
Cyber Civil War: The Hackers Hijacking Other Hackers’ Stolen Data
The world of cybercrime just got a lot more crowded. In a strange twist of events, a new group of hackers is now targeting other hackers to steal their stolen goods. According to a fresh report from the security firm SentinelOne, a mysterious campaign dubbed “PCRJack” has been hunting down systems already compromised by a well-known cybercrime gang called TeamPCP. Instead of finding their own victims, these new actors simply wait for someone else to do the hard work, then they kick the original intruders out and take over.
It sounds like a movie plot, but the reality is much more technical. TeamPCP has spent months breaking into cloud infrastructure and widely used software tools like LiteLLM and Trivy. Once they gain access, they usually install backdoors to steal credentials or sensitive data. Researchers tracking PCRJack found that this new rival group uses custom scripts to scan the internet for those specific TeamPCP backdoors. When they find one, they use a clever bit of code to evict the original TeamPCP members and replace their access tools with their own.
The Fight for the Cloud
Alex Delamotte, the senior researcher who discovered the campaign, says it is not yet clear who is behind PCRJack. However, she has three main theories. The hackers could be disgruntled former members of TeamPCP who want to take what they feel they are owed. Or they could be a rival gang looking to cut out the competition. There is even a chance they are a third party that simply decided to build their attack tools specifically to hijack TeamPCP’s earlier hard work.
The targets of these attacks are often massive. We are talking about cloud infrastructure, virtual machine platforms like Docker, and large databases like MongoDB. By taking over these systems, the PCRJack hackers gain a massive amount of power. They can see everything the original hackers saw, but without having to spend the time or money to find the vulnerability themselves. It is a high-tech version of a scavenger following a predator to steal its kill.
Why Hackers Turn on Each Other
The goals of the PCRJack hackers are purely about the money. They do not seem interested in installing “crypto-miners” to generate digital currency, likely because that takes too much time and is easy to spot. Instead, they focus on stealing credentials. Once they have usernames and passwords for high-level accounts, they sell that access to other criminals on the dark web. They act as “initial access brokers,” selling the keys to the kingdom to the highest bidder.
This “hacker-on-hacker” crime shows how professional the underground economy has become. There is an entire tally system within the PCRJack infrastructure that keeps track of how many targets they successfully stole from TeamPCP. They even send this information back to their own servers to brag about their success. It is a digital scoreboard for a war that happens entirely in the shadows.
For regular internet users and big corporations, this civil war is bad news. It means that even if a company manages to block one group of hackers, another might already be hiding in the same system, using a different set of stolen keys. The complexity of these attacks makes it much harder for security teams to clean up a breach. It is no longer enough to kick out the first intruder; you have to make sure nobody else followed them through the door.







