OPSEC fail! “Super-hacker” accidentally outs himself through careless clues left on social media


OPSEC fail!

VandaTheGod is a hacker who has been active since 2013.

The hacker, who sometimes goes by the online handles of “Vanda de Assis” and “SH1N1NG4M3”, claims to be associated with various hacking groups, including the Brazilian Cyber Army and UGNazi.

VandaTheGod’s activities included the defacement of websites of governments around the world, often accompanied with messages expressing outrage over injustice or corruption, or breaking into the email systems of government workers, and Brasilian universities.

University email

And VandaTheGod relished documenting his hacks and website defacements on his social media accounts.

Government website defacement

VandaTheGod was certainly keeping himself busy, defacing 4,820 different websites in the eight months leading up to February 2020 – that’s over 20 every day! Meanwhile, the hacker was not above offering stolen data for sale, such as a million patient records stolen from a New Zealand health organisation.

But VandaTheGod’s delight in showing off about his hacks on social media may have proven to be his undoing.

Sign up to our free newsletter.
Security news, advice, and tips.

Security researchers at Check Point describe how they investigated the hacker’s online footprint, and found a tweet which portrayed the hacked account of Brazilian actor Myrian Rios.

Myrian hack

What many people may not have noticed in the image of Ms Rios’s hacked account, however, was a browser tab leading to a Facebook account in the name of “Vanda De Assis.”

Meanwhile, the researchers had discovered that VandaTheGod’s website had been registered using the email address [email protected] from Uberlandia, in Brazil.

The same email address was used to register other domain names, including braziliancyberarmy.com.

Meanwhile, a screenshot shared by the hacker included a browser tab containing the initials “M R”.

Screenshot mr

Pieces of the jigsaw puzzle were coming together.

Check Point’s researchers describe what they did with the information:

At first we were unsure if M. R. was VandaTheGod’s real initials, but we decided it was worth investigating, as a first name with these initials also appeared in several screenshots shared in VandaTheGod’s Twitter as the username of the machine used for this hacking activity.

At first, we tried searching Facebook for people named M.R., but as expected, we were presented with too many possibilities to fully explore.

Our breakthrough came when we searched for M.R. in conjunction with the city we previously observed in vandathegod.com’s WHOIS information: “UBERLANDIA”

This still gave us numerous Facebook profiles, but we were able to locate a single account, which contained an uploaded image endorsing the Brazilian Cyber Army.

The researchers still wanted to make more links between the Facebook account belonging to “M R” (Check Point has not released the full name of the individual) and the one run by “Vanda de Assis”.

Fortuitously, the hacker had posted the same photograph of a man holding a bottle of whisky to both accounts.

Photo comparison

In addition, photographs taken in “M R”‘s living room while playing on his Sony PlayStation matched perfectly with the furniture seen in photos posted on Twitter by VandaTheGod.

Check Point’s team shared their research, including the identity of “M R”, to law enforcement agencies in Brazil, and notes that the individual’s activities appear to have stopped.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

5 comments on “OPSEC fail! “Super-hacker” accidentally outs himself through careless clues left on social media”


    How and where can I report about hackers SCAMMERS in US,,,SAUDI

    1. James · in reply to PRADEEP SHARMA

      The FBI takes all calls related to scams.

  2. jr

    MR = Marcos Roberto

  3. Adrian

    Given the reputation, and body count, of the Brazilian police under their current regime, I hope that Check Point security considered the potential ramifications of passing the suspect's details to "law" enforcement.

    1. DanaCroft · in reply to Adrian

      As a cop from Uberlândia/MG, I can assure you that we made proper use of the details we have from Marcos Roberto and, as you may know, he is doing time once again.
      Truth is we have more important crimes to persecute and, afterall, he is simply a defacer with little knowledge of what he was doing. He just used other people's scripts and he could barely name the exploits.

      Turns out he is just as famous as y'all are making him.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.