New research has revealed the creator of the commercially available 16Shop phishing kit is double dipping and is surreptitiously capturing the information stolen by his customers.

Akamai said the alleged developer, an Indonesian they believe goes by handle Riswanda, has no qualms about taking advantage of the criminals who license his phishing kit and has installed a backdoor that makes a copy of the data being stolen and then storing it on Telegram, said Akamai researcher Amiram Cohen.

The backdoor was discovered while researchers sifted through the malware’s code and came across this snippet extract(valid($valid($image($data,5126))));, which were hidden in an American Express image using steganography. This level of obfuscation leads Cohen to believe that those using this kit are they themselves being ripped off.

“The highly obfuscated code collects information for all of the forms visited by the victim, and no matter what storage and delivery options are selected by the 16Shop operator, the victim’s data is siphoned off and sent to the Telegram bot via API calls,” Cohen reported.

The phishing kit itself is described by Cohen as “highly sophisticated” capable of altering its layout and presentation for mobile and desktop victims and supports 10 languages. And while Riswanda has no problems stealing from his customers, he makes sure they cannot copy his malware by installing code protections stop it from operating if the license is invalidated.