When Cybercriminals Get Hacked: Inside the PCPJack Campaign That Targets TeamPCP
In the world of cybersecurity, the hunter sometimes becomes the hunted. A recent campaign, dubbed PCPJack, reveals a fascinating twist: hackers hack victims hacked by other hackers. Instead of targeting ordinary users or corporations, an unknown group is breaking into systems already compromised by the prolific cybercrime group SentinelOne calls TeamPCP. This approach is not just unusual—it signals a new layer of complexity in digital threats.
According to a detailed report from SentinelOne, the attackers behind PCPJack actively scan the internet for services that TeamPCP has infiltrated. Once inside, they waste no time. They kick out the original intruders, remove their tools, and deploy a self-spreading worm that replicates across cloud infrastructure. The stolen credentials—ranging from database logs to cloud platform keys—are then funneled back to the hackers’ own servers.
What Is the PCPJack Campaign?
The PCPJack campaign, identified by SentinelOne senior researcher Alex Delamotte, is a targeted operation that exploits the aftermath of earlier breaches. Delamotte told TechCrunch that the group’s motives appear purely financial. They steal credentials to resell them, act as initial access brokers—selling entry to compromised systems—or extort victims directly. Interestingly, they avoid cryptocurrency mining, likely because it requires sustained access and offers slower returns.
This campaign focuses heavily on TeamPCP, a group that has made headlines recently for breaching the European Commission’s cloud infrastructure and attacking the widely used vulnerability scanner Trivy. Those attacks affected companies like LiteLLM and AI recruiting startup Mercor. Now, the tables have turned.
How Do Hackers Hack Victims Hacked by Other Hackers?
The process is methodical. The PCPJack operators scan the internet for exposed services, such as the Docker platform or MongoDB databases, that TeamPCP has already compromised. Once they gain access, they immediately evict the original hackers. SentinelOne’s report notes that the attackers keep a tally of successful evictions, sending this data back to their command infrastructure.
Delamotte outlined three theories about the perpetrators. They could be disgruntled ex-members of TeamPCP, a rival cybercrime group, or a third party who modeled their tools on TeamPCP’s earlier campaigns. “The services targeted by PCPJack strongly resemble the December-January TeamPCP campaigns, before the alleged change in group membership that happened in February-March,” she explained.
Why This Matters for Cloud Security
This campaign underscores a growing trend: cybercriminals are not just competing for victims—they are actively sabotaging each other. For businesses relying on cloud infrastructure, this means the threat landscape is more volatile than ever. Even if your systems are not directly targeted by TeamPCP, they could become collateral damage in a turf war between hacking groups.
SentinelOne’s findings also reveal that PCPJack uses domains designed to phish for password manager credentials and fake help desk websites. This dual approach—technical exploitation and social engineering—makes the campaign particularly dangerous. Companies should review their incident response plans regularly and ensure that exposed services are locked down.
What Can Organizations Do to Protect Themselves?
First, prioritize patching and configuration management. Many of the vulnerabilities exploited by TeamPCP and PCPJack stem from misconfigured cloud services. Second, monitor for unusual activity, such as sudden changes in access logs or unexpected credential exfiltration. Third, educate employees about phishing attempts, especially those mimicking help desks or password managers.
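As an added example, not taken from SentinelOne's report or the article, the following Python script checks the two services the article names, the Docker daemon and MongoDB, for the misconfiguration that both TeamPCP and PCPJack depend on: a listener reachable on every interface with no authentication in front of it. The configuration texts are constructed samples, and the mongod.conf reader is an assumption that only handles the two-level "section: / key: value" layout shown; a real deployment should parse the file with a YAML library.

```python
"""Configuration audit for the exposure pattern behind the PCPJack/TeamPCP
intrusions: Docker API or MongoDB reachable without authentication.
Added example; the sample configurations below are constructed."""
import json

# Constructed: Docker daemon.json with a plaintext TCP API listener.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed: the same listener, but only for clients presenting a trusted cert.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Constructed: mongod.conf bound to all interfaces with no authorization section.
WEAK_MONGOD_CONF = """net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: mongod.conf restricted to localhost with authorization enabled.
HARDENED_MONGOD_CONF = """net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def audit_docker_daemon(daemon_json: str) -> list:
    """Flag tcp:// API listeners that do not require client certificates.
    'tlsverify' is the daemon.json key that enforces mutual TLS."""
    cfg = json.loads(daemon_json)
    findings = []
    client_verify = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://") and not client_verify:
            findings.append(f"docker: API listener {host} without tlsverify")
    return findings


def _mongod_settings(conf_text: str) -> dict:
    """Minimal reader for a two-level mongod.conf (assumption: no deeper
    nesting). Returns {'section.key': 'value'} for every indented line."""
    settings, section = {}, None
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.partition(":")
        if not raw.startswith((" ", "\t")):
            section = key.strip()  # top-level section such as net or security
            continue
        settings[f"{section}.{key.strip()}"] = value.strip()
    return settings


def audit_mongod_conf(conf_text: str) -> list:
    """Flag a mongod that listens on all interfaces without authorization."""
    s = _mongod_settings(conf_text)
    findings = []
    bind_ip = s.get("net.bindIp", "127.0.0.1")  # mongod's default is localhost only
    bind_all = s.get("net.bindIpAll", "false").lower() == "true"
    exposed = bind_all or any(
        ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(",")
    )
    auth_on = s.get("security.authorization", "disabled").lower() == "enabled"
    if exposed and not auth_on:
        findings.append("mongod: listens on all interfaces with authorization disabled")
    elif exposed:
        findings.append("mongod: listens on all interfaces; confirm network policy limits reach")
    return findings


def audit_host(daemon_json: str, mongod_conf: str) -> list:
    """Combine both checks so one call covers a host running both services."""
    return audit_docker_daemon(daemon_json) + audit_mongod_conf(mongod_conf)


if __name__ == "__main__":
    for label, dj, mc in (
        ("weak", WEAK_DAEMON_JSON, WEAK_MONGOD_CONF),
        ("hardened", HARDENED_DAEMON_JSON, HARDENED_MONGOD_CONF),
    ):
        print(label, audit_host(dj, mc) or ["no findings"])
```

Run against the real files (`/etc/docker/daemon.json`, `/etc/mongod.conf`) the script gives a quick first pass at the "exposed services" the article says both groups scan for; it complements, rather than replaces, the access-log monitoring the article also recommends.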
As Delamotte noted, the PCPJack hackers are not trying to mine crypto—they want quick cash through credential theft. This makes them unpredictable but also creates opportunities for defenders. By understanding their tactics, organizations can stay one step ahead.
In the end, the story of PCPJack is a stark reminder: in the digital underworld, no one is safe—not even the hackers themselves. As this campaign evolves, cybersecurity teams must remain vigilant, adapting to a landscape where victims and attackers constantly swap roles.