Baptiste Robert
Oct 16, 15 tweets
Today, the famous hacker known as USDoD was arrested by the Brazilian police.

The FBI had a way to find his identity and home address since at least June 2022. I will show you how.

It's OSINT time! ⬇️
Let’s recap: On August 23, USDoD was doxxed by Crowdstrike.

Along with the @PredictaLabOff team and using predictagraph.com, we discovered two different OSINT methods to uncover USDoD’s real identity.

x.com/fs0c131y/statu…
Let's go!

In his Twitter bio, the @equationcorp account had a link to a contact.txt file hosted on his website. One version of this file included his BF account.
In his BF account bio, he listed a Keybase account and a link to a.sc, both using the username 'NetSecOfficial.'

An older BF account also used this username, with the same a.sc link mentioned in its bio.
We're getting closer!

Using BF's username history feature, we found that this account previously used the usernames: Anthony_Palmisan and NetSec⭐️⭐️⭐️⭐️⭐️.
This is where USDoD made his biggest mistake.

In the NetSec⭐️⭐️⭐️⭐️⭐️ BF account, he linked the Twitter account @NetSecReal.

According to archive.org, this info was in his bio on June 25, 2022.

web.archive.org/web/2022062521…
With the Twitter ID of this account, 2930319225, law enforcement, including the @FBI, would have been able to submit a request to Twitter to obtain all user info, including previous usernames.

This is how they would have obtained: Net_Sec_, Luan_BH_, and 1337_scarface.
They would have obtained the previous email used by the 1337_scarface Twitter account: cryptosystemjobs@gmail.com.

Side note: This email was also discoverable in early 2023 due to the data breach known as Twitter 200M.
The law enforcement approach: Using this email, they would have requested info from various sites like Foursquare to check for linked accounts.

The OSINT practitioner approach: They would have used predictasearch.com to find his Foursquare account.
With his Foursquare account, they would obtain his full name, a photo, and his location.
He wasn't hiding: According to the news article about his arrest, he was apprehended in Belo Horizonte. I guess he was just waiting at home the entire time.

g1.globo.com/politica/notic…
To conclude:
- At the start of his cybercriminal career, USDoD, aka NetSecReal, renamed his personal Twitter account for his activities.
- He never deleted his digital traces.
- It has been technically possible to find him since 2022.

So why was he arrested only now?
Update: The official press release regarding the USDoD arrest

gov.br/pf/pt-br/assun…
For easier reading, I created an article on LinkedIn based on this thread.

linkedin.com/pulse/tracking…
Starting today, Predicta Search Pro users can now publicly share graphs!

Check out the graph for the USDoD case

➡️ predictagraph.com/graph/snapshot…

x.com/fs0c131y/statu…

