Do Son 
One of the alleged operators behind the SmokeLoader malware has found himself at the center of a criminal case in the United States, following accusations of stealing data from more than 65,000 individuals. The defendant, Nicholas Moses—who operated under the alias “scrublord”—allegedly used the malware to orchestrate the large-scale harvesting of personal information and user credentials across the globe.
The case was initially filed in North Carolina, but by mid-last week, it was transferred to federal prosecutors in Vermont. While the rationale for this jurisdictional shift remains unclear, accompanying court documents indicate that Moses has entered a guilty plea to one count—conspiracy to commit fraud and unauthorized computer-related activities.
According to investigators, between early 2022 and May 2023, Moses maintained a command-and-control server in the Netherlands, through which he managed a SmokeLoader-powered botnet. This malware functions as a loader, enabling the deployment of more specialized and covert programs on compromised machines—including spyware modules, credential-stealing tools, and utilities for conducting DDoS attacks.
Prosecutors allege that Moses maintained a database containing over 619,000 files of stolen user data and sold credentials for various online services, priced between one and five dollars apiece. In November 2022, he allegedly boasted in a chat group about possessing over half a million logs acquired via SmokeLoader.
Among the victims is at least one FDIC-insured financial institution based in Charlotte, North Carolina. Despite this, the case continues to unfold in Vermont. As of now, the U.S. Department of Justice has declined to comment on the specifics of the investigation.
SmokeLoader is far from a novel threat. The malware first emerged on underground forums in 2011 and has remained a staple tool among cybercriminals ever since. It is distributed in various configurations, ranging from a basic edition priced at $400 to a fully-featured suite with advanced modules costing up to $1,650.
The renewed scrutiny of SmokeLoader follows a major international takedown operation. In May 2024, Europol launched Operation Endgame, which disrupted several major malware droppers, including SmokeLoader, IcedID, Pikabot, and others.
In early 2025, as part of the continued effort, authorities across multiple countries—including the United States, Canada, France, Germany, the Netherlands, and the Czech Republic—conducted arrests, raids, and interrogations of individuals linked to the SmokeLoader botnet. Europol noted that while some suspects had been reselling access to the malware at inflated prices, others mistakenly believed they had long escaped law enforcement attention.
According to Europol, Operation Endgame remains ongoing, with further arrests and investigative actions anticipated. The case underscores the growing international coordination in dismantling criminal cyberinfrastructure and unmasking those behind it.
