Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Baptiste Robert Profile picture
@fs0c131y
Oct 16, 2024 15 tweets 7 min read Read on X
Scrolly
Today, the famous hacker known as USDoD was arrested by the Brazilian police.

The FBI had a way to find his identity and home address since at least June 2022. I will show you how.

It's OSINT time! ⬇️
Let’s recap: On August 23, USDoD was doxxed by Crowdstrike.

Along with the @PredictaLabOff team and using predictagraph.com, we discovered two different OSINT methods to uncover USDoD’s real identity.

x.com/fs0c131y/statu…
@PredictaLabOff Let's go!

In his Twitter bio, the @equationcorp account had a link to a contact.txt file hosted on his website. One version of this file included his BF account. Image
@PredictaLabOff @EquationCorp In his BF account bio, he listed a Keybase account and a link to a.sc, both using the username 'NetSecOfficial.'

An older BF account also used this username, with the same a.sc link mentioned in its bio. Image
@PredictaLabOff @EquationCorp We're getting closer!

Using BF's username history feature, we found that this account previously used the usernames: Anthony_Palmisan and NetSec⭐️⭐️⭐️⭐️⭐️. Image
@PredictaLabOff @EquationCorp This is where USDoD made his biggest mistake.

In the NetSec⭐️⭐️⭐️⭐️⭐️ BF account, he linked the Twitter account @NetSecReal.

According to archive.org, this info was in his bio on June 25, 2022.

web.archive.org/web/2022062521… Image
@PredictaLabOff @EquationCorp With the Twitter ID of this account, 2930319225, law enforcement, including the @FBI, would have been able to submit a request to Twitter to obtain all user info, including previous usernames.

This is how they would have obtained: Net_Sec_, Luan_BH_, and 1337_scarface. Image
@PredictaLabOff @EquationCorp @FBI They would have obtained the previous email used by the 1337_scarface Twitter account: cryptosystemjobs@gmail.com.

Side note: This email was also discoverable in early 2023 due to the data breach known as Twitter 200M. Image
@PredictaLabOff @EquationCorp @FBI The law enforcement approach: Using this email, they would have requested info from various sites like Foursquare to check for linked accounts.

The OSINT practitioner approach: They would have used to find his Foursquare account. predictasearch.comImage
@PredictaLabOff @EquationCorp @FBI With his Foursquare account, they would obtain his full name, a photo, and his location. Image
@PredictaLabOff @EquationCorp @FBI He wasn't hiding: According to the news article about his arrest, he was apprehended in Belo Horizonte. I guess he was just waiting at home the entire time.

g1.globo.com/politica/notic…Image
@PredictaLabOff @EquationCorp @FBI To conclude:
- At the start of his cybercriminal career, USDoD, aka NetSecReal, renamed his personal Twitter account for his activities.
- He never deleted his digital traces.
- It has been technically possible to find him since 2022.

So why was he arrested only now?
@PredictaLabOff @EquationCorp @FBI Update: The official press release regarding the USDoD arrest

gov.br/pf/pt-br/assun…
For easier reading, I created an article on LinkedIn based on this thread.

linkedin.com/pulse/tracking…
Starting today, Predicta Search Pro users can now publicly share graphs!

Check out the graph for the USDoD case

➡️ predictagraph.com/graph/snapshot…

x.com/fs0c131y/statu… Image

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Baptiste Robert

Baptiste Robert Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @fs0c131y

Baptiste Robert Profile picture
Mar 3
Votre volonté d’ajouter une porte dérobée dans les applications de messagerie est une énorme idiotie. Presque autant que votre condescendance…

Explications ⬇️
Beaucoup s’inquiètent, donc madame explique. À coup de novlangue et de mots clefs.

Le fameux : “Si les français ne comprennent pas c’est que l’on n’a pas assez expliqué”

Vous prenez les gens pour des idiots et après la classe politique s’étonne des résultats dans les urnes
Après avoir dit que le texte est trop large un tweet plus haut on parle “des services” ? Il n’y avait pas un mot plus large dans le dictionnaire de la French Tech ?

Non il n’y a pas de backdoor qui respecte les libertés et la vie privée. C’est un MENSONGE.
Read 12 tweets
Baptiste Robert Profile picture
Feb 7
Operation TALENT - Tracking the Hackers

On January 29th, Operation Talent dismantled the cybercrime forums Cracked and Nulled, led by two young individuals and used by millions.

Want to dive deeper?

It's OSINT time! ⬇️Image
To complete this investigation, the @PredictaLabOff team utilized our platforms predictagraph.com and predictasearch.com.

Thanks to the collaborative mode, you can access a snapshot of the graph here:
predictagraph.com/graph/snapshot… Image
@PredictaLabOff Time to uncover who was behind the forum Cracked.

@CrackedTo is the official X account of the forum. The associated email, olivia.messla@outlook.de, was revealed in the 2023 Twitter breach. Image
Read 16 tweets
Baptiste Robert Profile picture
Jan 19
The IP address of DrugHub, a well-known dark web drug marketplace, has been exposed.

The website owner made a critical OPSEC blunder.

It's OPSEC time!
On the website's /info/market-links page, three links are provided:
- The primary .onion address
- A clearnet link
- A permanent mirror Image
Currently, drughub[.]xx is protected by Cloudflare, but two months ago, it was hosted on the IP address 186.2.171.6. Image
Image
Read 9 tweets
Baptiste Robert Profile picture
Jan 14
Worried about a TikTok ban? Americans are now flocking to Xiaohongshu (REDnote), another Chinese app.

Spoiler: Yes, it tracks its users.

Time to dive in! ⬇️ Image
When creating an account, you must verify your phone number by entering a code received via SMS.

The request sent to Xiaohongshu's server includes your phone number (of course), along with your IDFA and IDFV. Image
Image
What’s an IDFA? The Identifier for Advertisers (IDFA) is a unique device ID assigned by Apple to every iOS device.

Many actors, like data brokers, use it to profile you, track your location, and more.

Read 13 tweets
Baptiste Robert Profile picture
Jan 10
Only one country was represented at Kim Jong Un's New Year's Eve party. Can you guess which one?

At the Rungrado Stadium, Kim hosted a grand celebration. Before the fireworks, officials enjoyed a private party near the stadium

One attendee's face stood out 🕵️‍♂️

It’s OSINT time!
South Korean media focused on a 2-second clip of Kim Yo Jong, Kim Jong Un's sister, seen publicly with what seemed to be her children for the first time.

But they missed something important 👀
I came across the official video of the private party before the celebration. It shows key figures stepping out of their cars, mingling, and chatting around tables.

Something immediately caught my eye. Do you see it too?
Read 17 tweets
Baptiste Robert Profile picture
Jan 8
Hackers claim to have breached Gravy Analytics, a US location data broker selling to government agencies.

They shared 3 samples on a Russian forum, exposing millions of location points across the US, Russia, and Europe.

It's OSINT time! 👇 Image
The samples include tens of millions of location data points worldwide.

They cover sensitive locations like the White House, Kremlin, Vatican, military bases, and more.

Time to dig in! Image
Image
Image
Visualizing such a massive amount of location data is no easy task.

Google Earth Pro crashed at 500k location points, and our OSINT platform hit its limit at 1.5 million. Even if it is "just" a sample, rendering the entire dataset at once is a real challenge. Image
Read 27 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(