There is a certain dark irony in watching cybercriminals become the victims. But the story of PCPJack is less a morality tale and more a warning about how chaotic and layered the modern threat environment has become.
Here is what happened. An unknown group of attackers identified systems already compromised by TeamPCP, a prolific cybercrime gang behind some notable recent breaches including a hit on the European Commission’s cloud infrastructure and a supply chain attack on widely used vulnerability scanner Trivy. Rather than targeting fresh victims, the PCPJack group broke into TeamPCP’s already-hacked systems, evicted the original attackers, wiped their tools, and took over.
From there, they deployed self-spreading worm code across cloud infrastructure, harvested credentials at scale, and quietly sent everything back to their own servers.
Researchers at SentinelOne, who uncovered the campaign, are not yet certain who PCPJack is. The leading theories are disgruntled ex-TeamPCP insiders, a rival criminal group, or a third party that deliberately modelled their tools on TeamPCP’s own methods. What is clear is that the goals are financial: stolen credentials are resold, systems are flipped to initial access brokers, or victims are extorted directly.
Why This Matters for African Organisations
The instinct when reading a story like this is to treat it as a foreign problem. Two criminal gangs fighting over compromised servers somewhere on the internet. Not our concern.
That instinct is wrong.
TeamPCP’s campaigns have targeted exposed cloud services including Docker environments and MongoDB databases, exactly the kind of infrastructure that underpins modern African enterprise operations. The PCPJack group does the same, scanning the open internet for vulnerable systems regardless of where they sit.
If your organisation has internet-facing cloud services that are poorly configured or unmonitored, you are a potential target in this ecosystem, whether or not anyone has specifically chosen to come after you.
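The two exposure classes named above, a Docker daemon reachable over plain TCP and a MongoDB instance bound to every interface without authorization, are both visible in the service's own configuration file. The following audit script is an added example, not code from the article or from SentinelOne's research; it assumes the standard `/etc/docker/daemon.json` (JSON) and `mongod.conf` (YAML) formats, and the sample configurations it checks are constructed for illustration, one weak and one hardened of each.

```python
"""Flag the configuration patterns that leave Docker and MongoDB exposed.

Added example (not from the article). Checks two things a defender can verify
from disk before an attacker verifies them from the internet:
  * Docker daemon.json: a tcp:// listener without tlsverify (unauthenticated
    remote control of the container host).
  * mongod.conf: net.bindIp 0.0.0.0 / :: or bindIpAll without
    security.authorization: enabled (database readable by anyone who connects).
"""
import json


def parse_simple_yaml(text: str) -> dict:
    """Parse the YAML subset mongod.conf uses: nested 'key: value' maps with
    space indentation, no lists or multi-line scalars. Avoids a PyYAML dependency."""
    root: dict = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # climb back out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # a section header such as 'net:'
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def docker_findings(daemon_json: str) -> list[str]:
    """Report any tcp:// listener in daemon.json that lacks TLS client verification."""
    cfg = json.loads(daemon_json)
    tls_verified = cfg.get("tlsverify") is True and bool(cfg.get("tlscacert"))
    return [
        f"docker: API listener {host} without tlsverify (unauthenticated remote access)"
        for host in cfg.get("hosts", [])
        if host.startswith("tcp://") and not tls_verified
    ]


def mongo_findings(mongod_conf: str) -> list[str]:
    """Report a MongoDB bound to all interfaces, worst if authorization is off."""
    cfg = parse_simple_yaml(mongod_conf)
    net = cfg.get("net") if isinstance(cfg.get("net"), dict) else {}
    sec = cfg.get("security") if isinstance(cfg.get("security"), dict) else {}
    # MongoDB's own default is localhost only; exposure is always a configured choice.
    bind = [ip.strip() for ip in str(net.get("bindIp", "127.0.0.1")).split(",")]
    public = net.get("bindIpAll") == "true" or any(ip in ("0.0.0.0", "::") for ip in bind)
    auth_on = sec.get("authorization") == "enabled"
    if public and not auth_on:
        return ["mongodb: bound to all interfaces with security.authorization not enabled"]
    if public:
        return ["mongodb: bound to all interfaces; confirm firewall/network policy limits 27017"]
    return []


def audit(daemon_json: str, mongod_conf: str) -> list[str]:
    """Combined report for one host running both services."""
    return docker_findings(daemon_json) + mongo_findings(mongod_conf)


# Constructed sample configurations (not taken from any real system).
WEAK_DOCKER = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DOCKER = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
WEAK_MONGO = """net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from anywhere, no auth section at all
storage:
  dbPath: /var/lib/mongodb
"""
HARDENED_MONGO = """net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for label, d, m in (("weak", WEAK_DOCKER, WEAK_MONGO),
                        ("hardened", HARDENED_DOCKER, HARDENED_MONGO)):
        print(f"[{label}]", audit(d, m) or "no findings")
```

The hardened Docker sample still listens on TCP, but only with `tlsverify` and a CA certificate, so the daemon accepts commands solely from holders of a client certificate; the hardened MongoDB sample binds to loopback plus one internal address and turns on role-based authorization. Run against real `daemon.json` and `mongod.conf` files, the same two functions give a quick first pass over the configuration errors that put a host into the scan-and-take-over ecosystem the article describes.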
The Bigger Picture
What PCPJack really illustrates is that the cybercriminal ecosystem is not a monolith. It is fragmented, competitive, and increasingly predatory within its own ranks. That fragmentation does not make it less dangerous. It makes it less predictable.
Defenders cannot assume that a system compromised once is done. A second attacker may already be circling.
For African security teams, the lesson is straightforward: visibility across cloud environments, timely detection of anomalous behaviour, and credential hygiene are not optional improvements. They are the baseline for operating in a threat landscape that does not distinguish between continents.
The hackers are not waiting for anyone to be ready.