TikTok and Google: Unmasking Lawxsz: Attributing the Developer Behind Valkyrie and Prysmax Stealers

Argentinian Threat Actor Lawxsz Unmasked as Lucas Sa██bria in Multi-Year Cybercrime Investigation

A two-part investigation by cybersecurity researchers has attributed the prolific malware developer and cybercrime facilitator Lawxsz to Lucas Sa██bria, a 23-year-old resident of Eldorado, Misiones Province, Argentina. The findings, derived from multi-vector OSINT, breach data correlation, and infrastructure pivoting, reveal a fragmented but traceable network of aliases, underground forum activity, and malware operations spanning at least three years (2023–2026).

The Threat Actor’s Operations

Lawxsz (real name: Lucas Sa██bria) is the mastermind behind multiple stealers and remote access trojans (RATs), including:

  • Valkyrie Stealer (advertised in May 2026 as a "200kb undetectable loader" targeting passwords, cookies, and cryptocurrency wallets)
  • Prysmax Stealer
  • Packit Stealer

Beyond malware development, he operates as a cybercrime facilitator, trading:

  • Stolen credit card data and BINs (e.g., active sourcing of Stripe BINs in July 2024)
  • Large-scale credential aggregation tools (e.g., "Sherlock," a December 2023 tool with millions of records and 100+ APIs)
  • Argentine national ID (DNI) data and phishing kits (including a 2024 request for a Twitter/X credential harvester)
  • Fully undetectable (FUD) malware services, recruiting affiliates across BreachForums, DarkForums, Cracked.sh, HackForums, and high-risk Telegram channels

Attribution: How the Aliases Collapsed

Lawxsz maintained a deliberately fragmented identity across platforms, but OPSEC failures and breach data exposed his real-world identity. Key evidence included:

  1. Telegram & Phone Number

    • His Telegram account (ID: 1468758771) was linked to a mobile number (+54 3751 3███13) registered in Eldorado, Misiones, a city in northeastern Argentina.
    • Caller ID services returned the alias "Luquii Aire", later tied to his TikTok handle (@luqo██c).
  2. Underground Forum Breaches

    • BreachForums (breached in 2025–2026) revealed his email (law███st2007@gmail.com) and Argentinian IPs (187.102.2██.1██, 190.231.██9.██5).
    • Breached.vc records showed the same email under the alias Martinkwa.
  3. GitHub & Infrastructure Pivoting

    • After his original GitHub account was banned, he created github.com/thesystemowner, exposing:
      • Email: thesystemowner@proton.me
      • Username: Lukixploit (also used on a Spanish-language YouTube channel covering malware development)
    • A Discord server linked to the YouTube channel revealed the alias lawxsex, reinforcing the connection.
  4. Social Media & Real-Name Confirmation

    • A Pinterest account under the username law███st2007 listed the name Lucas Sa██bria.
    • A Google Maps review tied to his personal email (sa██brialucas█@gmail.com) referenced a gym in Eldorado, matching the phone number’s area code.
    • A TikTok account (@lucas.████) reposted content from his LukiXploit YouTube channel, confirming the link.
  5. Behavioral & Linguistic Patterns

    • Argentinian Spanish dialect and UTC-3 posting cadence (consistent with Argentina’s timezone).
    • Repeated self-references as "law" (e.g., password: Lawoficial123!).

Confirmed Aliases & Identifiers

Attribute | Value
Real Name | Lucas Sa██bria
Location | Eldorado, Misiones, Argentina
Telegram ID | 1468758771
Phone Number | +54 3751 3███13
Emails | law███st2007@gmail.com, sa██brialucas█@gmail.com, thesystemowner@proton.me
Aliases | Lawxsz, Prysmaxadmin, Martinkwa, thesystemowner, Lukixploit, lawxsex, luquii, Lucas555

Impact & Law Enforcement Involvement

The investigation demonstrates how even moderately OPSEC-aware threat actors can be unmasked through breach data, infrastructure analysis, and cross-platform correlation. All unredacted findings, including IP addresses, financial indicators, and full identifiers, have been shared with law enforcement for further action.

Lawxsz’s operations highlight the growing commoditization of malware-as-a-service (MaaS), where threat actors not only develop tools but also broker stolen data, phishing kits, and credential aggregation services at scale. His case underscores the global reach of cybercrime, with an Argentinian operator serving clients across underground forums and Telegram channels.

Source: https://www.dexpose.io/unmasking-lawxsz-attributing-the-developer-behind-valkyrie-and-prysmax-stealers/

TikTok TPRM report: https://www.rankiteo.com/company/tiktok

Google TPRM report: https://www.rankiteo.com/company/google

"id": "tikgoo1779668765",
"linkid": "tiktok, google",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"