Unmasking Lawxsz: Attributing the Developer Behind Valkyrie and Prysmax Stealers

TL;DR

This is Part 2 of our investigation into Lawxsz, an Argentinian threat actor behind the Valkyrie, Prysmax, and Packit stealers, along with several RATs and supporting cybercrime services. Where Part 1 reverse-engineered the malware itself, this report focuses on the operator.

Through multi-vector OSINT (Telegram intelligence, underground forum breach correlation, infrastructure pivoting, and platform-specific enumeration), we collapsed a fragmented network of aliases (Lawxsz, Prysmaxadmin, Martinkwa, thesystemowner, Lukixploit, lawxsex, luquii, and Lucas555) into a single confirmed individual: Lucas Sa██bria, based in Eldorado, Misiones Province, Argentina.

Key attribution vectors that converged on the same conclusion:

  • Telegram-linked phone number with an area code (3751) mapping directly to Eldorado, Misiones
  • Argentinian IPs recovered from BreachForums and Breached.vc breach datasets
  • A GitHub OPSEC failure (github.com/thesystemowner) exposing thesystemowner@proton.me and the alias Lukixploit after his original account was banned
  • TikTok account enumeration via the password reset flow, surfacing the handle @luqo██c directly from the network response
  • A Pinterest username match producing a real-name candidate, confirmed through personal email pattern reconstruction and breach data correlation
  • A Google Maps review tying his personal email to a gym in Eldorado, the same city derived from the Telegram phone number
  • Consistent Argentinian-Spanish dialect, UTC-3 posting cadence, and concentrated participation in Argentina-focused groups

Beyond malware development, Lawxsz actively trades stolen credit card data and BINs, brokers large-scale credential aggregation tooling, commissions phishing kits, and deals in Argentine DNI data across BreachForums, DarkForums, Cracked.sh, HackForums, DemonForums, and multiple high-risk Telegram channels.

Introduction

This research is the second part of a two-part investigation into Lawxsz and his malware ecosystem. The first part, published at dexpose.io, covered a deep technical reverse engineering of the Valkyrie Stealer, analyzing its capabilities, evasion techniques, and operator profile. We recommend reading it first to understand the malware’s technical context before proceeding with this attribution report.

Lawxsz is an Argentinian threat actor and malware author responsible for developing and distributing a portfolio of stealers and remote access tools, including:

  • Prysmax Stealer
  • Valkyrie Stealer
  • Packit Stealer
  • Additional stealers and RATs

Beyond malware development, Lawxsz operates as a prolific cybercrime facilitator. His criminal activity spans multiple domains: selling and distributing fully undetectable (FUD) stealers and RATs, actively buying and selling stolen credit card data and BINs, commissioning phishing kits, trading Argentine national ID (DNI) data, and brokering access to large-scale credential aggregation tooling. He maintains an active presence across multiple underground forums including BreachForums, DarkForums, Cracked.sh, HackForums and DemonForums, as well as numerous high-risk Telegram channels where he recruits affiliates, offers programming services for malicious tools, and conducts direct transactions in cryptocurrency.

Where the first part focused on the malware itself, this report focuses on the person behind it, tracing a fragmented network of aliases, underground forum accounts, and infrastructure back to a confirmed real-world identity through multi-vector OSINT and breach data correlation.

Telegram Activity

Lawxsz operates an active Telegram presence under the user ID 1468758771, where he functions as a seller, developer, and facilitator across multiple cybercrime channels. His activity spans malware development and distribution, carding, credential stuffing, and PII trading, with a long-running operational footprint that extends back to at least January 2023 and continues through May 2026.

Malware Development & Distribution

His core line of work is the development and sale of fully undetectable (FUD) stealers and RATs. The most recent example is his Valkyrie Stealer, advertised on May 3, 2026 with the pitch “Valkyrie Stealer Services check my profile!! stealing passwords cookies wallets 200kb loader undetectable need affiliates”. Earlier activity from January 2023 shows the same business model under different product names, with offers such as “Stealer/RAT 100% FUD undetect dm! with reverse shell”. Beyond his own products, he has also brokered access to large-scale credential aggregation tooling, including a December 2023 sale of a tool he referred to as Sherlock, advertised as containing millions of records, thousands of databases, and over 100 APIs including IntelX, supporting username, password, email, and URL-based lookups.

Carding & Credit Card Trade

Carding is the second major pillar of his activity. He actively buys and sells BINs and credit card data, frequently posting in dedicated carding channels and using card generators against known BIN ranges.

A July 2024 post in “🇦🇷 Args Crew’s” group reads “ESTOY BUSCANDO BINS STRIPE y MUCHOS MAS! COMPRO CC’s”, showing active sourcing of stolen card material at scale.

Phishing & PII Trading

He has also commissioned phishing development, including a December 2024 request for a developer to build a credential phishing page targeting Twitter (x.com). In addition, he has openly discussed doxxing and Argentine national ID (DNI) acquisition, including a January 2023 post stating “era doxxearlo a el y obtuve el dni del viejo tmb ekisde”, referring to obtaining the DNI of a doxxing target’s father, as well as requests for DNI templates and Argentine documentation across multiple channels.

Behavioral Indicators

Several behavioral indicators reinforce the geographic attribution that becomes central in later sections of this report. His language use is predominantly Spanish with Argentinian slang, his peak posting activity aligns with the UTC-3 timezone, and his community involvement is heavily concentrated in Argentina-focused groups. He also refers to himself in chats as “soy law”, consistent with the Lawxsz alias used across his other platforms.
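The UTC-3 cadence indicator can be checked mechanically. The following Python is an added example, not tooling from the report: it infers a poster's UTC offset from UTC post timestamps by locating the longest daily inactivity gap and assuming (an analyst heuristic, not a fact from the page) that the gap is centred on about 04:00 local time. The timestamps are constructed sample data, not Lawxsz's actual posts.

```python
"""Infer a poster's likely UTC offset from post timestamps (added example)."""
from datetime import datetime, timedelta, timezone
import random

# Analyst heuristic, not a fact from the report: the quietest part of the
# daily cycle is assumed to be centred on 04:00 local time.
SLEEP_CENTER = 4.0


def hour_histogram(timestamps):
    """Count posts per UTC hour-of-day from ISO-8601 timestamp strings."""
    counts = [0] * 24
    for ts in timestamps:
        dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        counts[dt.astimezone(timezone.utc).hour] += 1
    return counts


def longest_quiet_run(counts, threshold):
    """Longest circular run of hours with count <= threshold: (start_hour, length)."""
    best = (0, 0)
    for start in range(24):
        length = 0
        while length < 24 and counts[(start + length) % 24] <= threshold:
            length += 1
        if length > best[1]:
            best = (start, length)
    return best


def infer_utc_offset(timestamps, quiet_fraction=0.05):
    """Return the integer UTC offset (-12..11) that best explains the cadence, or None."""
    if not timestamps:
        return None
    counts = hour_histogram(timestamps)
    threshold = max(counts) * quiet_fraction      # tolerate a few stray night posts
    start, length = longest_quiet_run(counts, threshold)
    if length == 0 or length == 24:
        return None  # no daily inactivity gap to anchor on
    gap_mid = (start + (length - 1) / 2) % 24     # UTC hour at the gap centre
    offset = SLEEP_CENTER - gap_mid               # local = UTC + offset
    return int(round(((offset + 12) % 24) - 12))  # wrap into -12..11


def constructed_posts(n=400, true_offset=-3, seed=1):
    """Constructed sample data: an actor posting 09:00-23:59 local at true_offset."""
    rng = random.Random(seed)
    base = datetime(2024, 7, 1, tzinfo=timezone.utc)
    out = []
    for _ in range(n):
        local_hour = rng.randint(9, 23)
        utc_hour = (local_hour - true_offset) % 24
        dt = base + timedelta(days=rng.randint(0, 90), hours=utc_hour,
                              minutes=rng.randint(0, 59))
        out.append(dt.isoformat().replace("+00:00", "Z"))
    return out


if __name__ == "__main__":
    posts = constructed_posts()
    print("posts per UTC hour:", hour_histogram(posts))
    print("inferred offset: UTC%+d" % infer_utc_offset(posts))
```

A bimodal or round-the-clock posting pattern leaves no single gap, so the function returns None rather than guessing; treat the result as one corroborating indicator, as the report does, not as proof.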

Identification of Associated Mobile Number

Lawxsz maintains an active Telegram account. Our cyber crime investigation service has the capability to retrieve the phone number linked to a given Telegram account.

Phone Number Structure & Geographic Context

Phone numbers in Argentina are not randomly generated. They follow the ITU-T E.164 international format (country code followed by the national number), and Argentina’s numbering plan embeds geographic information directly in the area code.

The area code 3751 maps specifically to Eldorado, Misiones, a city in northeastern Argentina near the borders with Paraguay and Brazil. This means the number was originally issued and registered by a telecom provider operating in that region. While this does not conclusively place the subject there at the time of investigation, it does indicate where the SIM was originally provisioned, which can be a meaningful data point in a broader attribution effort.

Mobile Dialing Format Duality

In Argentina, mobile numbers require a 9 inserted between the country code and the area code when dialing internationally. So the same mobile number can appear in two formats: +54 3751 XXXXXX and +54 9 3751 XXXXXX, both referring to the same subscriber. The extra 9 is not part of the actual subscriber number; it is simply a routing signal that tells the international telephone network the call is destined for a mobile line.

Not all OSINT platforms and Caller ID services are aware of this distinction or normalize for it. This means we effectively have two number variants to investigate separately, and querying only one may cause certain platforms to return no results or incomplete data.
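The following Python is an added example, not part of the DeXpose report: it normalizes an Argentine mobile number across the formats just described and emits every spelling a lookup should be queried with, so that a platform that indexes only one variant is not missed. It assumes a 10-digit national number (area code plus subscriber) and uses a constructed area-code table containing only the 3751 -> Eldorado mapping stated above.

```python
"""Normalize Argentine mobile numbers across dialing formats (added example)."""
import re

# Constructed sample table holding only the mapping the report states.
# A real tool would load the complete Argentine numbering plan.
AREA_CODES = {
    "3751": "Eldorado, Misiones",
}


def _split_area(national):
    """Split a 10-digit national number into (area_code, subscriber)."""
    for width in (2, 3, 4):          # Argentine area codes are 2 to 4 digits
        if national[:width] in AREA_CODES:
            return national[:width], national[width:]
    raise ValueError(f"area code of {national} not in table")


def parse_ar_mobile(raw):
    """Accept +54 9 AAAA NNNNNN, +54 AAAA NNNNNN or 0AAAA 15 NNNNNN and
    return the canonical (area_code, subscriber) pair."""
    d = re.sub(r"\D", "", raw)
    if d.startswith("54"):           # country code (no area code begins with 5)
        d = d[2:]
        if d.startswith("9"):        # international mobile marker, not part of the number
            d = d[1:]
    elif d.startswith("0"):          # domestic trunk prefix
        d = d[1:]
    if len(d) == 12:                 # domestic mobile form carries "15" after the area code
        for width in (2, 3, 4):
            if d[:width] in AREA_CODES and d[width:width + 2] == "15":
                d = d[:width] + d[width + 2:]
                break
    if len(d) != 10:
        raise ValueError(f"not a 10-digit Argentine national number: {raw!r}")
    return _split_area(d)


def lookup_variants(raw):
    """Every spelling of one subscriber that OSINT and Caller ID services may index."""
    area, sub = parse_ar_mobile(raw)
    return {
        "region": AREA_CODES[area],
        "e164_fixed_style": f"+54{area}{sub}",
        "e164_mobile_style": f"+549{area}{sub}",
        "display_fixed_style": f"+54 {area} {sub}",
        "display_mobile_style": f"+54 9 {area} {sub}",
        "domestic_mobile": f"0{area} 15 {sub}",
    }


def same_subscriber(a, b):
    """True when two differently formatted numbers denote the same line."""
    return parse_ar_mobile(a) == parse_ar_mobile(b)


if __name__ == "__main__":
    # Constructed subscriber digits; not the number from the report.
    for form, value in lookup_variants("+54 9 3751 123456").items():
        print(f"{form:>20}: {value}")
```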

Phone number OSINT produced several leads worth noting. The number in the international mobile format (+54 9 3751 XXXXXX) returned the full display name Luquii Aire via Caller ID services, while the standard format (+54 3751 XXXXXX) returned a partial name beginning with lu… via the 360Life service.

Luquii Aire does not represent a legal name; it is more consistent with a nickname or alias. Nonetheless, it serves as a useful starting anchor, particularly for cross-referencing against other data sources such as forum handles, usernames, or social media profiles. The phone number lookup also returned an associated Twitter account, which would prove to be an important lead later in the investigation.

Compromised Underground Forum Records

Lawxsz maintained an active presence across multiple underground forums, including DarkForums, BreachForums, Cracked.sh, DemonForums, Hackforums and others. The primary usernames used across these platforms were Lawxsz and Prysmaxadmin, the accounts he used to advertise his stealer and related services, though additional aliases exist.

His forum registration history is relevant to the breach timeline:

  • BreachForums: registered July 2, 2024
  • DarkForums: registered July 6, 2024

Both forums suffered data breaches that postdate his registration, meaning his records were included in the leaked datasets.

BreachForums Breach

BreachForums was breached on three separate occasions: November 2022, August 2025, and March 2026. The leaked records across these incidents included:

  • Email address
  • Username
  • Password (hashed)
  • IP address
  • Activity timestamps: lastactive, lastvisit, lastpost, regdate

Querying his known usernames against these datasets returned actionable results:

  • Email: lawst2007@gmail.com
  • IP Address: 187.102.2.1 (Argentinian IP)

Breached.vc (Old BreachForums) Records

Lawxsz was also present on the predecessor platform Breached.vc, operating under the username Martinkwa but using the same email address.

The Breached.vc breach records revealed two additional Argentinian IP addresses:

  • 190.231.9.5
  • 190.138.4.5

The presence of multiple Argentinian IPs across independent breach records, combined with the phone number registration traced to Eldorado, Misiones, and the observed activity pattern consistent with the UTC-3 timezone, significantly reinforces the geographic attribution.

DarkForums Breach

DarkForums was also breached, with leaked data containing usernames and IP addresses. However, the IP addresses extracted from DarkForums records were associated with VPN services, yielding no direct geographic value.

Infrastructure Pivoting & Alias Expansion

Before moving forward with unmasking Lawxsz, we observed something worth noting on valkyr[.]cx, the website Lawxsz uses to advertise his new stealer, Valkyrie. The site serves as the primary public-facing storefront for the malware, presenting features, pricing, and contact information in a format typical of commoditized malware-as-a-service operations, rather than relying solely on forum posts or Telegram channels.

Analyzing valkyr[.]cx further, we identified a subdomain at market.valkyr[.]cx/register. Attempting to create an account on the registration page returned the message: “Registration is currently closed. For inquiries, contact @thesystemowner on Telegram.”

The @thesystemowner Telegram channel turned out to be empty, with no posts; however, its bio contained a link to the GitHub account github.com/thesystemowner. This is notable given that Lawxsz’s original GitHub account had been banned.

GitHub Account Analysis

The account hosts 3 public repositories spanning game memory analysis, sandbox evasion research, and network stress-testing tooling. It has no public bio, minimal engagement, and a low follower count.

GitHub repositories:

  • cs2-easy-dump: A Python-based external memory dumper for Counter-Strike 2, extracting game offsets, schemas, and interfaces from a live process without code injection.
  • anti-sandbox: A README-only reference repository documenting VM and sandbox detection techniques including hardware fingerprinting, hypervisor artifact checks, and user-presence validation, content typical of sandbox-aware malware research.
  • titan-flood-l4-l7: A network flooding toolkit covering both Layer 4 (TCP SYN, UDP) and Layer 7 (HTTP/2, Cloudflare bypass, WebSocket, QUIC), written in Python, JavaScript, C, and Rust.

We think Lawxsz was building and storing tools privately, because even when we reached out to him to ask about the new GitHub account, he said he had not made a new one (until now).

A deep analysis of the github.com/thesystemowner account and its repositories revealed two additional identifiers linked to Lawxsz. Git repositories are a particularly valuable attribution source for OPSEC (Operational Security) failures, and this case was no exception. The analysis surfaced the following identifiers:

  • Email: thesystemowner@proton.me
  • Username: Lukixploit

Cross-referencing thesystemowner@proton.me against known breach datasets returned a match in the BreachForums breach, where it appeared under the username thesystemowner.

This directly links the GitHub identity to a BreachForums account, adding another alias to the cluster already associated with Lawxsz, which now stands at: Lawxsz, Prysmaxadmin, Martinkwa, thesystemowner, and Lukixploit.

Lukixploit YouTube Channel

After conducting an OSINT search, we identified a YouTube channel using the same username, LukiXploit, and a profile picture similar to the associated GitHub account.

The channel is a Spanish-language YouTube channel focused on cybersecurity, reverse engineering, and low-level programming. LukiXploit publishes technical walkthroughs that break down complex security mechanisms, binary analysis techniques, and code protection strategies, which is consistent with the technical profile of Lawxsz as a malware developer.

Discord Server & Identity Convergence

The YouTube channel bio contained a Discord server invite link. Following the link revealed that the invite was created by a user named Luki (lawxsex), who is also the owner of the Discord server.

Two details stand out immediately. The username lawxsex is a near-exact variation of Lawxsz, which further supports the attribution. Additionally, the profile picture displayed on this account contains the text thesystemowner.net, directly referencing the domain associated with the thesystemowner@proton.me email identified in the GitHub Account Analysis section.

thesystemowner Discord Account

Within the same Discord server, an additional account was identified with the display name thesystemowner and username thesystemowners.

Notably, this account uses the same profile picture associated with Lawxsz’s account on Hackforums, further reinforcing that both accounts belong to the same individual.

Identified TikTok Account

Starting from the email lawst2007@gmail.com recovered from the breach data, we used TikTok’s password reset flow as an enumeration primitive, submitting the email through the forgot password endpoint and observing the differential server response, which confirmed the email is registered on the platform. The response payload itself revealed the account’s public handle, with the root_referer field containing https://www.tiktok.com/@luqoc, surfacing the username directly from the network traffic without any additional steps.

This led us to the TikTok account @luqo██c, operating under the display name luquii, consistent with the Luquii Aire identity returned by the Caller ID services in the phone number OSINT phase.

TikTok Profile Picture [Redacted]:

At this stage of the investigation, we had confirmed the TikTok account @luqo██c under the display name luquii, along with the profile picture associated with it. However, we still lacked critical attribution data, including his real name and other social media presence. The next phase of the investigation focused on bridging that gap.

Real Identity Attribution

Since law███st2007@gmail.com contains a relatively unique username pattern, we conducted an OSINT search on the username portion lawst2007 itself. This surfaced a Pinterest account registered under the same username and associated with the name Lucas Sa██bria.

This gives us a probable real name candidate, Lucas Sa██bria, but on its own a username match on a single platform is not sufficient evidence to attribute a threat actor with confidence. Additional corroboration was required before treating this as a confirmed lead.

Recalling the earlier phone number OSINT phase, the Twitter account surfaced through the phone number lookup was registered with a partially redacted email in the format sa*************@g****.***.

With the candidate real name now in hand, the redacted fragments begin to make sense:

  • The leading “sa” likely corresponds to the surname Sa██bria
  • A personal email is highly likely to contain his first name Lucas
  • The “g” in the domain is consistent with gmail.com

Based on this hypothesis, we constructed a targeted query to search breach datasets for any email matching this likely pattern:

sa██bria*lucas*@gmail.com

The search returned 11 email addresses matching the pattern. After reviewing the associated breach records for each candidate, one address stood out due to its presence on platforms such as Altenen and Cracked.to under the alias Lucas555, along with the Argentinian IP address linked to its records.

Altenen is a long-running darknet carding forum, historically one of the most established platforms in the underground for trading stolen credit card data, BINs, fullz, and related financial fraud tooling.

Cracked.to is a hacking and account-cracking forum where members trade compromised accounts, cracking tools, configurations, and related criminal services.

Both platforms align directly with Lawxsz’s established activity profile, and the associated Argentinian IP address further corroborates the geographic attribution, making this a strong contextual confirmation that this is his personal email rather than a coincidental match.

A lookup of this email across malware logs, breach datasets, combolists, and ULPs (URL:login:password lists) returned multiple hits, but the most notable finding was a plaintext password associated with the email: Lawoficial123!

The significance of this password goes beyond the credential itself. Lawxsz consistently referred to himself as “law” across his Telegram activity, a self-identifier that appears repeatedly throughout his chats. The password Lawoficial123! contains that exact self-reference, making it highly unlikely to be a coincidence.

An OSINT search on this email revealed registrations across multiple platforms, but the most significant finding was a second TikTok account registered under the name Lucas. The account’s profile picture matches the one associated with the previously identified TikTok account @luqo██c, confirming this is a second account operated by the same individual.

The connection to Lawxsz is further reinforced by the account’s bio, which contains a direct link to the LukiXploit YouTube channel identified earlier in the investigation. The account also reposts clips from LukiXploit’s YouTube videos, effectively functioning as a secondary promotional account for the same content. This creates a direct bridge between the newly discovered email, the Lucas Sa██bria identity, and the LukiXploit alias already firmly established within the Lawxsz cluster.

The OSINT search also returned a LinkedIn account associated with the same email.

Additionally, the search surfaced his Google account ID, which is linked to a Google Maps profile. The account contains a single review, left for a gym located in Eldorado, Misiones Province, Argentina.

This is the exact same location derived from the area code of his Telegram-linked phone number earlier in the investigation.

Lawxsz Profile

The following table summarizes the confirmed and attributed personal information and aliases associated with Lawxsz, consolidated from all investigative steps documented in this report.

| Attribute | Value |
|---|---|
| Real Name | Lucas Sa██bria |
| Location | Eldorado, Misiones Province, Argentina |
| Timezone | UTC-3 |
| Language | Spanish (Argentinian dialect) |
| Telegram ID | 1468758771 |
| Phone Number | +54 3751 3███13 |
| Email (Forum) | law███st2007@gmail.com |
| Email (Personal) | sa██brialucas█@gmail.com |
| Email (ProtonMail) | thesystemowner@proton.me |
| TikTok Account | @luqo██c, @lucas.████ |
| LinkedIn | https://www.linkedin.com/in/lucas-sa██bria-███159███/ |
| Aliases | Lawxsz, Prysmaxadmin, Martinkwa, thesystemowner, thesystemowners, Lukixploit, lawxsex, luquii, Lucas555 |

Conclusion

This investigation demonstrates how multi-vector OSINT, combined with breach data correlation, infrastructure pivoting, and platform-specific enumeration techniques, can systematically unmask even moderately OPSEC-aware threat actors operating in the malware-as-a-service ecosystem.

Lawxsz maintained a deliberately fragmented identity, distributing his presence across multiple aliases on Telegram, underground forums, GitHub, YouTube, Discord, and TikTok. At first glance, each identity appeared self-contained and unconnected from the others. However, recurring operational security failures, the reuse of email addresses across platforms, the consistent use of nicknames derived from his real name, the embedding of attribution-relevant content in profile pictures and bios, and the carry-over of identifiers between his banned and replacement accounts, provided enough corroborating overlap to collapse the alias cluster into a single confirmed individual.

The geographic attribution proved particularly robust, with five independent vectors (Telegram-linked phone number, Argentinian IP addresses across separate forum breaches, UTC-3 activity pattern, Argentinian-Spanish dialect, and participation in Argentina-focused groups) all converging on the same conclusion. The final attribution to Lucas Sa██bria rests on multiple corroborating evidence streams rather than any single source.

All unredacted findings, including the complete identifiers, IP addresses, financial indicators, and supporting evidence, have been transferred to the appropriate law enforcement authorities for further action.

DeXpose Cybercrime Investigation Graph [image]

Editorial Note

Threat actor attribution is built on fragments: reused emails, overlapping aliases, timestamps, infrastructure patterns, and OPSEC failures that only connect when viewed together. What looks like a separate identity can turn out to be the same person, and what looks like a clear link can sometimes be coincidence.
This investigation required careful multi-vector correlation rather than assumptions. It also reflects what Dexpose is built to do, combining dark web monitoring, breach data correlation, Telegram intelligence, and infrastructure-level analysis to surface connections that would otherwise stay buried across disconnected platforms.
All unredacted findings, including full identifiers, IP addresses, and supporting evidence, have been shared with the appropriate law enforcement authorities.
For access to the unredacted version of this report, contact us at info@dexpose.io
