According to Wired, researcher Brandon Dixon has tracked several high-profile hacking groups that used VirusTotal to hone their code and develop their tradecraft. He identified several distinct hackers or hacker teams as they refined their code on the service, and he has even been able to identify some of their intended targets.
Every uploaded file leaves a trail of metadata available to subscribers of VirusTotal’s professional-grade service. The data includes the file’s name, a timestamp of when it was uploaded, a hash derived from the uploader’s IP address, and the country from which the file was submitted, determined from that IP address. Some of the groups Dixon monitored used the same addresses repeatedly to submit their malicious code.