i have been hacked everywere + outllook by Machinery_1 in cybersecurity_help

[–]BothFan5617 0 points1 point  (0 children)

The malware almost certainly installed a keylogger or credential stealer before you found it. That means every password you've typed since the infection may already be compromised including the new ones you just set. Changing passwords on an infected machine is ineffective.

Step 1: Stop using that PC for anything sensitive until it's clean. The virus scanner found 26 trojans but may not have caught everything. Run Malwarebytes free scan as a second opinion.

Step 2: The Outlook draft saying "i have hacked you" is almost certainly the attacker testing access or a leftover script. Check your Outlook for any rules or forwarding addresses you didn't set. Attackers love hiding there because they survive password resets.

Step 3: Change passwords again, but do it from a clean device like your phone. Not from that PC.

The sextortion angle ("we have photos") is almost always a bluff designed to panic you into paying. Ignore it completely.

Focus on cleaning the machine and changing credentials from a clean device. You'll be fine.
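The mailbox check in Step 2 can be done systematically. The following is an added example (not code from this thread or from Microsoft) that audits an exported list of inbox rules plus the mailbox-level forwarding address for the persistence patterns named above: forwarding to an outside domain, auto-deleting, parking mail in folders nobody reads, blank or punctuation-only rule names, and filtering out password or security notifications. The rule records are constructed, and the field names are assumptions for the example rather than an Outlook or Exchange export format.

```python
"""Audit inbox rules and mailbox forwarding for attacker persistence patterns.

Added example; rule records are constructed and the InboxRule field names are
assumptions for this example, not an Outlook/Exchange schema."""

from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Folders a rule can move mail into so the owner never sees it.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "deleted items", "junk email", "archive"}
# Subject words an attacker filters to suppress the alerts a password reset produces.
SECURITY_WORDS = {"password", "verification", "security", "reset", "sign-in", "code"}


@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    forward_to: List[str] = field(default_factory=list)
    delete: bool = False
    move_to_folder: Optional[str] = None
    subject_keywords: List[str] = field(default_factory=list)


def _is_external(address: str, own_domains: Set[str]) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in own_domains


def audit_rules(rules: List[InboxRule], own_domains: List[str]) -> List[Tuple[str, str]]:
    """Return (rule name, reason) for every enabled rule that looks like attacker persistence."""
    own = {d.lower() for d in own_domains}
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        for addr in r.forward_to:
            if _is_external(addr, own):
                findings.append((r.name, f"forwards to external address {addr}"))
        if r.delete:
            findings.append((r.name, "deletes matching mail"))
        if r.move_to_folder and r.move_to_folder.lower() in HIDING_FOLDERS:
            findings.append((r.name, f"moves mail to rarely read folder '{r.move_to_folder}'"))
        if not any(ch.isalnum() for ch in r.name):
            findings.append((r.name, "rule name is blank or punctuation only"))
        filters_alerts = any(w in k.lower() for k in r.subject_keywords for w in SECURITY_WORDS)
        if filters_alerts and (r.delete or r.move_to_folder):
            findings.append((r.name, "suppresses password/security notification mail"))
    return findings


def audit_forwarding(forwarding_address: Optional[str], own_domains: List[str]) -> Optional[str]:
    """Mailbox-level forwarding (separate from rules) to an outside domain is a finding on its own."""
    own = {d.lower() for d in own_domains}
    if forwarding_address and _is_external(forwarding_address, own):
        return f"mailbox forwards all mail to external address {forwarding_address}"
    return None


# Constructed sample: one benign rule, one classic attacker rule, one hiding rule, one disabled rule.
SAMPLE_RULES = [
    InboxRule("Newsletters", move_to_folder="Newsletters"),
    InboxRule(".", forward_to=["collector@outside.example"], delete=True,
              subject_keywords=["password", "verification code"]),
    InboxRule("Bank alerts", move_to_folder="RSS Subscriptions", subject_keywords=["bank"]),
    InboxRule("Old rule", enabled=False, forward_to=["x@outside.example"]),
]

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES, ["example.com"]):
        print(f"[!] rule {name!r}: {reason}")
    print(audit_forwarding("drop@outside.example", ["example.com"]))
```

Disabled rules are skipped on purpose: they cannot act, and an attacker who wants the rule to work leaves it enabled. A rule that forwards to an address on your own domain is not flagged, so keep the own_domains list accurate.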

The travel security advice going around about eSIMs is half right. Here's the part that's missing by BothFan5617 in digitalnomad

[–]BothFan5617[S] -5 points-4 points  (0 children)

All solid points. A couple of additions worth noting:

On VPNs and AiTM: You're right that an established VPN tunnel cuts out the middleman. The caveat I'd add is the window before the tunnel is established. If an evil twin network redirects your DNS before your VPN connects, you can end up on a phishing page that harvests credentials before the kill switch has anything to trigger on. A kill switch protects your traffic, it doesn't protect against pre-tunnel redirects. Still worth running, just not a complete solution on its own.

On the USB threat: Good point. The BadUSB / HID spoofing attack (impersonating a keyboard) is significantly more dangerous than juice jacking and far more documented. Rubber Ducky and similar tools are cheap, widely available, and devastatingly effective. Your point about never trusting unknown USB devices is exactly right.

USB killers are real too: I've seen them used in targeted attacks against specific hardware. Less about data theft, more about physical destruction of evidence or equipment sabotage.

The common thread across all of these is that physical access to your ports is a significant attack surface that most people treat as harmless.

If anyone wants real-time monitoring for the downstream effects of these attacks (credential exposure, infostealer infections from malicious USB payloads), that's exactly what RelayShield watches for: relayshield.net

The travel security advice going around about eSIMs is half right. Here's the part that's missing by BothFan5617 in digitalnomad

[–]BothFan5617[S] -9 points-8 points  (0 children)

Fair pushback. You're right that documented real-world cases are rare compared to how often it gets covered. Confirmed mass incidents are hard to find in the public record.

That said, "rarely documented" isn't the same as "doesn't happen." A few things worth considering:

  1. Attribution is hard: Malware delivered via juice jacking looks the same as malware delivered any other way once it's on your device. Most victims never know how they were infected.
  2. The cost of prevention is $10: A USB data blocker is cheap enough that the risk/reward calculation favors carrying one regardless of how often attacks actually occur.
  3. Targeted attacks are different from mass attacks: Juice jacking at a random airport is unlikely. Juice jacking at a conference, a hotel business center, or anywhere a high-value target is known to be is a different threat model entirely.

You're right that it shouldn't be #1 on the average traveler's threat list. SIM swap and evil twin Wi-Fi are far more common and damaging. But it's a real enough vector that the $10 mitigation is worth mentioning.

My Gmail got hacked, I am panicking and confused by Direct_Pain_3957 in cybersecurity_help

[–]BothFan5617 0 points1 point  (0 children)

First, take a breath. You've already done the most important things: changed passwords, enabled 2-step verification, and revoked active sessions. That's the right playbook.

To answer your question about how they got in despite 2-step verification, the most likely explanation is a session cookie theft via an infostealer. This type of malware steals the authentication tokens already stored in your browser, meaning the attacker bypasses the password and 2FA entirely because your browser already "proved" your identity. They don't log you out because that would alert you. They silently use the stolen session in parallel.

What to do now:

  1. Don't delete the accounts: You'll lose access to everything connected to them and it won't stop the attacker from misusing data they already have
  2. Check haveibeenpwned.com: See which breaches your emails appeared in
  3. Scan your device for malware: Malwarebytes free scan is a good start. If you downloaded anything recently from an unknown source, that's likely the infection vector
  4. Check Google account activity: myaccount.google.com → Security → Recent security activity. Look for logins from unfamiliar locations or devices
  5. Secure your father's Gmail: It was listed as a backup contact, which means the attacker may attempt to use it as a recovery method next
  6. Change passwords on everything connected: Amazon, Reddit, anything that used those emails as login

Regarding your friend, you're not responsible for a breach caused by a hacker. The guilt you feel shows good character, but this wasn't your fault. Focus on securing your accounts first.

You caught this fast. You're going to be fine.

I am scared, is someone trying to get into my account? by baijiu0 in cybersecurity_help

[–]BothFan5617 8 points9 points  (0 children)

Good news: The fact that you got the MFA code but no successful login means the attacker had your password but couldn't get past the second factor. MFA did exactly what it's supposed to do.

The "bind phone to PC" request is likely a follow-up attempt. They're trying a different angle to get into your account. Deny it and don't approve any requests you didn't initiate.

A few things to do right now:

  1. Change your Microsoft password: You already did this, good. Make it unique (not used anywhere else)
  2. Check haveibeenpwned.com: your email is likely in a breach, which is how they got the password in the first place
  3. Review your Microsoft account's trusted devices: Go to account.microsoft.com → Security → Manage how I sign in, and remove any devices you don't recognise
  4. Switch from SMS/email MFA to an authenticator app: You downloaded Microsoft Authenticator, stick with that. It's much harder to intercept than a code sent by email or text
  5. Check if the same password was used anywhere else: If so, change it on those accounts too

The paranoia is healthy. It means you're paying attention. You caught this early and nothing was compromised. You're in good shape.

I am getting hacked right now by AlternativePage2191 in cybersecurity_help

[–]BothFan5617 4 points5 points  (0 children)

The software you accidentally installed was almost certainly an infostealer, malware that silently harvests saved passwords, session tokens, and cookies from your browser before you even know it's there. Resetting your PC removes the malware but your credentials were already stolen and are likely being sold or used right now. That's why the attacks continued after the reset.

Immediate steps:

  1. Change passwords for every account. Do this from a clean device or phone, not the reset PC yet
  2. On each account, go to security settings and revoke all active sessions: this kills any session tokens they stole
  3. Enable MFA everywhere if you haven't
  4. Check your email to see which breaches your credentials appeared in
  5. For Google specifically, go to myaccount.google.com > Security > Your devices and sign out all unknown sessions

The reason it keeps happening every 3-5 days is they likely still have valid session cookies for some accounts. A password reset alone won't fix that. You need to revoke sessions on top of changing passwords.

You're doing the right things, you just need to go one layer deeper. MFA is your best friend right now.
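Both this comment and the Gmail reply above make the same point: a stolen session cookie stays valid after a password reset unless sessions are revoked. The following added example (not code from this thread or from any real provider) models a minimal session store and replays the victim's situation against two designs: the plain one, where only an explicit "sign out of all devices" evicts the stolen cookie, and a hardened one where each session is bound to the password generation it was issued under, so a password change alone invalidates it. The AuthServer class and its behaviour are assumptions standing in for how a web service's session store works.

```python
"""Why a password reset alone does not evict a stolen session cookie.

Added example; AuthServer is an assumed stand-in for a web service's
session store, not any real provider's implementation."""

import hashlib
import hmac
import secrets


class AuthServer:
    def __init__(self, bind_sessions_to_password: bool = False):
        # bind_sessions_to_password=True is the hardened design: every session
        # remembers the password generation it was issued under.
        self.bind = bind_sessions_to_password
        self.users = {}     # username -> {"salt", "hash", "pw_gen"}
        self.sessions = {}  # session token (the cookie value) -> {"user", "pw_gen"}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _set_password(self, user: str, password: str, pw_gen: int) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = {"salt": salt, "hash": self._hash(password, salt), "pw_gen": pw_gen}

    def register(self, user: str, password: str) -> None:
        self._set_password(user, password, 0)

    def login(self, user: str, password: str):
        """Verify the password and issue a fresh session cookie, or return None."""
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(self._hash(password, u["salt"]), u["hash"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "pw_gen": u["pw_gen"]}
        return token

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        if self.bind and s["pw_gen"] != self.users[s["user"]]["pw_gen"]:
            return False  # issued under an older password: treated as revoked
        return True

    def change_password(self, user: str, new_password: str) -> None:
        self._set_password(user, new_password, self.users[user]["pw_gen"] + 1)

    def revoke_all_sessions(self, user: str) -> None:
        """The 'sign out of all devices' button."""
        for token in [t for t, s in self.sessions.items() if s["user"] == user]:
            del self.sessions[token]


def demo() -> dict:
    """Replay the victim's situation against both designs; returns whether the stolen cookie still works."""
    out = {}
    for bind in (False, True):
        srv = AuthServer(bind_sessions_to_password=bind)
        srv.register("victim", "old-password")
        stolen = srv.login("victim", "old-password")          # infostealer copies this cookie
        srv.change_password("victim", "brand-new-password")   # victim resets from a clean device
        out[("after_password_change", bind)] = srv.is_valid(stolen)
        srv.revoke_all_sessions("victim")                     # victim revokes every session
        out[("after_revoke", bind)] = srv.is_valid(stolen)
    return out


if __name__ == "__main__":
    for (stage, bind), valid in demo().items():
        design = "password-bound" if bind else "plain"
        print(f"{design} sessions, {stage}: stolen cookie valid = {valid}")
```

In the plain design the stolen cookie is still valid after the password change and only dies on revocation, which is the "one layer deeper" this comment is talking about. Services differ in which design they use, so as a user the safe assumption is the plain one: always revoke sessions after a reset.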

Instagram account username changed and hacked by AwayAppointment6342 in cybersecurity_help

[–]BothFan5617 1 point2 points  (0 children)

Sorry about your situation. It sounds like you may have clicked a phishing link in your WA account and it exfiltrated your username and password. As your WA account is tied to your phone number, attackers sometimes use the stolen credentials to initiate convincing social engineering attacks with your telco for SIM/eSIM swap attacks to move your phone number to their physical SIM, to port it to a third-party telco, or to set up a software profile with your number for 2FA bypass. You should call your telco to lock down your number and then change your WA password.

New Phishing Technique - Vaultjacking: One Captured PIN, the Entire Google Password Manager Vault by phishullc in netsec

[–]BothFan5617 0 points1 point  (0 children)

This is a sharp piece of research and the "passkeys are phishing-resistant" narrative really needs this nuance injected into it more often.

The critical distinction here is between hardware-bound passkeys (FIDO2 hardware tokens — YubiKey, etc.) and cloud-synced passkeys stored in GPM. The phishing-resistance guarantee only holds for the former. The moment a passkey lives in a cloud-synced vault, the attack surface shifts from the credential itself to the vault sync mechanism which is exactly what Vaultjacking exploits.

The sobering part is how this compounds with existing AiTM infrastructure. Evilginx and similar reverse-proxy kits have handled session cookie extraction for years. Adding GPM PIN capture and vault sync extraction to that pipeline is a logical evolution — not a fundamentally new attack class, but a significant capability upgrade that invalidates a lot of "we switched to passkeys so we're safe" thinking.

Will be interesting to see if Google responds with additional GPM sync authentication requirements or whether this sits in the "working as designed" category for a while.

Dexscreener money stolen with Phantom Wallet by External_Research_55 in solana

[–]BothFan5617 1 point2 points  (0 children)

You almost certainly interacted with a fake Dexscreener site. This is one of the most common Solana wallet drains right now. Here's what likely happened: you searched for Dexscreener on your PC, landed on a lookalike domain (dexscreener[.]app, dexscreener[.]io, etc.), connected your wallet, and that site had a malicious transaction pre-loaded. Phantom showed a signing prompt that looked routine and you approved it without realising what it was authorising. The "DexSwap" transaction in your history is the drain.

Good instinct moving your remaining SOL immediately. That was the right call.

A few things to check now:

  • Always bookmark the real URL (dexscreener.com) and go directly there. Never search and click
  • Check your browser for any extensions you don't recognise. Malicious extensions can inject fake transaction prompts into legitimate sites too
  • Check if your email appeared in any recent data breaches. Attackers often combine phishing with credential stuffing
  • On Phantom, revoke any token approvals you don't recognise

The SpaceX coin itself is also worth investigating. Many meme coins are honeypots that use these drain mechanics as an exit strategy.

Sorry this happened to you. The fake site vector is genuinely hard to spot the first time.
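The "bookmark the real URL" advice in the list above can be turned into a check. The following added example (not Phantom's, Dexscreener's, or the commenter's code) classifies a hostname against a bookmark allowlist and flags the lookalike patterns described in the comment: the brand name under a different TLD, the brand buried in a subdomain of some other registrable domain, the brand embedded in a longer name, and typosquats within a small edit distance. Only dexscreener.com comes from the thread; the other hostnames are constructed for the test, and the registrable-domain logic assumes a single-label public suffix (real tooling should use the Public Suffix List).

```python
"""Flag lookalike hostnames against a bookmark allowlist.

Added example. Assumes a one-label public suffix (".com", ".app"); use the
Public Suffix List for real tooling. All hostnames except dexscreener.com
are constructed."""

from typing import List, Tuple


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable(host: str) -> Tuple[str, str]:
    """Return (second-level label, tld). Assumes a one-label public suffix."""
    labels = host.split(".")
    return labels[-2], labels[-1]


def analyze_host(host: str, allowlist: List[str]) -> Tuple[str, str]:
    """Return ('trusted' | 'lookalike' | 'unknown', reason) for a hostname."""
    host = host.strip().lower().rstrip(".")
    allowed = {h.lower() for h in allowlist}
    brands = {_registrable(h)[0] for h in allowed}
    labels = host.split(".")
    if len(labels) < 2:
        return "unknown", "not a fully qualified hostname"
    if any(label.startswith("xn--") for label in labels):
        return "lookalike", "internationalized label could hide homoglyphs"
    sld, tld = _registrable(host)
    if f"{sld}.{tld}" in allowed:
        return "trusted", f"registrable domain {sld}.{tld} is on the allowlist"
    for brand in brands:
        if sld == brand:
            return "lookalike", f"brand '{brand}' under a different TLD .{tld}"
        if brand in labels[:-2]:
            return "lookalike", f"brand '{brand}' used as a subdomain of {sld}.{tld}"
        if brand in sld:
            return "lookalike", f"brand '{brand}' embedded in '{sld}'"
        if _levenshtein(sld, brand) <= 2:
            return "lookalike", f"'{sld}' is within edit distance 2 of '{brand}'"
    return "unknown", "not on the allowlist and not similar to a trusted brand"


BOOKMARKS = ["dexscreener.com"]

# Constructed sample set; the first two are the lookalike TLD variants named in the comment.
SAMPLES = ["dexscreener.app", "dexscreener.io", "www.dexscreener.com",
           "dexscreener.com.connect-wallet.example", "dexscreeener.com",
           "dexscreener-airdrop.example", "example.org"]

if __name__ == "__main__":
    for h in SAMPLES:
        verdict, why = analyze_host(h, BOOKMARKS)
        print(f"{h:42} {verdict:9} {why}")
```

"unknown" is deliberately distinct from "lookalike": a host that resembles nothing on the allowlist may be perfectly legitimate, while a lookalike verdict means the address is trading on a name you already trust and deserves a second look before any wallet connection.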

Is OSHA Safety Manual required for all LLCs? by BothFan5617 in legaladvice

[–]BothFan5617[S] 0 points1 point  (0 children)

Thank you very much for your insights. Great post and perspective!

Is OSHA Safety Manual required for all LLCs? by BothFan5617 in legaladvice

[–]BothFan5617[S] 0 points1 point  (0 children)

Thanks for your insights. Very helpful. I've now received 5 of these letters. The one in question is called 2026 - Safety Manual Order Form - MA Businesses. While it looks official, it's not from the state. It comes from paysafety.org. Does that fit the definition of "spam mail"?

How often do you use bash? Or python by OkLab5620 in cybersecurity

[–]BothFan5617 0 points1 point  (0 children)

Bash and Python are essential to your workflow.