers bypass 2FA and antiviruses and why 80% of attacks start with info stealers

Modern cybercrime operates as a full-fledged industry: malware is sold on subscription, and stolen accounts are a regular commodity on darknet marketplaces. Dima Ashkinazi, founder of the leak monitoring service Alerts Bar, explains what this ecosystem looks like from the inside, from info-stealers that quietly collect data to brokers who resell corporate access.

In a conversation with dev.ua, Dima explains why even antiviruses and 2FA often don’t protect you, how the «golden window» works after a leak, and how the compromise of a top manager’s account, discovered by his team, helped Oracle close the risks in time and avoid potential losses.


Dima, let’s start from the very beginning. How did the idea for Alerts Bar come about and what prompted you to enter this niche?

— The idea came when I started encountering incidents that occurred precisely because of stolen accounts that were already hanging in bundles for sale on the Darknet. While analyzing one of these cases, I saw that today the Darknet is a huge marketplace with a systematic approach. Everything there is divided into links: some develop software, others infect, and still others are brokers who resell data. I realized that businesses need a tool that will see this before hackers.

And how expensive was it to launch such a complex product?

— Actually, at the start I invested a few thousand dollars in simple organizational things. Now is the time for solo founders. Thanks to AI, one person who understands architecture can increase their productivity dozens of times. Previously, such a startup required angel investment, but now everything can be done faster, cheaper and without unnecessary bureaucracy.

You mentioned the case with Oracle. How did you manage to help such a giant?

— Yes, it was in January last year. We discovered an infected computer of a Senior Director of Oracle. There were more than 400 passwords from various sites freely available there. We reported it instantly, they managed to fix everything and change the accounts. As a result, they even added me as a security contributor to their site.

Mention of Dmitry as a security contributor on the Oracle website

How exactly does your service work and who is it aimed at?

— We monitor millions of sources: Tor, Telegram channels, closed hacker forums and marketplaces. Our service notifies the company if the data of its employees or customers has been «leaked». We perform checks every six hours or even in real time. Our clients are both small businesses and large corporations.

How much does such peace of mind cost a business?

— A subscription for a small business (up to 100 employees) starts at $350 per month for one domain. For a medium-sized business, it starts at $800 for three domains. We don’t list prices on the website because we work through resellers, but these are basic guidelines.

Infostealers: why 2FA and antiviruses don’t protect you

Let’s talk more about infostealers. How did they evolve?

— Previously, viruses were purely for fun — they turned the screen into MS-DOS. Then they stole passwords from ICQ. And now it’s Malware-as-a-Service. Hackers buy a subscription to the virus, have technical support and a clear roadmap. An infostealer is a Trojan that silently copies data from the browser and sends it to the Darknet. The person doesn’t even know about it.

How does infection usually occur? Are these some kind of complex attacks?

— Most often, it’s the human factor. People download «cracks» for Photoshop, cheats for games, Windows key generators, or «shady» software for macOS that doesn’t actually exist. The ClickFix method is currently popular: a fake «I’m not a robot» captcha that asks you to press Win+R and paste the code. The person pastes the PowerShell code, presses Enter, and that’s it, the infection has occurred, although it says «you have successfully passed the test.»

The stolen data includes saved passwords from websites, session cookies, autofill fields, credit cards, plugin configs, crypto wallets, etc. For example, we checked the BINs of some top banks and saw that as of today, 512 cards with CVV codes have been compromised recently. All this data has already been sent to the banks, and I hope they have blocked it. Yes, Monobank also uses our service.
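The ClickFix trick described above leaves a trace that defenders can check: whatever the victim pasted into the Win+R dialog is recorded in the user’s Run history (the RunMRU registry key). The following script, an added example that is not part of the interview or of Alerts Bar’s tooling, lists that history and flags entries that launch PowerShell or other interpreters typical of this lure. It assumes a Windows host; the list of suspicious tokens is my own assumption, not a published indicator set.

```powershell
# Added example: audit the current user's Run-dialog (Win+R) history for
# commands that a ClickFix-style fake captcha typically asks a victim to paste.
# Assumption: Windows host; the token list below is a heuristic, not an IoC set.
$runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
$suspicious = @('powershell', 'pwsh', 'mshta', 'cmd', 'curl', 'iwr',
                'Invoke-', '-enc', 'FromBase64String', 'http')

if (-not (Test-Path $runMru)) {
    Write-Output "No RunMRU history for this user."
    return
}

$key = Get-ItemProperty -Path $runMru
# MRUList holds the single-letter value names in order, most recent first.
$order = ($key.MRUList -split '').Where({ $_ -ne '' })

foreach ($letter in $order) {
    $entry = $key.$letter
    if (-not $entry) { continue }
    # Each entry is stored as "<command>\1"; strip the trailing marker.
    $cmd  = $entry -replace '\\1$', ''
    # -match is case-insensitive; escape the token so '-enc' etc. match literally.
    $hits = $suspicious.Where({ $cmd -match [regex]::Escape($_) })
    if ($hits.Count -gt 0) {
        Write-Output ("SUSPICIOUS [{0}]: {1}  (matched: {2})" -f $letter, $cmd, ($hits -join ', '))
    } else {
        Write-Output ("ok         [{0}]: {1}" -f $letter, $cmd)
    }
}
```

A flagged entry is a lead, not proof: confirm it against process-creation logs for the same time window, and treat the session cookies and saved passwords on that host as compromised, as the interview’s «golden window» point implies.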

What about antiviruses? Don’t they see the threat?

— It’s funny, but almost all infected computers that we see have antiviruses from Defender to CrowdStrike. Antiviruses are often powerless because the virus is not resident: it doesn’t sit in memory, it just copied the files once, sent them and «died». Or people just intentionally turn them off so they don’t get annoyed by alerts when they download cheats of unknown origin.

Password managers can protect against infection. Are they safer than a browser?

— Managers (like Bitwarden or 1Password) are good, but they are not a panacea. Hackers steal sessions (cookies). If they have your cookie, they can log into your Gmail or ChatGPT without a password at all and bypass two-factor authentication (2FA).

During the live presentation, a unique incident occurred — while analyzing a fresh data dump, Dmytro «hot on the trail» discovered a completely new type of info stealer — Hub Stealer.

You just found a new infostealer right in front of your eyes. Tell us more about what you found.

— Oh yes, we were just looking at the «fresh» for the 14th and came across a data dump from some QA specialist. There were cookies, and even a history of commands for Mac (ZSH History), and we discovered a new info-stealer — Hub Stealer. I hadn’t even heard the name before, so I immediately sent it off to the research team. It was a «catch» on hot pursuit.

Anatomy of an Attack: The Two-Hour Golden Window and Corporate Blackmail

How long does it take for an infiltration to cause damage to a business?

— In cybersecurity, everything is decided by hours. From the moment we receive a signal about a leak to the moment when hackers can actually use the data, we usually have a few hours.

So hackers don’t immediately rush to hack an account?

— Not exactly. We see that they collect data in large «bundles» of several thousand requests and only then begin to process them. Such a bundle comes together about two hours after accumulating a certain volume. While they are packing, we have time to react. But they also have the same couple of hours to start acting.

And what exactly do they do first?

— It depends on the «loot». If there is crypto in the logs, they try to extract it automatically and instantly. But a company account is a different story. It will most likely not be attacked immediately. It is classified: for example, «admin of a Fintech company, turnover $20 million, Eastern Europe». Then this information is posted on the Dark forum. And then someone who is interested in attacking this particular business buys this data.

Who are these people who buy such access? What are their goals?

— This is a separate group of cybercriminals who deal with ransomware (encryptors and extortion). There are well-known teams such as Clop or LockBit. They attacked Ernst & Young and other large corporations. Their scheme is simple: they steal sensitive documents and demand money not to make them public. If the company does not pay, they simply throw everything out into the public.

If you search carefully, you can find gigabytes of data from the work computers of thousands of companies that were simply stupidly posted online.

Besides encryption and extortion, what other risks are there for businesses?

— Espionage for competitors or the banal use of corporate email for spam and fraud. I personally worked on restoring one domain whose reputation in Google dropped to almost zero after a hacker spam campaign. The company then could not use email normally for several months. There are many risks, and info-stealers are the source of 80% of all attacks on businesses.

And how often do businesses pay hackers to keep their data safe?

— As far as I can see, most still don’t pay. Hackers even have their own methods of pressure: they set a timer, saying, «you have 7 days left,» and then they write on the website that such-and-such a company doesn’t respect its customers, and they start the leak. This is real psychological pressure. We can even go through the TOR browser and look at these «boards of shame» on the Darknet.

On AI and vibecoding: «A manual transmission is no longer needed»

What is your opinion on vibecoding and AI in general? Does it significantly simplify work or, on the contrary, harm it?

— This is a revolution. I am already used to getting results instantly. AI never tells me: «I got sick», «I don’t want to» or «I have a different opinion». It simply clearly performs the tasks. Many people are afraid that AI will replace them, or they say that they need to «train their brain» without it. It’s like a car: you can drive with a manual transmission, but in 99% of cases it is not needed, because the automatic does a pretty good job.

What about code quality? Doesn’t this create too much technical debt?

— There will always be technical debt. But for a startup at the MVP stage, speed is more important. As we joke in the business environment, if your servers can’t handle the load from customers, it’s a good sign, it means the business is working. Then a team will come and rewrite everything with more reliable solutions, but now is the time for those who run fast.


What about «the other side»? Have hackers mastered these tools too?

— Absolutely. We need to clearly understand: the attacker is already using AI to the fullest extent at all stages — from creating infection methods to further hijacking accounts. For example, those ingenious instructions with PowerShell code (when people are asked to press Win+R to «check») — all this is created thanks to AI.

So AI makes their methods even more sophisticated?

— That’s right. It’s a constant arms race, which has become especially acute now with the development of AI technologies. Hackers use AI to make their methods evolve faster: they constantly change approaches, come up with new tricks, and all this happens in automated mode. It’s simply impossible to resist this manually — you also need to use technology to stay at least one step ahead.

What advice would you give to an average user or business owner?

— First, Security Awareness — teach your staff not to click on everything. Second, Darknet monitoring. This is your last line of defense. It’s better to hear bad news from us a few hours before an attack than from hackers when your data is already encrypted.
