TRC Blog

Cyberattack on the TRC Website and LinkedIn Page

Written by Brian Lockwood | May 28, 2025 2:10:01 PM

I recently posted on LinkedIn about my personal experience with a cyberattack, sharing only a brief summary at the time. However, I believe it’s important to go into more detail now—especially since it appears that the same attack may have affected the TRC website and LinkedIn page.

Timeline of Events

Back in December, about a week before Christmas, I was traveling in Northern Sri Lanka when I received an urgent email from Wolfgang. He informed me that LinkedIn had flagged the TRC website as “malicious.” It didn’t make sense—how could our site be seen that way?

Our team investigated immediately and discovered that malicious files had been embedded in the website. These were triggering LinkedIn’s security alerts. Wolfgang and his team got to work and managed to clean up the site.

Just a few days later, I attempted to upgrade my personal LinkedIn account to Premium. I logged in from my MacBook, but the payment failed with an error related to third-party transactions. I thought it was odd. Then came another urgent message from Wolfgang: all our posts and followers on the TRC LinkedIn page had vanished.

That’s when I got a sinking feeling. I told Wolfgang that I suspected my own device might be compromised and asked him to remove my admin access to all TRC-related platforms. That gave me space to focus on the bigger question—how was I being hacked?

Trying to Contain the Threat

From that point on, I dove deep into digital self-defense. I began repeatedly wiping my MacBook and reinstalling everything from scratch—a method that had worked in previous cyber incidents. But not this time. Even after factory resets and avoiding linking my Apple ID, the attackers somehow still found my machine.

Over the winter break, I essentially gave up using my MacBook and switched to my iPhone, which I kept in Lockdown Mode. I used airplane mode most of the time, only briefly enabling connectivity when absolutely necessary. I restarted the phone multiple times a day to interrupt any persistent connections.

Interestingly, I kept receiving system messages saying a device with Lockdown Mode disabled was linked to my Apple ID. That, I later realized, was likely a cloned device being used by the attackers.

Identifying the Root Cause

With my MacBook sidelined, I had time to reflect on what might be common across all my setups. One thing stood out—I consistently used the 1Password browser extension. I suspected it might be the point of entry, but when I tested this theory after returning to school, the compromise still occurred.

In a team meeting, I raised the question of whether one of our custom Chrome extensions might be vulnerable. I also shared that the only time my MacBook seemed stable was when I avoided Chrome and used the Brave browser instead. Someone on the team suggested that my Google Sync data might be storing something malicious.

That was a breakthrough. I turned to ChatGPT for a second opinion, and it pointed me toward a possible culprit: a Remote Access Trojan (RAT)—a type of malware designed to steal browser session cookies and silently access accounts.

Securing My Digital Life

Realizing this, I took the most decisive step: securing all my critical accounts, clearing the data in Chrome for all accounts, and starting to use hardware-based encryption keys. Since then, I’ve had no further issues.

Final Thoughts

This experience has shown me just how sophisticated and persistent modern cyber threats can be. It also reinforced the importance of avoiding premature conclusions—especially when clear evidence is lacking. I’ll be sharing more insights and lessons learned in upcoming posts, including my thoughts on how the initial compromise may have occurred.