VandaTheGod is a hacker who has been active since 2013.
The hacker, who sometimes goes by the online handles of “Vanda de Assis” and “SH1N1NG4M3”, claims to be associated with various hacking groups, including the Brazilian Cyber Army and UGNazi.
VandaTheGod’s activities included the defacement of websites of governments around the world, often accompanied with messages expressing outrage over injustice or corruption, or breaking into the email systems of government workers, and Brasilian universities.
And VandaTheGod relished documenting his hacks and website defacements on his social media accounts.
VandaTheGod was certainly keeping himself busy, defacing 4,820 different websites in the eight months leading up to February 2020 – that’s over 20 every day! Meanwhile, the hacker was not above offering stolen data for sale, such as a million patient records stolen from a New Zealand health organisation.
But VandaTheGod’s delight in showing off about his hacks on social media may have proven to be his undoing.
Security researchers at Check Point describe how they investigated the hacker’s online footprint, and found a tweet which portrayed the hacked account of Brazilian actor Myrian Rios.
What many people may not have noticed in the image of Ms Rios’s hacked account, however, was a browser tab leading to a Facebook account in the name of “Vanda De Assis.”
Meanwhile, the researchers had discovered that VandaTheGod’s website had been registered using the email address [email protected] from Uberlandia, in Brazil.
The same email address was used to register other domain names, including braziliancyberarmy.com.
Meanwhile, a screenshot shared by the hacker included a browser tab containing the initials “M R”.
Pieces of the jigsaw puzzle were coming together.
Check Point’s researchers describe what they did with the information:
At first we were unsure if M. R. was VandaTheGod’s real initials, but we decided it was worth investigating, as a first name with these initials also appeared in several screenshots shared in VandaTheGod’s Twitter as the username of the machine used for this hacking activity.
At first, we tried searching Facebook for people named M.R., but as expected, we were presented with too many possibilities to fully explore.
Our breakthrough came when we searched for M.R. in conjunction with the city we previously observed in vandathegod.com’s WHOIS information: “UBERLANDIA”
This still gave us numerous Facebook profiles, but we were able to locate a single account, which contained an uploaded image endorsing the Brazilian Cyber Army.
The researchers still wanted to make more links between the Facebook account belonging to “M R” (Check Point has not released the full name of the individual) and the one run by “Vanda de Assis”.
Fortuitously, the hacker had posted the same photograph of a man holding a bottle of whisky to both accounts.
In addition, photographs taken in “M R”‘s living room while playing on his Sony PlayStation matched perfectly with the furniture seen in photos posted on Twitter by VandaTheGod.
Check Point’s team shared their research, including the identity of “M R”, to law enforcement agencies in Brazil, and notes that the individual’s activities appear to have stopped.