Cybercriminals continually adapt to law enforcement crackdowns, finding new ways to sustain underground operations and target businesses and public organizations. One such figure, operating under multiple aliases, has gained notoriety for developing and distributing malicious software designed to steal sensitive data.
Who is Fumentazo?
Known by various aliases, including “Unc Fumentazo”, “UnknownWebPT”, “FunnelHunel”, “Zixshore”, and “ExomSec”, this individual is the developer behind Bizfum Stealer. The source code for this malware is publicly available on his GitHub account, UnknownWebPT.
What is Bizfum Stealer?
Bizfum Stealer is an open-source stealer written in C, designed to exfiltrate sensitive data while evading detection by relying on native Windows libraries.
Key Features of Bizfum Stealer:
- Evades detection by leveraging ntdll.dll and bcrypt.dll
- Extracts browser cookies, stored passwords, Discord tokens, clipboard data
- Encrypts stolen data using AES encryption, with the AES key further secured by RSA encryption
- Uses Telegram for exfiltration, sending encrypted data links via a Telegram bot and uploading to GoFile
Cyfirma has published a detailed analysis of Bizfum Stealer.
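One way to hunt for the exfiltration pattern in the feature list (a GoFile upload paired with a Telegram bot message), as an added example that is not from the original article or from Cyfirma's report. The hostnames `gofile.io` and `api.telegram.org`, the log format, the browser allowlist and the five-minute window are assumptions, and the sample log lines are constructed.

```python
# Added example: flag a process that resolves both a GoFile host and the
# Telegram Bot API host within a short window (DNS telemetry with process image).
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: public service domains; the article names only the services.
UPLOAD_SUFFIX = "gofile.io"
NOTIFY_HOST = "api.telegram.org"
# Assumption: processes expected to reach these services on user request.
ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}
WINDOW = timedelta(minutes=5)

# Constructed sample: "timestamp,host,process image,DNS query".
SAMPLE_LOG = """\
2025-01-20T10:00:01,WS-014,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,gofile.io
2025-01-20T10:02:10,WS-022,C:\\Users\\a\\AppData\\Local\\Temp\\updater.exe,store1.gofile.io
2025-01-20T10:02:14,WS-022,C:\\Users\\a\\AppData\\Local\\Temp\\updater.exe,api.telegram.org
2025-01-20T10:05:00,WS-031,C:\\Tools\\notify.exe,api.telegram.org
2025-01-20T11:30:00,WS-031,C:\\Tools\\notify.exe,upload.gofile.io
"""

def classify(query):
    """Map a DNS query to 'upload', 'notify' or None (exact or subdomain match only)."""
    q = query.lower().rstrip(".")
    if q == UPLOAD_SUFFIX or q.endswith("." + UPLOAD_SUFFIX):
        return "upload"
    if q == NOTIFY_HOST:
        return "notify"
    return None

def find_exfil_pairs(log_text, window=WINDOW):
    """Return sorted (host, image) pairs with upload and notify lookups inside the window."""
    seen = defaultdict(lambda: {"upload": [], "notify": []})
    for line in log_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, host, image, query = parts
        kind = classify(query)
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if kind is None or name in ALLOWED_IMAGES:
            continue
        seen[(host, image)][kind].append(datetime.fromisoformat(ts))
    return sorted(k for k, t in seen.items()
                  if any(abs(u - n) <= window for u in t["upload"] for n in t["notify"]))

if __name__ == "__main__":
    for host, image in find_exfil_pairs(SAMPLE_LOG):
        print(f"ALERT {host}: {image} resolved GoFile and Telegram Bot API hosts")
```

Either lookup alone is common and benign; the signal is the same non-browser process making both within minutes of each other.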
Tracking Fumentazo’s Activity
Fumentazo has been identified as an active member of the Exomium Security Discord server (ID: 1255624534795485315), where he operates under the alias “Unknown” (Username: 1337.web, Discord ID: 1255535398252187749, Registered: June 2024).
Past Aliases and Activity:
- Previously went by “Unc Fumentazo” and “zixshore”
- Another Discord account, “Fumentazo” (ID: 1217908524105863260), was found in the “Together C & C++” Discord server (ID: 331718482485837825)
- At least two previous Discord servers associated with “ExomSec” are currently offline, with no retrievable evidence
Key Personal Details (Based on Analysis):
- Likely based in Europe, frequently traveling between three countries
- Estimated to be between 18 and 26 years old, with aspirations to join his country’s cybersecurity military unit in 2025
- Spent at least two years in Sweden, speaks Swedish and French, and codes in five programming languages
- Physical stats: 185cm tall, 84kg
- StackOverflow profile “fmalheir-fmalheir” lists a location of Portugal Cove-St. Philip’s, NL, Canada
A Rising Name on BreachForums
Fumentazo, also known as FunnelHunnel (ID: 28215), joined BreachForums in August 2023. Before this, he operated under the username ExomSec (ID: 226117). His data was leaked on breached.vc, revealing that he registered with exomsec@gmail.com and an IP address traced to Helsinki, Finland (ISP: DNA Oyj, IP: 37.33.161.69).
In August 2024, he created a new BreachForums account, using the alias “Zixshore”.
Notable Activities on BreachForums:
- Sold stolen data from:
  - AmeriGas Azure Cosmos Production Database
  - Pridemarinegroup.com (contracts and worker data)
  - Loader Source Code (reflective DLL injection to bypass detection)
  - Modia’s Magento-based e-commerce platform
- Previously ranked at the top of BreachForums’ leaderboard for most messages posted.
- On January 14, 2025, “Zixshore” announced his application to become a staff member on BreachForums.
Potential Leads: Where is Fumentazo?
Analysis of Discord messages and breached data suggests that Finland is the most likely location for Fumentazo. Evidence supporting this includes:
- IP Address (37.33.161.69) from breached.vc links him to Helsinki, Finland.
- A screenshot posted by him on Discord for his bot “Spidey Bot” contained Finnish-language elements (“tänään klo”, meaning “today at”).
Appendix: Detailed Tables of Accounts and Activity
For a structured overview of Fumentazo’s social media, forum activity, email addresses, and cryptocurrency wallets, refer to the tables in the appendix below.
Appendix
- Social Media Accounts
Platform | Username / ID | Notes |
X.com | Fumentaz0 / 1817054487703334912 | Registered: July 27, 2024; Previously “UnknownWebPT”; Following emocat (@emocatT_T) |
X.com | WebUnknownP / 1768357346030338048 | Registered: March 14, 2024; Name: “jupiterunk”; Registered Email: exomsecowner@gmail.com; Following Robin (@D4mianWayne) |
Twitter.com | ExomSec | Account Suspended |
GitHub.com | UnknownWebPT / 182143294 | Registered: Sept 19, 2024; Developer of Bizfum Stealer; Email: exomsecowner@gmail.com |
GitHub.com | ExomSec / 120128879 | Registered: Dec 8, 2022; Developer of MIPS (Mass IP Scanner to find IPs with a certain port) |
Roblox.com | ExomSec / 5520637695 | Registered: Feb 2, 2024 |
Discord.com | exomsec / 1080208242065547355 | Registered: Feb 28, 2023 |
Discord.com | Fumentazo / 1217908524105863260 | Registered: March 14, 2024 |
Discord.com | 1337.web / 1255535398252187749 | Registered: June 26, 2024 |
Telegram (username) | Fumentazo / 5104917405 | Registered: March 25, 2022; Historic Username: Darknessfallo; Historic Display Names: Fumentazo, Operative Nightfall (AKA Funnel Hunnel)Daw, Operative Nightfall (AKA Funnel Hunnel); Member of Jacuzzi 2.0 (ID: 2018336281) |
Telegram (Channel) | ExomSec / -1001665401265 | Registered: December 2, 2022 |
Imgur.com | Funnelhunnel / 182106585 | Registered: June 8, 2024 |
StackOverflow.com | fmalheir-fmalheir | Registered: Oct 5, 2018; Location: Portugal Cove-St. Philip’s, NL, Canada |
- Forum Accounts
Forum | Username / ID | Notes |
BreachForums.ST | Fumentazo / Funnelhunnel (28215) | Registered: Aug 2023 |
BreachForums.ST | Zix / Zixshore (296589) | Registered: Aug 29, 2024 |
BreachForums (breached.vc) | ExomSec (226117) | Leaked data found |
Patched.to | ExomSec (348154) | Registered: June 9, 2024 (Banned) |
- Email Addresses
Email | Registered Platforms | Notes |
exomsecowner@gmail.com | Google (ID: 111865759474981303498); X.com (ID: 1768357346030338048) | Connected to GitHub and Twitter |
exomsec@gmail.com | Google (ID: 102572320196504865429) | Breached on breached.vc; Username: ExomSec; ID: 226117; IP: 37.33.161.69 |
zixshore@onionmail.org | BreachForums | PGP key registered under “zixshore” |
- Monero Wallets
Source | Wallet |
Discord | 86xFAz8w8qN1bEvcuUumRc64fS59UTNhQbWdoX7hzMuqdD9bNo4YKshjns1i6SV5oVhyARgfoDGfrdQNXkvwEbfpNTBLXUw |
Telegram | 49C7J5vf4g8RMrAP5pVPcdLqnNkhvbxs1FiBxoujiDwqDAJwaghsiBkWEpt6JM7Vw29nRWLxXjfhXXpa8enijpqFUb64U1C |