Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Baptiste Robert Profile picture
@fs0c131y
Aug 23, 2024 27 tweets 16 min read Read on X
Scrolly
Today, the famous hacker USDoD has been doxed by CrowdStrike.

You want to know how?

It's #OSINT time!
First the recap. This morning @TecmundoDigita published an article based on a report from CrowdStrike received from an anonymous source.

"The likely leader of the USDoD group is a 33-year-old man named Luan BG who lives in Minas Gerais, Brazil"

tecmundo.com.br/seguranca/2885…
@TecmundoDigita The article is full of info, more or less partial, without any sources. We don't have access to the initial report. I don't like that. So, at @PredictaLabOff we decided to find the truth by ourselves

Thanks to and the job is done! predictasearch.com
beta.predictagraph.com
Image
@TecmundoDigita @PredictaLabOff Let's go for the full deep dive.

Before his suspension last month, USDoD used the Twitter account @equationcorp. The bio of the account was "I protect the hive. When the system is out of balance, I correct it" Image
@TecmundoDigita @PredictaLabOff @EquationCorp zerodaycorp on Instagram, previously barbosa.luan_, has the same phrase on his profile.

This is a small link, maybe a coincidence, but it's worth digging
Image
Image
@TecmundoDigita @PredictaLabOff @EquationCorp This instagram account has been mentioned by a tattoo artist. Not my style but why not?

instagram.com/wilkertattoo93…
@TecmundoDigita @PredictaLabOff @EquationCorp This Instagram account has been mentioned in this SoundCloud profile:

Luan describes himself as "Goa Trance producer from Brazil and CEO and Founder of LBGRecords."

It gives us also an old Twitter account and a Facebook account soundcloud.com/lbg91



Image
Image
Image
Image
@TecmundoDigita @PredictaLabOff @EquationCorp Thanks to Tineye, with a reverse image search, I was able to find the Medium account of Luan: natsec.medium.com

Image
Image
@TecmundoDigita @PredictaLabOff @EquationCorp One of his article, mentioned an AlienVault pulse. Same name as the Insta account. See the medium link? His old Medium username was luanbgs22

Image
Image
Image
@TecmundoDigita @PredictaLabOff @EquationCorp Thanks to the awesome WhatsMyName, from luanbgs22 we can find a Gravatar account. Same face, this is our guy.

Do you know? You can get an email from a Gravatar profile. Thanks to hashtray for example, we found the email luanbgs22@gmail.com

Image
Image
Image
@TecmundoDigita @PredictaLabOff @EquationCorp Now the fun is coming!

Thanks to , we found a lot of info linked to this email: Github, Gravatar, TV Time, leaked data and registered domains by this email predictasearch.com

Image
Image
In the RaidForums data breach, a hacking forum, we can see that this email is linked to the username LLTV

Moreover, the email has been used to register , , .

On Reddit the user LLTV talked about BlackSUSE: blacksuse.org
blacksuse.wiki
blacksuse.systems
reddit.com/r/linux/commen…Image
Image
@TecmundoDigita @PredictaLabOff @EquationCorp The Reddit user LLTV mentioned also the Medium blog NatSec:

We are still on the right tracks! But more fun is coming reddit.com/r/cybersecurit…
Image
@TecmundoDigita @PredictaLabOff @EquationCorp Remember with we found his Github account:

The bio is "Linux User/Gray Hat/Pet's lover/Future Ruby Programmer/Os-Dev." and by looking at his repo Luan like reverse engineering. predictasearch.com
github.com/Labs22

Image
Image
@TecmundoDigita @PredictaLabOff @EquationCorp Luan worked hard on BlackSUSE a Linux distribution based on OpenSUSE.

By searching BlackSUSE on search engines we found this post about BlackSUSE from the user ElmagoLoko on the forum Hack Forums hackforums.net/showthread.php…


Image
Image
Image
@TecmundoDigita @PredictaLabOff @EquationCorp On another post on the same forum, ElmagoLoko posted a link to his Github profile which is... the one we found earlier.

Luan is Elmagoko, he loves reverse engineering and pentesting.

github.com/Labs22
hackforums.net/showthread.php…
Image
@TecmundoDigita @PredictaLabOff @EquationCorp A good #OSINT thread always needs a dating profile mention.

ElmagoLoko has a profile on the dating website Friend Finder. The age is consistent with the rest

friendfinder-x.com/profile/Elmago…
Image
@TecmundoDigita @PredictaLabOff @EquationCorp This is the last sprint.

On Hack Forums (again), ElmagoLoko, published a Jabber email: ElMagoLoko@hacker.im

hackforums.net/showthread.php…
Image
@TecmundoDigita @PredictaLabOff @EquationCorp This email is mentioned on Guiado Hacker, a hacking forum (again), by an user called CryptoSystem.

forum.guiadohacker.com.br/vb5/forum/segu…
Image
@TecmundoDigita @PredictaLabOff @EquationCorp CryptoSystem was active on Guiado Hacker in 2020 - 2021 and posted multiple data leaks: BlackWater, Chinese Communist Party, Cayman National Bank

Very similar to what USDoD was doing ;)

forum.guiadohacker.com.br/vb5/member/942…



Image
Image
Image
Image
@TecmundoDigita @PredictaLabOff @EquationCorp Let's take the hack of the Cayman National Bank.

It has been done by the famous hacktivist Phineas Fisher:

The leak has been published by the Distributed Denial of Secrets group and well it's still available today

en.wikipedia.org/wiki/Phineas_F…
caymannewsservice.com/2019/11/hackti…
@TecmundoDigita @PredictaLabOff @EquationCorp Time to sumup:

1. USDoD has the same bio than the Instagram account of Luan Gonçalves Barbosa
2. He is a music producer based in Brasil
3. Based on his digital footprint he loves hacking and reverse engineering
4. He has accounts on multiple hacking forums and posted data leaks
@TecmundoDigita @PredictaLabOff @EquationCorp Is Luan USDoD?

Yep he confirmed it to a statement to HackRead 2 hours ago

hackread.com/usdod-hacker-s…
Image
@TecmundoDigita @PredictaLabOff @EquationCorp Good luck to all the people involved to this case.

All this investigation, tweets included, has been done in 10 hours by the 2 best #OSINT analysts at @PredictaLabOff and myself. Also, without and it wouldn't be possible. beta.predictagraph.com
predictasearch.com
Image
@TecmundoDigita @PredictaLabOff @EquationCorp Thanks for reading and don't forget #OPSEC is hard!
@TecmundoDigita @PredictaLabOff @EquationCorp Bro come on… Someone try to login to my unused Patreon account Image
@TecmundoDigita @PredictaLabOff @EquationCorp Update: USDoD say goodbye to his friends on TG

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Baptiste Robert

Baptiste Robert Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @fs0c131y

Baptiste Robert Profile picture
Dec 28, 2024
5 days ago, an Instagram account shared a video from North Korea with the caption: "A brave tourist secretly captures restricted views of downtown North Korea"

Can we geolocate this footage?

It's GEOINT time!
I paused the video to screenshot this pink building. A quick Google Lens search reveals two matching photos of the location:
- alamyimages.fr/un-agent-de-po…
- flickr.com/photos/tobeyfo… Image
Image
Image
Image
The second link includes a street name and points to this location: 39.00493900995318, 125.73642620392643. Image
Image
Read 11 tweets
Baptiste Robert Profile picture
Dec 23, 2024
On Friday, December 20, 2024, the U.S. DOJ charged Rostislav Panev, a dual Russian-Israeli national, as a LockBit ransomware developer. Arrested in Israel, he awaits extradition to the U.S.

It's OSINT time! Image
You know the drill: with predictasearch.com and predictagraph.com, I traced and mapped Rostislav Panev's complete digital footprint.

Explore the graph here: predictagraph.com/graph/snapshot… Image
First things first, here’s the official information available:
- DOJ Press Release: justice.gov/opa/pr/united-…
- Superseding Complaint: justice.gov/opa/media/1381… Image
Image
Read 14 tweets
Baptiste Robert Profile picture
Oct 31, 2024
Two days ago, @TheJusticeDept announced an international disruption effort against the current version of RedLine Infostealer.

It's #OSINT time!
In the redacted complaint, Maxim Rudometov is identified as one of the developers of RedLine: justice.gov/usao-wdtx/medi…

Using Predicta Graph and #OSINT techniques, I’ve retraced each step taken by the @FBI. For full details, check out the complete graph!

predictagraph.com/graph/snapshot… Image
On March 4, 2020, a blogger named Foxovsky published a post on RedLine and its creators .

In his post, he mentioned two usernames connected to the stealer: Dendimirror and Alinchokweb.archive.org/web/2020031104…Image
Read 21 tweets
Baptiste Robert Profile picture
Oct 16, 2024
Today, the famous hacker known as USDoD was arrested by the Brazilian police.

The FBI had a way to find his identity and home address since at least June 2022. I will show you how.

It's OSINT time! ⬇️
Let’s recap: On August 23, USDoD was doxxed by Crowdstrike.

Along with the @PredictaLabOff team and using predictagraph.com, we discovered two different OSINT methods to uncover USDoD’s real identity.

x.com/fs0c131y/statu…
@PredictaLabOff Let's go!

In his Twitter bio, the @equationcorp account had a link to a contact.txt file hosted on his website. One version of this file included his BF account. Image
Read 15 tweets
Baptiste Robert Profile picture
Sep 17, 2024
Few things about exploding communication pagers

Thread ⬇️
First off, it's still early, and reports are developing. Keep an eye on the news in the coming hours or days for more updates.

theguardian.com/world/2024/sep…
Relax, we're talking about pagers here, not smartphones. Pagers are much older and far less powerful compared to the smartphones we use today.

en.wikipedia.org/wiki/Pager
Read 14 tweets
Baptiste Robert Profile picture
Sep 8, 2024
Three days ago, the @FBI released photos of "GRU 29155 cyber operatives": five Russian military intelligence officers and one civilian.

It's #OSINT time!
@FBI I zeroed in on Denis Igorevich Denisenko and, with the help of , mapped a portion of his digital footprint in just a few minutes.

Nothing groundbreaking, but I did uncover some interesting bits! beta.predictagraph.com

Image
Image
@FBI Денис Игоревич Денисенко appears in the Alfa-Bank data leak, with the date of birth matching the FBI's information: May 14, 1997.

The leak also includes an associated email, dalpha777@gmail.com, and phone number +7910275 0864. Image
Read 11 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(