In his Twitter bio, the @equationcorp account had a link to a contact.txt file hosted on his website. One version of this file included his BF account.
@PredictaLabOff @EquationCorp In his BF account bio, he listed a Keybase account and a link to a.sc, both using the username 'NetSecOfficial.'
An older BF account also used this username, with the same a.sc link mentioned in its bio.
@PredictaLabOff @EquationCorp With the Twitter ID of this account, 2930319225, law enforcement, including the @FBI, would have been able to submit a request to Twitter to obtain all user info, including previous usernames.
This is how they would have obtained: Net_Sec_, Luan_BH_, and 1337_scarface.
@PredictaLabOff @EquationCorp @FBI They would have obtained the previous email used by the 1337_scarface Twitter account: cryptosystemjobs@gmail.com.
Side note: This email was also discoverable in early 2023 due to the data breach known as Twitter 200M.
@PredictaLabOff @EquationCorp @FBI The law enforcement approach: Using this email, they would have requested info from various sites like Foursquare to check for linked accounts.
The OSINT practitioner approach: They would have used predictasearch.com to find his Foursquare account.
@PredictaLabOff @EquationCorp @FBI With his Foursquare account, they would obtain his full name, a photo, and his location.
@PredictaLabOff @EquationCorp @FBI He wasn't hiding: According to the news article about his arrest, he was apprehended in Belo Horizonte. I guess he was just waiting at home the entire time.
@PredictaLabOff @EquationCorp @FBI To conclude:
- At the start of his cybercriminal career, USDoD, aka NetSecReal, renamed his personal Twitter account for his activities.
- He never deleted his digital traces.
- It has been technically possible to find him since 2022.
So why was he arrested only now?
@PredictaLabOff @EquationCorp @FBI Update: The official press release regarding the USDoD arrest
@TecmundoDigita The article is full of info, more or less partial, without any sources. We don't have access to the initial report. I don't like that. So, at @PredictaLabOff we decided to find the truth by ourselves.