By Le Hoang  March 27, 2026 | 07:03 pm PT
Investigators in Thanh Hoa Province, central Vietnam, take a statement from suspect Nguyen (R), a high school student who allegedly created malware that infected 94,000 computers worldwide. Photo by VnExpress/Lam Son
International cybersecurity firms had been tracking a sophisticated malware strain called PXA Stealers for months, tracing it to a Vietnamese-speaking developer whose Telegram handle “Lone None” was hardcoded into the program.
What they did not know was that the person behind it was a high school student.
Thanh Hoa provincial police announced this week the indictment of 12 suspects in a global malware distribution ring that infected more than 94,000 computers across Europe, the Americas and Asia. Among those charged is a 12th-grader from Hac Thanh Ward, identified only by his surname Nguyen, whom investigators describe as the operation’s technical ringleader.
Nguyen’s path into cybercrime began around 2023, when he started teaching himself Python and C++ as a 10th-grader.
His study of operating system architecture and data storage helped him quickly advance beyond basic programming.
By 2024, he had built source code capable of extracting login cookies, saved browser passwords, autofill data and other sensitive information while bypassing basic operating system defenses.
In July 2024, he connected via Telegram with Le Thanh Cong, 28, of Ha Tinh Province, who commissioned him to develop malware for large-scale distribution. The files were disguised as compressed archives and spread via email and online platforms. When victims opened them, the malware installed silently and began harvesting data, which was automatically routed to Telegram bots controlled by the group.
Cong later introduced Nguyen to Phan Xuan Anh, 21, of Nghe An Province. Anh proposed building a new strain with expanded capabilities, and Nguyen became the lead developer of what they named PXA Stealers. Under their arrangement, Nguyen handled all programming, updates and upgrades while the rest of the group managed distribution and data exploitation. He received 15% of all profits from the stolen data.
The group integrated remote-access tools into the malware, allowing them to control infected computers through virtual private servers. In late 2024, Nguyen took on another commission from a person police identified as Nguyen Thanh Truong, who used the Telegram alias “Adonis.” Truong paid $500 for a new malware variant bearing his alias, and Nguyen earned additional payments of 50 to 100 USDT each time the group profited from data stolen using it.
The ring spread malware primarily through mass email campaigns, disguising executable files as PDFs or ordinary documents. The group also purchased email lists from online forums and used automated tools for bulk distribution. Stolen data was routed to Telegram channels for sorting and exploitation.
After seizing control of devices, the group focused on hijacking Facebook accounts with advertising capabilities. These were used to run illicit online advertisements or resold to third parties.
Investigators estimate the ring’s illicit profits at tens of billions of dong (VND10 billion equals $380,000).
Nguyen and 11 others have been charged under Article 285 of the Criminal Code, covering the production and distribution of tools for illegal purposes, and Article 289, covering illegal access to computer networks or electronic devices.
The case connects a local police bust to a malware campaign that had drawn scrutiny from some of the world’s leading cybersecurity research teams.
Cisco Talos first documented PXA Stealer in November 2024, identifying it as a Python-based information stealer targeting government and education entities in Europe and Asia. By mid-2025, a joint investigation by SentinelOne and Beazley Security had tracked PXA Stealer campaigns across 62 countries, with more than 200,000 stolen credentials and over four million harvested browser cookies.
*The student’s name has been changed.
