Editor’s Note: When malware repository vx-underground launched in 2019, it hardly made a splash in the hacking world. “I had no success really,” said its founder, who goes by the online moniker smelly_vx.
But over the last couple of years, the site’s popularity has soared thanks in part to its robust Twitter presence that mixes breaking cybersecurity news with memes. The site now bills itself as “the largest collection of malware source code, samples, and papers on the internet,” with about 35 million samples overall.
vx-undergound operator smelly_vx recently talked to Recorded Future analyst and product manager Dmitry Smilyanets about the site’s goals, finances, and plans for the future. The interview, which was conducted over email in English, has been lightly edited for clarity.
Dmitry Smilyanets: I would like to start from the very beginning — please introduce yourself.
I am in my early 30s. I have a wife. I have a dog. I don’t think I can say anything else which is interesting or important.
DS: Tell me about the site’s background — how did it start, how did you build it into what it is today?
VX: About vx-underground — it was created to act as the successor to the legendary vxHeaven (created by the Ukrainian dude herm1t). When I was a teenager I discovered vxHeaven and learned tons from it. It was an invaluable asset. Around 2017 or so, when I was a software engineer, I got tired of writing malware (as a hobbyist) by myself.
I began looking for vxHeaven, or whatever it had become. I was unable to find anything, to my disappointment, and one day on some random IRC server I discovered, I was conveying my disappointment to a guy named Phaith and he said to me, “Well, if you miss it so much, why don’t you make your own?” I thought this was a good idea — why not make my own? And that is precisely what I decided to do. The issue I faced was that my background was in low-level development, I primarily did C/C++ development on the Windows platform. I did not have any skills in web development, web security, system administration, etc. I also did not have any contacts, I had been a “lone wolf” for nearly a decade at this point — I was a “nobody.” However, I decided this shouldn’t be a restraining factor so I bought some random bullshit hosting, purchased the domain name ‘vx-underground’ and got to work.
I officially made vx-underground in May 2019. I had no success really, I did not have a Twitter account or any contacts or any relationships in the information security industry. I made the vx-underground Twitter account in August 2019 and, interestingly, shortly after I made the account I was contacted by a guy named Bane. Bane was a member of a group called ThugCrowd. They had a large follower base on Twitter (20,000+), they had connections, they knew their way around things, blah blah blah. ThugCrowd was very kind to me and supported the idea of a new vxHeaven. They introduced me to some people who also liked the idea of a new vxHeaven.
Unsurprisingly, in October 2019, vx-underground was banned from a lot of web hosts. I had places which housed neo-Nazis, pornography, and gambling, deny my hosting.
Nobody wanted to house malware samples, the only way I was going to get the ability to house malware samples was if I had become a company, and did paperwork and all sorts of bullshit. I did not like this idea. Luckily, and to my surprise, the people over at ThugCrowd introduced me to a group of people behind TCP.DIRECT. They also liked the idea of a new vxHeaven, as the main group of people behind it also had been on the vxHeaven forums ages ago. They assisted me with hosting, handling the web security, etc. This was very beneficial for me because, as TCP.DIRECT will confirm, I am a complete idiot with anything system administrative/web security related.
Following this introduction to TCP.DIRECT, vx-underground had essentially zero restraint. I was able to upload malware samples, malware papers, malware source code, etc. as much as I liked. The only thing I had to do then was add content and be consistent. Along the way I met a guy from the [Commonwealth of Independent States], Neogram, who assisted me with Russian translations and giving me a (metaphorical) tour of the CIS malware scene. This expanded my horizon and gave vx-underground better insight into current malware trends.
All of this happened very quickly, this ‘story’ encapsulates what happened between August 2019 and December 2019.
DS: What are your mission and goals?
VX: I don’t know. vx-underground is a library, our goal is basically to… collect malware samples, papers, and code? It exists and that is it. The closest thing to a ‘goal’ we have is simple: “more papers, more samples, more code.” It is as simple as that.
DS: Are you financially motivated? How do you monetize your work? Is it lucrative?
VX: No, we are not financially motivated. vx-underground is fueled by passion and love for the ‘game.’ In 2021 vx-underground made $13,000 all from donations. Every time I tell people vx-underground does not make money I am always greeted with shock and surprise. It appears people are unable to comprehend someone would do something for passion rather than financial gain. This is disappointing.
DS: One may say you are a threat actor group. Are you?
VX: This is an invalid question. Who says vx-underground is a threat actor? I will share something that the general public (probably) doesn’t know.
vx-underground has connections to a lot of people in the industry. Our internal group is composed of people from:
— Anti-virus companies
— Threat intelligence companies
— Incident response companies
— Universities (academics)
— “Red Team” companies
Because of this, we have our hands in a lot of different baskets and we have pretty good visibility on who-is-who, who-is-doing-what, etc. Outside of our internal group we also have additional resources. Anyone who believes we are a threat actor is being silly.
DS: How many malware researchers help you with your portal and collections? Do you work “regular jobs” or is this a full-time gig?
VX: A lot. We’ve spoken with individuals from basically every single AV/EDR [antivirus and endpoint detection and response] vendor on the planet. We all have regular jobs, vx-underground doesn’t make enough money (as stated previously).
DS: Why do you provide well-indexed malware samples?
VX: We provide malware samples because we like malware. Also, VirusTotal is ridiculously fuckin’ expensive. They have a good product, the people at VirusTotal are very nice, but the management/business people there probably hate our guts.
Hey VirusTotal, we’re not trying to become your competitor =D
DS: Are there any big changes coming up for the portal? What are your plans for the future?
VX: We have no plans. Our plan is to keep adding content daily. We keep it simple.
DS: How big is your collection and what is your most precious asset? What is the coolest sample you’ve got?
VX: We are close to 35,000,000 samples. This is small compared to AV vendors who take in millions upon millions of files daily. However, for a small group of people this is pretty good. We have no precious assets, we share every sample we get. But, the coolest are probably the APT [advanced persistent threat] samples.
DS: How often do you get unsolicited, “previously not seen” files from an individual?
VX: Recently, thanks to the wonderful people at ReversingLabs, we have an unfathomable amount of “never seen before” samples. From “individuals,” however, we get DMs, tags (on Twitter), emails, Discord messages, or Telegram messages, about content/leaks/additions almost daily. We appreciate these people =D
DS: What countries do you get most of your file submissions from?
VX: Probably anything NATO-based. We get a lot of people from the USA or EU contacting us about samples or papers. This isn’t surprising though, as most of our followers are from these countries.
DS: Have you ever hesitated to share files you received? Or NOT shared files? Why?
VX: Yes, in the past when we received ransomware source code we were hesitant to share it. Although we believe in freedom of information, sometimes when we receive completely weaponized code we do not want to indirectly aid amateur criminal groups. However, nine out of ten times it does not matter, because the code ends up on Telegram, various forums, etc. Us not sharing it may prohibit or restrict legitimate researchers the ability to also review it. Yes, we have received some files we never shared. We never shared them because these files are not malware-related and would probably piss off Big Brother. We are not WikiLeaks or DDoSecrets, we’re a malware library.
DS: Have you had issues with law enforcement? Are you worried about getting shut down/arrested?
VX: No, we have never had problems with law enforcement. I have been very open about certain aspects of vx-underground and we do not commit crime. What is there to fear? =D
DS: Who creates the pictures you share on Twitter? How did you pick that style? Do you think it matches the malware topic?
VX: Some of the art work is done by Nico. She is our graphic designer. She does incredible work. Other pieces of art are located online by various individuals from vx-underground but a large majority comes from a person in our group named Ethereal. In the ’90s and early 2000s there was a malware research group named 29a (hex for 666). 29a always used a very dark aesthetic with their work and we carried that tradition over. Unfortunately, malware development is a taboo subject in the information security scene, we are disenfranchised, we are seen as the ‘boogey-man.’ You have 10 million “hacking is not a crime” advocacy groups, but if we tweet, “Writing malware is not a crime,” people will go absolutely fuckin ballistic.
DS: Do you worry about actions being taken against you by governments, or pissed-off organizations/people?
VX: No, we try very hard to remain neutral with everyone. We do not like drama or conflict. Whenever someone (or some organization) has an issue with us we are always willing to discuss the issue.