Investigating Brazilian Discord Stealers and Their Developers

Introduction

A new Brazilian infostealer, Now Stealer, emerged in January 2025 and is sold through Discord and websites. Developed by a group of Brazilian hackers, the stealer is linked to other malicious software such as Iluria Stealer and Nikki Stealer.

Now Stealer: Overview and Distribution

The Now Stealer was found to be promoted through the Discord server “nowstealer” (Discord ID: 1317648730610077757) and the following associated websites:

| Domain | Registration Details | Hosting & IP Information |
| --- | --- | --- |
| nowstealer[.]cc | Registered via HOSTINGER Operations, UAB on 30 January 2025 | Uses Cloudflare, but underlying server IP is 191[.]96[.]224[.]103 (Tyna Host Datacenter, São Paulo, Brazil) |
| bla4ckxcenter[.]shop | Registered via HOSTINGER Operations, UAB on 11 April 2024 | |
| columbine[.]cc | Registered via HOSTINGER Operations, UAB on 6 February 2025 | |

A description of the stealer is provided below.

 

Payment Methods

The stealer is sold via nowstealer[.]cc and within the “nowstealer” Discord server. Payments are accepted through:

  • Brazilian PIX
  • Litecoin (LTC)

A decoded PIX QR code revealed the merchant name “LIVEPIX” (livepix.gg), based in São Paulo, Brazil.

Additionally, investigations into the Litecoin (LTC) address LYVz8AeZAYEkHG62Xz2qYcQV9UKAEE8s32 revealed transactions leading to the Bitso.com exchange.

Key Operators of Now Stealer Discord Server

The key operators of the “nowstealer” Discord server are detailed in the table below:

| Display Name | Username | Discord ID | Member Since | Associated Accounts |
| --- | --- | --- | --- | --- |
| Outlier | nowsteal | 1313944026335936582 | 4 Dec 2024 | N/A |
| Outlier | stealernow | 1318829650486759434 | 18 Dec 2024 | N/A |
| Haika | 429limit | 1324767421868802056 | 3 Jan 2025 | GitHub (Email: oghaikaz@gmail.com), Spotify |
| Haika | nowstealers | 1187088678871388191 | 20 Dec 2023 | GitHub (Email: oghaikaz@gmail.com), Spotify |
| Haika | nowdata | 1323713872590409832 | 31 Dec 2024 | GitHub (Email: oghaikaz@gmail.com), Spotify |
| Haika | 76868678123 | 1310393824157368426 | 24 Nov 2024 | GitHub (Email: oghaikaz@gmail.com), Spotify |
| Haika | slovakx | 1286709948205633600 | 20 Sep 2024 | Links to nowstealer[.]cc, columbine[.]cc, Telegram: t.me/nowstealer |
| Futur3 | nowstealer | 1170900226844934225 | 6 Nov 2023 | GitHub (Email: guzinho77+1@gmail.com), Links to discord.gg/nowstealer, Telegram: t.me/nowstealer |

Outlier’s Background: Iluria Stealer Connection

The user Outlier was previously identified by Cyfirma as a developer of Iluria Stealer, alongside Ykg, Noxty, and Ness.

Key findings from historic digital traces:

  • A historic YouTube channel associated with Outlier, named outlieriluria, contained a video “GERADOR DE NITRO 2K22 BY DADDY & SLZ” (25 October 2022) showcasing his desktop with a user directory: C:\users\gusta (desktop timestamp: 22 October 2022)
  • This video also promoted a Discord Nitro Generator developed by a Discord user “ytzmo#8888”, who is no longer active under this username

Ykg – Links to Iluria and Nikki Stealer

Cyfirma found that Ykg was the owner of Iluria Stealer and a former CEO of Nikki Stealer, as mentioned in their Discord bio.

Further investigations into Ykg revealed:

  • Historic Discord username: “ykg57” (inactive)
  • Historic YouTube channel: “ykgg77” (display name: “Ykgg$$”) showed the Discord server of Iluria Stealer (inactive)
    • Video evidence I: “DISCORD BADGES SCRAPPER NO RATE LIMIT 2024” (18 December 2023): Their desktop screen displayed “C:\users\jpber”, suggesting the user’s name initials could be “JPBER”. Additionally, in the description, they showed another Discord username, “ykg7”, and the website badgeshop[.]site (domain previously registered through Hostinger Operations, UAB on 19 September 2023)
    • Video evidence II: “NEW MASS DM DISCORD 2023” (20 May 2023): Their desktop screen displayed “C:\users\jp” suggesting potential initials “JP” for the user’s name
  • Both usernames, “jpber” and “jp” may represent initials derived from the real name of Ykg
  • Potential related Discord account: “ykg” (ID: 404575407321513984; registered 21 January 2018)
  • New Discord account of “ykg7” => “Xanaxshy” (ID: 1283799972495753228; registered 12 September 2024)
  • Associated websites: badgeshop[.]site, nikkistealer[.]com

Iluria Stealer Social Media Accounts

Further investigation into the Iluria Stealer has uncovered the below social media accounts.

| Platform | Username / ID | Notes |
| --- | --- | --- |
| Bluesky | iluriastealer.bsky.social / did:plc:46iezk4lfj5bhezakcubbbt3 | Registration Date: 1 September, 2024. The account advertises the Discord server “rdk”, which is currently named “Olx e a NATA” |
| Telegram | Iluriastealer / 7563450344 | Registration Date: 5 June, 2024 |

 GitHub Leak by “Nfoisking”

Historic records indicate that a GitHub user named “Nfoisking” posted and leaked the source code for the Iluria Stealer malware under the repository “iluriastealer-leak”. Both the GitHub account and the repository have since been deleted.

Nfoisking’s Online Presence

Investigations into the username “Nfoisking” have uncovered accounts on Telegram and Discord. Below is a summary of the user’s online presence:

| Platform | Username / ID | Notes |
| --- | --- | --- |
| Telegram | nfoisking / 7068485643 | Registration Date: May 2024. Historic display name: JhulyaMontês (as of 3 June, 2024) |
| Discord | Nfoisking / 1333547533212975139 | Registration Date: 27 January 2025. Nfoisking is a member of Now Stealer Discord server (ID: 1317648730610077757). Their bio displayed the inactive Discord server discord.gg/nfoshop and the parked domain nfo.lat (registered with Hostinger Operations, UAB on 29 January, 2025) |

Our investigation also uncovered a domain name associated with the user:

  • Domain: nfoisking.com
  • Registration Date: 27 April 2024
  • Registrar: Hostinger Operations, UAB
  • Current Status: The domain redirects to the Discord server “rdk” (discord.com/invite/rdk), which is currently named “Olx e a NATA”

Nikki Stealer – Background & Developer “Sk4yx”

Nikki Stealer was linked to Ykg, a former “CEO”, and further associated with the developer “Sk4yx”.

Cyfirma’s analysis of the Nikki Stealer Telegram channel (created 23 October 2023) revealed similarities with another Telegram channel linked to Crow Stealer. The developer of both malware strains was identified as “Sk4yx”. Further investigations exposed an Instagram account, “Sk4yxx”, which linked to a historic Discord account, “Sk4yx#1337”, and the domains nikkistealer[.]com and bloxbets[.]com. Sk4yx’s bio described him as a “Python coder” and “ex defacer”.

The domain nikkistealer[.]com was re-registered through Hostinger Operations, UAB on 26 January 2025. Currently, the website indicates that “sk4yx” has returned and is available on Discord via the account “s85k” (Discord ID: 1334950182219022366).

Historic Hacking Activity

Sk4yx’s hacking activity was documented on br.zone-h.org between 26 February, 2023, and 10 June, 2023. He was associated with hacking the following websites:

| Domain | Date |
| --- | --- |
| wallstreetinvest.com.br | June 10, 2023 |
| wallstreetdaytrade.com.br | June 10, 2023 |
| itabiranet.com.br | March 2, 2023 |
| luppet.com.br | February 28, 2023 |
| businesshackers.com.br | February 26, 2023 |
| mentoriamakers.com.br | February 26, 2023 |
| dopaoaocaviar.com.br | February 26, 2023 |

Historic Twitter Account

The historic Twitter account of sk4yx (username: “nosk4y”; suspended) was created in February 2021.

sk4yx posted screenshots of similar attacks against Brazilian websites. A screenshot posted by sk4yx (username: “nosk4y”) on his former Twitter account is shown below via WebArchive.org.

Sk4yx’s Digital Footprint

Investigations into the usernames “Sk4yx”, “Sk4yxx”, and “s85k” uncovered the following accounts:

| Platform | Username / ID | Notes |
| --- | --- | --- |
| Instagram | sk4yxx / 53884343837 | Registration: July 2022. Historic Discord account “Sk4yx#1337”. Linked to nikkistealer[.]com and bloxbets[.]com. Bio: “Python coder” and “ex defacer” |
| Telegram | @sk4yxx / 6470681452 | Registration: September 2023. Historic username: systemexx |
| GitHub | sk4yxx / 116444828 | Registration: 22 October, 2022. No activity |
| Deviantart | sk4yx / F598381C-D245-4B07-7525-E23A48892738 | Registration: 13 November, 2021. Location: Brazil |
| Discord | s85k / 1334950182219022366 | Registration: 31 January, 2025 |
| Matrix[.]org | sk4yx | |
| tryhackme.com | sk4yx / 835677 | Location: Brazil |
| osu.ppy[.]sh | 35217187 | Registration: 19 January, 2024. Location: Brazil |
| YouTube | Sk4yx / UCraUqDsnaASG73i0K0U-F0Q | Registration: 23 November, 2024. Link: youtube.com/channel/UCraUqDsnaASG73i0K0U-F0Q |
| Pypi[.]org | sk4yx | Registration: 5 December, 2021. Profile Url: pypi.org/user/sk4yx/. Emails: sk4yx@nikkistealer.com, skayz.oficial3@gmail.com |
| Fivemdev[.]org (The largest Fivem community in Brazil) | 5117-sk4yx | Registration: 29 July, 2024. Topic: BLOCK NPS CARS FOR FIVEM (a multiplayer modification framework for GTA V game). Profile Url: fivemdev.org/profile/5117-sk4yx |
| Unknowncheats[.]me (forum) | sk4yx | Registration: 16 October, 2023. DOB: 18 June 2000 (24 years old). Profile Url: unknowncheats.me/forum/members/5757666.html |

Additional investigations have revealed an historic YouTube channel “@sk4yx787” (registered: 6 January 2022). The YouTube channel posted 3 videos and 2 shorts about gaming cheats in Brazilian Portuguese. The YouTube video, “highlight wanless cheat cs2” (posted on 20 October 2023) showed the user’s computer screen displaying C:\users\skayz and OneDrive name “Luis”. The video description included the Discord account “sk4yx”.

Telegram Group: “nikkist” (Nikki Stealer)

Further investigations on Telegram uncovered a group named “nikkist” (nikkistealer), owned by sk4yxx (Telegram ID: 6470681452). Recent activity in February 2025 marked the return of sk4yxx, who posted updates about Nikki Stealer v10 and shared pricing options:

  • Nikki Stealer Normal: $20 monthly or $40 lifetime
  • Nikki Stealer Premium: $30 monthly or $120 lifetime

Zyro: The Infostealer Promoter

A Discord and YouTube user, “zyromusics” (display name: “Zyro”; registered 4 February, 2025), posted videos about Brazilian infostealers and their developers. In the video “sk4yx & nfo – Zyro”, Zyro revealed the Discord accounts of “sk4yx” (developer of Nikki Stealer; 9 years on Discord) and “nfo” (A.K.A. “nfoisking”, also associated with Nikki Stealer; 9 years on Discord). “sk4yx787” commented on the video with “amo vocês! <3” (I love you! <3).

Zyro also promoted Now Stealer and Vystealer in their videos. The Vystealer video linked an inactive Telegram channel (t.me/vystealer) and an inactive Discord server (discord.gg/vygang) to “nfo” (“nfoisking”). Zyro is a member of the “nowstealer” Discord server (ID: 1317648730610077757) and promotes their own Discord server (discord.gg/UARugyyvQs) in their YouTube bio.

Who is Sk4yx?

Investigations corroborated information from two accounts:

  1. PyPI.org user account “sk4yx” linked to the email skayz.oficial3@gmail.com
  2. YouTube video “highlight wanless cheat cs2” (20 October, 2023) displayed C:\users\skayz and OneDrive name “Luis”

The email skayz.oficial3@gmail.com was registered on the following platforms:

| Platform | Details |
| --- | --- |
| Google | ID: 114534259348190607132 |
| AliExpress | ID: 2736396975. Username: LuisAfonso_4324407014. Registered: 13 July 2021 |
| Twitter / X.com | N/A |
| GitHub | N/A |
| Blaze (gambling platform) | N/A |

These findings suggest that the name behind the username “sk4yx” is highly likely Luis Afonso.

The only additional lead identified during the investigation is a Facebook account under the username “skayz.ffbr”. The account indicates the location as São Paulo, Brazil.

Who is Behind Now Stealer? “Haika” and “Futur3”

“Haika” has been linked to at least five Discord accounts and is identified as the owner and developer of Now Stealer.

His GitHub account, oghaika, is registered with the email oghaikaz@gmail.com, which is linked to Google, Facebook, Apple, Stripe, PayPal, and AliExpress. A summary table of the accounts registered with the Gmail address on different platforms is provided below.

| Platform | Username / ID | Details |
| --- | --- | --- |
| Google | ID: 110412116382656660288 | |
| Facebook | N/A | |
| Apple | N/A | Phone Hint: (+55) *****-**22 |
| Stripe | N/A | Phone Hint: +55*********24 |
| PayPal | N/A | Email Hint: ***az@gmail.com |
| Aliexpress | Ae351025User_6256750486 | Registration: 9 January, 2025. Location: Brazil |
| GitHub | Oghaika / 179030237 | Registration: 21 August, 2024. Location: Brazil. Top Language: PHP (25.0%). Followers: sytrs (active member of the “nowstealer” Discord server, ID: 1317648730610077757); ftrzg0d (“Futur3”); KodavaSolutions |
| Steam | N/A | |

 A follower of the GitHub account “oghaika” is “sytrs”. The latter is an active member of Discord server “nowstealer” (Discord ID: 1317648730610077757). Their Discord account, “sytr2s” (display name “sytr”; Discord ID: 1286774363453915272; registered: 20 September, 2024) was found to be linked to the website doxmyass.com[.]br, registered by Arlinda Elziria Souza Soares (38 years old) on 4 November 2024, with the email haixcrime5@gmail.com.

The GitHub account “oghaika” also links to the email haikax@gmail.com (found to be registered on Pinterest), Instagram “haikazx” and Facebook “Haikazx”.

A summary table for the accounts discovered for the username “Haikazx” is shown below.

| Platform | Username / ID | Details |
| --- | --- | --- |
| Instagram | Haikazx / 53865581878 | Registered: June 2022. Phone Hint: +** ** *****-**32. Bio: Secundária @haika.php. Former usernames: 5 |
| Facebook | Haikazx / 122108554982393492 | Name: Haika Lmf. Profile Url: facebook.com/haikazx. Email Hint: d*****e@gmail.com. From São Paulo, Brazil |
| YouTube | Haikazx / UCCSbkWTyzYErEltCyPCNYTQ | Registered: 25 September, 2023 |
| Telegram | Haikazx / 6336725401 | Registered: August 2023. Active in at least 18 groups |
| Discord | Haikazx | |
| Disqus | Starfoxxt | Name: Haikazx. Posts about gaming in Portuguese |

The Instagram bio of “Haikazx” mentions a secondary account, “haika.php”, which has been linked to:

  • Snapchat username haika.php (display name: Joao Lucas).
  • ngl.link username haika.php (location: Brazil); used for anonymous messages

“Futur3” (username: nowstealer; Discord ID: 1170900226844934225) is associated with the GitHub account “ftrzg0d”, registered with the email guzinho77+1@gmail.com.

An analysis of the Gmail address uncovered the accounts below.

| Platform | Username / ID | Details |
| --- | --- | --- |
| Google | ID: 115031848459996724638 | Visited Orlando, Florida, US in August 2023 |
| Facebook | N/A | Email Hint: g*****7@gmail.com |
| OK[.]ru | N/A | |
| GitHub | ftrzg0d / 193301794 | Registered: 31 December, 2024. Location: Brazil. Links to Instagram account: futurewxq (ID: 63969607931; registered: January 2024; Former usernames: 3; displayed location: Rio de Janeiro) |

Their GitHub account “ftrzg0d” also links to the Instagram account “futurewxq” (registered: January 2024).

Further investigations revealed the recovery email guzinho77@gmail.com for the above Gmail. The recovery email guzinho77@gmail.com is linked to the following accounts:

| Platform | Username / ID | Details |
| --- | --- | --- |
| Google | ID: 115031848459996724638 | Visited Orlando, Florida, US in August 2023 |
| GitHub | N/A | |
| Chess[.]com | VagrantStory / 67673660 | Registered: 7 November, 2019. Location: Brazil |
| Dropbox | dbid:AACNUsOzPNqCD5PGd6MmMs4sOjMddwzrxuo | Name: Gustavo Caetano |
| Facebook | Vagrantzz / 2946683258783920 | Registered: December 2011. Name: Gustavo Caetano. Highly Likely location: Minas Gerais |
| Twitter / X | VagrantStory | Registered: July 2009. Potential compromised account (hacked). Location on 17 February, 2025: Minas Gerais |

The email guzinho77@gmail.com has been found associated with data breaches, revealing the following information:

| Database Leaked / Year | Information |
| --- | --- |
| EstanteVirtual, 2019 | Email: guzinho77@gmail.com. Address: Rua Contria 1500, Belo Horizonte, Minas Gerais, Brasil |
| Breached.vc, 2023 | Email: guzinho77@gmail.com |
| Life360 | Email: guzinho77@gmail.com. Name: Gustavo. Phone: +55-3192451290 |

 WhatsApp Business Account

The phone number +55-3192451290 is registered on WhatsApp as a business account under the name “Poseidon Moda Masculina” (a men’s clothing shop). The address is:

  • Av. Selim José de Sales, 618 – Canaã, Ipatinga – MG, 35164-504, Brasil

Two Instagram accounts for “Poseidon Moda Masculina” were identified:

  1. poseidonmodamasculina (registered January 2019): Same address as above
  2. poseidonmodas (registered March 2020): Address: R. dos Tamóios, 341 – i23 – Centro, Belo Horizonte – MG, 30120-050, Brasil
    • WhatsApp business account: +55-31994946442

Password pivoting revealed two additional email addresses:

  • guzinhogfx@gmail.com
  • guzinhogfx@yahoo.com

The email guzinhogfx@gmail.com is registered on Facebook under the name “Gustavo Henrique (Guzinho)” (ID: 100004785066823), indicating that Gustavo lives in Belo Horizonte.

Behind the Alias: Gustavo Caetano as “Outlier”?

Gustavo Caetano may be Outlier: a historic YouTube channel, “outlieriluria”, associated with “Outlier” displayed a desktop screen showing the device user “C:\users\gusta” in a video titled “GERADOR DE NITRO 2K22 BY DADDY & SLZ”, posted on 25 October 2022 (desktop timestamp: 22 October 2022). In the GitHub repositories “discord-profile-friends” and “discord-profile-friends”, Gustavo has also listed their Discord account @nowstealer.

Conclusion

Investigations into Now Stealer, Iluria Stealer, and Nikki Stealer have uncovered a network of Brazilian cybercriminals actively engaged in credential theft and malware distribution. The key actors—Haika, Futur3, Ykg, and Sk4yx—have been linked across multiple platforms, demonstrating extensive involvement in the cybercrime ecosystem.

The findings highlight the need for enhanced monitoring, law enforcement collaboration, and proactive cybersecurity measures to mitigate the threats posed by these actors.
