Me and OP have exchanged a couple of emails and are trying to smooth this out, while also trying to get the actual attacker, I think there will be an update from OP later on

So I have spent half my day now trying to catch up all these posts I've resorted to just copy pasting a response. i have my deepest sympathy for this guy and I'm trying to help out the best i can. my response is as follows:

So this was an interesting morning checking my mails to find all of this. I'd read just about as much as I could find on the matter and would like everyone to take a second to read this.

I'm not the guy, this is a case of a little misunderstood information leading everyone in the wrong direction.

The user has been infected with a Remote Admin Tool, a legal bit of software that has been used for malicious purposes so the attacker has been able to access the crypto funds.

The person who analysed the malware has seen a call to one of my domains, this is correct I was hosting some files for the developer of the remote admin tool (see more below). This has been incorrectly described as the "attack server" Today I have removed those files in order to slow down the attacker, though all he needs to to is upload a copy somewhere else. The files themselves are pertain to password recovery and are again totally legal.

The person who analysed the malware has seen a call to bnaf12[dot]no-ip[dot]biz This is the control server of the attacker. He is using a dynamic DNS service so he can change the location of his control server quickly. The last update to that domain points to an IP in Palestine.
OP mentions is places he has seen me "bragging" about the hack. This is not true and again misunderstood information. I have a keen interest in network security and a part of my job is ensuring servers a secure. Following the rule of keep your enemies closer I crafted a few identities that hang around the blackhat world in order to keep my finger on the pulse. The "bragging" in question is all smoke used to gain trust in these communities, I'll also mention that none of my identities concern themselves with financial fraud and there is no "bragging" anywhere close that subject matter. Simply a few posts claiming my user has "got a load of installs"

Some of you may wonder why I was hosting the files in the first place, this is simple. The developer was looking for a place to host them and asked if I would do it. I saw this as a great way to get an insight in how popular the tool was and collect some usage data. No information from an infected machine would be sent to me this all goes to the control server configured by the admin using the tool (or the attacker when used for malicious purposes)

The OP has contacted me via email and as of now I am awaiting his reply. I've offered to help him in any way I can to get his funds recovered.

So I have spent half my day now trying to catch up all these posts I've resorted to just copy pasting a response. i have my deepest sympathy for this guy and I'm trying to help out the best i can. my response is as follows:

So this was an interesting morning checking my mails to find all of this. I'd read just about as much as I could find on the matter and would like everyone to take a second to read this.

I'm not the guy, this is a case of a little misunderstood information leading everyone in the wrong direction.

The user has been infected with a Remote Admin Tool, a legal bit of software that has been used for malicious purposes so the attacker has been able to access the crypto funds.

The person who analysed the malware has seen a call to one of my domains, this is correct I was hosting some files for the developer of the remote admin tool (see more below). This has been incorrectly described as the "attack server" Today I have removed those files in order to slow down the attacker, though all he needs to to is upload a copy somewhere else. The files themselves are pertain to password recovery and are again totally legal.

The person who analysed the malware has seen a call to bnaf12[dot]no-ip[dot]biz This is the control server of the attacker. He is using a dynamic DNS service so he can change the location of his control server quickly. The last update to that domain points to an IP in Palestine.
OP mentions is places he has seen me "bragging" about the hack. This is not true and again misunderstood information. I have a keen interest in network security and a part of my job is ensuring servers a secure. Following the rule of keep your enemies closer I crafted a few identities that hang around the blackhat world in order to keep my finger on the pulse. The "bragging" in question is all smoke used to gain trust in these communities, I'll also mention that none of my identities concern themselves with financial fraud and there is no "bragging" anywhere close that subject matter. Simply a few posts claiming my user has "got a load of installs"

Some of you may wonder why I was hosting the files in the first place, this is simple. The developer was looking for a place to host them and asked if I would do it. I saw this as a great way to get an insight in how popular the tool was and collect some usage data. No information from an infected machine would be sent to me this all goes to the control server configured by the admin using the tool (or the attacker when used for malicious purposes)

The OP has contacted me via email and as of now I am awaiting his reply. I've offered to help him in any way I can to get his funds recovered.

So I have spent half my day now trying to catch up all these posts I've resorted to just copy pasting a response. i have my deepest sympathy for this guy and I'm trying to help out the best i can. my response is as follows:

So this was an interesting morning checking my mails to find all of this. I'd read just about as much as I could find on the matter and would like everyone to take a second to read this.

I'm not the guy, this is a case of a little misunderstood information leading everyone in the wrong direction.

The user has been infected with a Remote Admin Tool, a legal bit of software that has been used for malicious purposes so the attacker has been able to access the crypto funds.

The person who analysed the malware has seen a call to one of my domains, this is correct I was hosting some files for the developer of the remote admin tool (see more below). This has been incorrectly described as the "attack server" Today I have removed those files in order to slow down the attacker, though all he needs to to is upload a copy somewhere else. The files themselves are pertain to password recovery and are again totally legal.

The person who analysed the malware has seen a call to bnaf12[dot]no-ip[dot]biz This is the control server of the attacker. He is using a dynamic DNS service so he can change the location of his control server quickly. The last update to that domain points to an IP in Palestine.
OP mentions is places he has seen me "bragging" about the hack. This is not true and again misunderstood information. I have a keen interest in network security and a part of my job is ensuring servers a secure. Following the rule of keep your enemies closer I crafted a few identities that hang around the blackhat world in order to keep my finger on the pulse. The "bragging" in question is all smoke used to gain trust in these communities, I'll also mention that none of my identities concern themselves with financial fraud and there is no "bragging" anywhere close that subject matter. Simply a few posts claiming my user has "got a load of installs"

Some of you may wonder why I was hosting the files in the first place, this is simple. The developer was looking for a place to host them and asked if I would do it. I saw this as a great way to get an insight in how popular the tool was and collect some usage data. No information from an infected machine would be sent to me this all goes to the control server configured by the admin using the tool (or the attacker when used for malicious purposes)

The OP has contacted me via email and as of now I am awaiting his reply. I've offered to help him in any way I can to get his funds recovered.

I have the name ine*rious on Instgram  (drop me a PM if you don't know the word)

Looking for some offers if anyone would like it, happy to use an escrow such as bithra

Cheers