Today, the famous hacker USDoD has been doxed by CrowdStrike.
You want to know how?
It's #OSINT time!
First the recap. This morning @TecmundoDigita published an article based on a report from CrowdStrike received from an anonymous source.
"The likely leader of the USDoD group is a 33-year-old man named Luan BG who lives in Minas Gerais, Brazil"
tecmundo.com.br/seguranca/2885…
The article is full of info, more or less partial, without any sources. We don't have access to the initial report. I don't like that. So, at @PredictaLabOff we decided to find the truth by ourselves.
Thanks to predictasearch.com and beta.predictagraph.com, the job is done!
Let's go for the full deep dive.
Before his suspension last month, USDoD used the Twitter account @equationcorp. The bio of the account was "I protect the hive. When the system is out of balance, I correct it"
zerodaycorp on Instagram, previously barbosa.luan_, has the same phrase on his profile.
This is a small link, maybe a coincidence, but it's worth digging.
This Instagram account has been mentioned by a tattoo artist. Not my style but why not?
instagram.com/wilkertattoo93…
This Instagram account has been mentioned in this SoundCloud profile: soundcloud.com/lbg91
Luan describes himself as "Goa Trance producer from Brazil and CEO and Founder of LBGRecords."
It also gives us an old Twitter account and a Facebook account.
Thanks to TinEye, with a reverse image search, I was able to find the Medium account of Luan: natsec.medium.com
One of his articles mentioned an AlienVault pulse. Same name as the Insta account. See the Medium link? His old Medium username was luanbgs22.
Thanks to the awesome WhatsMyName, from luanbgs22 we can find a Gravatar account. Same face, this is our guy.
Did you know? You can get an email from a Gravatar profile. Thanks to hashtray, for example, we found the email luanbgs22@gmail.com.
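How the Gravatar-to-email step works, as an added example that is not part of the original thread and does not use hashtray itself: Gravatar identifies a profile by a hash of the trimmed, lowercased email address (historically MD5, newer profiles SHA-256), so a tool can recover the address by hashing candidate usernames at common mail providers and comparing against the hash exposed in the profile URL. The usernames, the provider list and the target hash below are all constructed placeholders, not values from this investigation.

```python
import hashlib
from typing import Iterable, Optional

# Assumed provider list for candidate generation (constructed for this example;
# a real tool would use a much longer list and more username permutations).
PROVIDERS = ["gmail.com", "hotmail.com", "outlook.com", "yahoo.com", "protonmail.com"]


def gravatar_hash(email: str, algo: str = "md5") -> str:
    """Hash an email the way Gravatar does: trim, lowercase, then MD5 or SHA-256."""
    normalized = email.strip().lower()
    return hashlib.new(algo, normalized.encode("utf-8")).hexdigest()


def candidate_emails(usernames: Iterable[str],
                     providers: Iterable[str] = PROVIDERS) -> Iterable[str]:
    """Yield username@provider combinations to test against the target hash."""
    providers = list(providers)
    for user in usernames:
        for provider in providers:
            yield f"{user}@{provider}"


def recover_email(target_hash: str, usernames: Iterable[str],
                  providers: Iterable[str] = PROVIDERS) -> Optional[str]:
    """Return the candidate email whose Gravatar hash equals target_hash, or None."""
    target = target_hash.strip().lower()
    # The hex length tells us which digest Gravatar used for this profile.
    algo = {32: "md5", 64: "sha256"}.get(len(target))
    if algo is None:
        raise ValueError(f"unexpected Gravatar hash length {len(target)}")
    for email in candidate_emails(usernames, providers):
        if gravatar_hash(email, algo) == target:
            return email
    return None


if __name__ == "__main__":
    # Constructed scenario: the profile URL exposes this hash (derived here from a
    # made-up address so the example runs offline).
    leaked_hash = gravatar_hash("example.user22@gmail.com")
    # Usernames collected from other platforms, as WhatsMyName would surface them.
    print(recover_email(leaked_hash, ["exampleuser", "example.user22"]))
```

The normalization step matters: Gravatar lowercases and trims before hashing, so a candidate list with mixed case or stray whitespace would never match even for the right address.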
Now the fun is coming!
Thanks to predictasearch.com, we found a lot of info linked to this email: Github, Gravatar, TV Time, leaked data and domains registered with this email.
In the data breach of RaidForums, a hacking forum, we can see that this email is linked to the username LLTV.
Moreover, the email has been used to register blacksuse.org, blacksuse.wiki and blacksuse.systems.
On Reddit the user LLTV talked about BlackSUSE: reddit.com/r/linux/commen…
The Reddit user LLTV also mentioned the Medium blog NatSec: reddit.com/r/cybersecurit…
We are still on the right track! But more fun is coming.
Remember, with predictasearch.com we found his Github account: github.com/Labs22
The bio is "Linux User/Gray Hat/Pet's lover/Future Ruby Programmer/Os-Dev." and by looking at his repos, Luan likes reverse engineering.
Luan worked hard on BlackSUSE, a Linux distribution based on openSUSE.
By searching for BlackSUSE on search engines, we found this post about BlackSUSE from the user ElmagoLoko on the forum Hack Forums: hackforums.net/showthread.php…
In another post on the same forum, ElmagoLoko posted a link to his Github profile, which is... the one we found earlier.
Luan is ElmagoLoko; he loves reverse engineering and pentesting.
github.com/Labs22
hackforums.net/showthread.php…
A good #OSINT thread always needs a dating profile mention.
ElmagoLoko has a profile on the dating website Friend Finder. The age is consistent with the rest.
friendfinder-x.com/profile/Elmago…
This is the last sprint.
On Hack Forums (again), ElmagoLoko published a Jabber email: ElMagoLoko@hacker.im
hackforums.net/showthread.php…
This email is mentioned on Guia do Hacker, a hacking forum (again), by a user called CryptoSystem.
forum.guiadohacker.com.br/vb5/forum/segu…
CryptoSystem was active on Guia do Hacker in 2020-2021 and posted multiple data leaks: BlackWater, Chinese Communist Party, Cayman National Bank.
Very similar to what USDoD was doing ;)
forum.guiadohacker.com.br/vb5/member/942…
Let's take the hack of the Cayman National Bank.
It was done by the famous hacktivist Phineas Fisher.
The leak was published by the Distributed Denial of Secrets group and, well, it's still available today.
en.wikipedia.org/wiki/Phineas_F…
caymannewsservice.com/2019/11/hackti…
Time to sum up:
1. USDoD has the same bio as the Instagram account of Luan Gonçalves Barbosa
2. He is a music producer based in Brazil
3. Based on his digital footprint, he loves hacking and reverse engineering
4. He has accounts on multiple hacking forums and posted data leaks
Is Luan USDoD?
Yep, he confirmed it in a statement to HackRead 2 hours ago.
hackread.com/usdod-hacker-s…
Good luck to all the people involved in this case.
All this investigation, tweets included, has been done in 10 hours by the 2 best #OSINT analysts at @PredictaLabOff and myself. Also, without beta.predictagraph.com and predictasearch.com it wouldn't have been possible.
Thanks for reading and don't forget #OPSEC is hard!
Bro come on… Someone tried to log in to my unused Patreon account.
Update: USDoD says goodbye to his friends on TG.