How the Nigerian Businessman Hacker “Bill Henry” Twisted the Underworld

By Bill Toulas / March 17, 2020

Check Point researchers have managed to track down a Nigerian hacker whom they call “Dton,” while his full identity has been shared with the authorities already. For his online victims, he was known as “Bill Henry,” and he had a successful campaign so far, managing to run a six-figure fraud campaign. Dton started by buying stolen credit cards from the “Ferrum Shop” darknet marketplace, a place where he has spent over $13,000 since 2013. The cost of cards there ranges from $4 to $16, while the maximum withdrawal that Dton has been trying for each time is 200,000 Nigerian Naira (NAN), the equivalent of about $550.


Source: CheckPoint Research

At some point, Dton decided that he no longer wishes to pay Ferrum Shop for stolen cards, so he moved to the next step, which was to steal credit card details on his own. He bought a kit of packers, crypters, info-stealers, and keyloggers, and quickly set up his arsenal. Soon, Dton got tired of having to pay for the packers too, so he thought that he’d better create his own custom-built malware, set up a RAT-spamming operation, and send thousands of emails with malicious attachments. So he paid someone to do it for him, figuring out that if he has a unique RAT, no anti-virus databases could have known about it, so he doesn’t have to pay for obfuscation.

private rats

Source: CheckPoint Research

But there’s a twist. Dton has actually planted malware on the machine of the developer who had built the custom remote access tool for him. In fact, he tried to do the same with every person he did business with. The reason for this was to extort them by threatening to report their activities to Interpol. Having numerous screenshots gathered from their machines would make it easy to hand over all the juicy details to the authorities. So, Dton presented absurd demands to his accomplices, and if these weren’t satisfied, the nonconsenting crooks got reported to the law authorities.


Source: CheckPoint Research

And here’s another twist: Dton is not a full-time hacker, but a hard-working content creator, entrepreneur, and a respected innovator among the Nigerian upper class. He is an accomplished business administrator admired by his colleagues by day, and by night a ruthless cybercriminal entrepreneur feared even by his accomplices. If there’s a takeaway from this story, it is that you can never be too vigilant online. Actors like Dton know next to nothing about coding, yet they don’t need to anymore. Exploit kits, packers, obfuscators, and even custom malware can all be paid for nowadays, so make sure that you’re doing absolutely everything possible to avoid being that low-hanging fruit.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: