A police officer reads out a search warrant at N.V.X’s residence. — Photo baochinhphu.vn
THANH HÓA — Police have dismantled a cross-border malware operation that infected thousands of computers worldwide, centred on a high school student accused of writing the code behind the scheme.
The network is believed to have targeted internet users across Europe, the Americas and parts of Asia.
Investigators say the alleged developer, identified as N.V.X, is a 12th-grade student in the northern province of Thanh Hóa who began teaching himself programming several years ago.
What started as basic experimentation with languages such as Python and C++ gradually shifted, they say, towards exploring how operating systems store and handle data. By 2024, investigators allege, he had developed malware capable of extracting information from web browsers, including login credentials and cookies, while evading basic security measures. That code was then supplied to others who handled its distribution.
According to police, the student connected with several individuals through Telegram who helped scale up the operation. One of them, Lê Thành Công, 28, is accused of commissioning malware designed to collect sensitive browser data, particularly Facebook login details that could later be sold.
Stolen information from infected computers was automatically funnelled into Telegram-based systems set up by the group, allowing them to gather and manage data at scale. Investigators say N.V.X later worked with another contact, Phan Xuân Anh, 21, to develop more advanced versions of the malware, including a strain known as PXA Stealers.
Phan Xuân Anh in custody. — Photo baochinhphu.vn
Authorities say the malware not only harvested data but also allowed attackers to take control of victims’ computers. Under the arrangement, the student was to receive about 15 per cent of the profits generated from exploiting the stolen data.
The network expanded further in late 2024. Investigators say Phan Xuân Anh introduced N.V.X to another contact, Nguyễn Thành Trường, who is accused of commissioning a separate strain of malware for around US$500. Police say he agreed to pay the student a cut of between $50 and $100 each time stolen data was monetised. The malware was later used in the broader scheme.
To make the attacks more effective, the group is also accused of integrating remote-access software into the malware, enabling them to control infected devices from afar. Once installed, the programme ran quietly in the background, collecting passwords, autofill data, IP addresses and other sensitive information.
Police say the malware was spread mainly through phishing emails sent in bulk. The group allegedly used automated tools and lists of email addresses purchased on online data forums to send messages with attachments disguised as ordinary documents, such as PDFs. In reality, the files were executable programmes that installed the malware when opened.
Authorities estimate more than 94,000 computers worldwide were infected. The stolen data was then used to access social media accounts, especially Facebook profiles with advertising privileges. Investigators say these accounts were either used to run online sales campaigns for commission or sold on to third parties.
Police have charged 12 people in connection with the case under provisions covering the distribution of tools for illegal use and unauthorised access to computer systems.
The investigation is ongoing as authorities seek to establish the full extent of the operation and the roles of those involved. — VNS