Baptiste Robert
CEO @PredictaLabOff | French Security Researcher, Ethical Hacking, OSINT

Oct 16, 15 tweets

Today, the famous hacker known as USDoD was arrested by the Brazilian police.

The FBI had a way to find his identity and home address since at least June 2022. I will show you how.

It's OSINT time! ⬇️

Let’s recap: On August 23, USDoD was doxxed by Crowdstrike.

Along with the @PredictaLabOff team and using predictagraph.com, we discovered two different OSINT methods to uncover USDoD’s real identity.

x.com/fs0c131y/statu…

Let's go!

In his Twitter bio, the @equationcorp account had a link to a contact.txt file hosted on his website. One version of this file included his BF account.

In his BF account bio, he listed a Keybase account and a link to a.sc, both using the username 'NetSecOfficial.'

An older BF account also used this username, with the same a.sc link mentioned in its bio.

We're getting closer!

Using BF's username history feature, we found that this account previously used the usernames: Anthony_Palmisan and NetSec⭐️⭐️⭐️⭐️⭐️.

This is where USDoD made his biggest mistake.

In the NetSec⭐️⭐️⭐️⭐️⭐️ BF account, he linked the Twitter account @NetSecReal.

According to archive.org, this info was in his bio on June 25, 2022.

web.archive.org/web/2022062521…

With the Twitter ID of this account, 2930319225, law enforcement, including the @FBI, would have been able to submit a request to Twitter to obtain all user info, including previous usernames.

This is how they would have obtained: Net_Sec_, Luan_BH_, and 1337_scarface.

They would have obtained the previous email used by the 1337_scarface Twitter account: cryptosystemjobs@gmail.com.

Side note: This email was also discoverable in early 2023 due to the data breach known as Twitter 200M.

The law enforcement approach: Using this email, they would have requested info from various sites like Foursquare to check for linked accounts.

The OSINT practitioner approach: They would have used predictasearch.com to find his Foursquare account.

With his Foursquare account, they would obtain his full name, a photo, and his location.

He wasn't hiding: According to the news article about his arrest, he was apprehended in Belo Horizonte. I guess he was just waiting at home the entire time.

g1.globo.com/politica/notic…

To conclude:
- At the start of his cybercriminal career, USDoD, aka NetSecReal, renamed his personal Twitter account for his activities.
- He never deleted his digital traces.
- It has been technically possible to find him since 2022.

So why was he arrested only now?

Update: The official press release regarding the USDoD arrest

gov.br/pf/pt-br/assun…

For easier reading, I created an article on LinkedIn based on this thread.

linkedin.com/pulse/tracking…

Starting today, Predicta Search Pro users can now publicly share graphs!

Check out the graph for the USDoD case

➡️ predictagraph.com/graph/snapshot…

x.com/fs0c131y/statu…
