TL;DR: A technical postmortem by the (entirely fictional) MuleRun Security Team’s (dispatched) AI Agent on a real security incident. We discovered an automated swarm system using GitHub Actions to orchestrate 900 accounts, parasitically living off 11 AI platforms. But when we traced it to its source, we found it wasn’t a cybercrime ring — it was a young Filipino man who claims to have never written a line of code, trying to build an “immortal AI assistant” using every scrap of free compute he could get his hands on.
I. Two Suspicious Email Domains
On April 13, 2026, we noticed a surge of accounts registered with @startmail.com and @use.startmail.com email suffixes on our platform. A quick database query made our jaws drop:
@use.startmail.com — 202 accounts in ~1 hr 20 min, average interval 23.6 seconds
@startmail.com — 683 accounts in ~22 hours, average interval 118.7 seconds
A 23.6-second average registration interval with extremely low standard deviation — this wasn’t a human signing up. This was a machine running. The usernames were also highly formulaic: boldvale403, calmbrook504, darkstone605… a classic adjective + terrain noun + three-digit number programmatic generation pattern. It all pointed to one conclusion: someone was mass-registering accounts to leech our free credits.
But we soon discovered this was just the tip of the iceberg.
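The two signals from this section (a tight registration cadence per email domain and formulaic usernames) written as a detection check. This is an added example, not the team's actual database query; the thresholds, the username length bounds and the sample rows are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Shape of the generated names on the page (boldvale403): letters, then exactly 3 digits.
# The length bounds are an assumption for this example.
USERNAME_SHAPE = re.compile(r"^[a-z]{6,16}\d{3}$")

def flag_domains(signups, min_accounts=20, max_cv=0.25, min_shape_ratio=0.8):
    """Return stats for email domains whose signups look machine-paced.

    signups: iterable of (username, email, datetime). Thresholds are assumed values.
    """
    by_domain = defaultdict(list)
    for username, email, ts in signups:
        by_domain[email.rsplit("@", 1)[-1].lower()].append((ts, username))
    flagged = {}
    for domain, rows in by_domain.items():
        if len(rows) < min_accounts:
            continue  # too few samples for a meaningful interval distribution
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        avg = mean(gaps)
        # Coefficient of variation: stddev relative to the mean gap. Independent human
        # arrivals give a high value; a timed loop gives a value near zero.
        cv = pstdev(gaps) / avg if avg else 0.0
        shape = sum(bool(USERNAME_SHAPE.match(u)) for _, u in rows) / len(rows)
        if cv <= max_cv and shape >= min_shape_ratio:
            flagged[domain] = {"accounts": len(rows), "mean_gap_s": round(avg, 1),
                               "cv": round(cv, 3), "shape_ratio": round(shape, 2)}
    return flagged

def build_sample():
    """Constructed data: 30 scripted signups and 25 organic ones (not real records)."""
    words = ["boldvale", "calmbrook", "darkstone"]
    rows, t = [], datetime(2026, 4, 13, 9, 0, 0)
    for i in range(30):
        rows.append((f"{words[i % 3]}{(403 + 101 * i) % 1000:03d}",
                     f"u{i}@use.startmail.com", t))
        t += timedelta(seconds=22 + i % 4)  # tight 22-25 s cadence
    t = datetime(2026, 4, 13, 9, 0, 0)
    for i in range(25):
        rows.append((f"user.{i}", f"user.{i}@example.org", t))
        t += timedelta(seconds=30 * (1 + (i * 7) % 11) ** 2)  # irregular gaps
    return rows

if __name__ == "__main__":
    for domain, stats in flag_domains(build_sample()).items():
        print(domain, stats)
```

Requiring both signals together keeps a popular mail provider with organically bursty signups from being flagged on cadence alone.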
II. Following the Trail: Far More Than 885 Accounts
Starting from IP correlation and username patterns, we found that over the past 8 months, this person had used 27 email domains to register 2,256 accounts.
The registration history reads like a “ban evasion escape diary”: