Regular Internet users and businesses aren't the only victims of malicious hackers. In some cases, hackers themselves may be hacked.
That's what happened in an unusual hacking campaign in which an unknown group of hackers targeted systems that had already been compromised by a prolific cybercrime group known as TeamPCP. Once the hackers got into those systems, they quickly kicked out the TeamPCP hackers and removed their tools, according to a new report from cybersecurity firm SentinelOne.
From there, the hackers use their access to deploy code designed to replicate across different cloud infrastructures like a self-spreading worm, steal various types of credentials, and finally send the stolen data back to the hackers' infrastructure.
TeamPCP is a cybercrime group that has garnered headlines in recent weeks thanks to a series of high-profile hacks. These included a breach of the European Commission's cloud infrastructure and a major cyberattack on the widely used vulnerability scanner Trivy, which particularly affected companies that rely on Trivy, including LiteLLM and AI recruitment startup Mercor.
SentinelOne senior researcher Alex Delamotte, who discovered the new hacking campaign and dubbed it “PCPJack,” told TechCrunch that it's not clear who is behind it. At this point, Delamotte said, there are three theories: the hackers are disgruntled former TeamPCP members, members of a rival group, or third parties that “chose to model their attack tools directly on TeamPCP's previous campaigns,” many of which targeted cloud infrastructure.
“The services targeted by PCPJack are very similar to the TeamPCP campaign from December to January, prior to the alleged change in group membership in February and March,” Delamotte said.
Delamotte also pointed out that the hackers are not only targeting systems compromised by TeamPCP, but also scanning the internet for exposed services such as the virtual machine cloud platform Docker and MongoDB databases. However, SentinelOne said the group appears to be primarily focused on targeting TeamPCP.
According to the report, the hackers' own tools keep a tally of the hacked targets from which TeamPCP was successfully removed, sending that information back to the hackers' infrastructure.
The motive of the PCPJack hackers appears to be purely financial, as they focus on monetization and stealing credentials. The hackers do this by reselling or selling access to hacked systems as so-called initial access brokers (hackers who break into systems and then sell customers access to the hacked machines), or by directly extorting victims.
However, according to Delamotte, the hackers do not try to install software to mine cryptocurrencies on hacked systems, probably because that strategy requires more time to reap the rewards.
As part of the attack, the hackers are using a fake help desk website and domains that suggest they are phishing for password manager credentials, Delamotte said.

