OPSEC fail! “Super-hacker” accidentally outs himself through careless clues left on social media

D’oh!

Graham Cluley
@gcluley

VandaTheGod is a hacker who has been active since 2013.

The hacker, who sometimes goes by the online handles of “Vanda de Assis” and “SH1N1NG4M3”, claims to be associated with various hacking groups, including the Brazilian Cyber Army and UGNazi.

VandaTheGod’s activities included defacing the websites of governments around the world, often accompanied by messages expressing outrage over injustice or corruption, as well as breaking into the email systems of government workers and Brazilian universities.

And VandaTheGod relished documenting his hacks and website defacements on his social media accounts.

VandaTheGod was certainly keeping himself busy, defacing 4,820 different websites in the eight months leading up to February 2020 – that’s over 20 every day! Meanwhile, the hacker was not above offering stolen data for sale, such as a million patient records stolen from a New Zealand health organisation.

But VandaTheGod’s delight in showing off about his hacks on social media may have proven to be his undoing.

Security researchers at Check Point describe how they investigated the hacker’s online footprint, and found a tweet which portrayed the hacked account of Brazilian actor Myrian Rios.

What many people may not have noticed in the image of Ms Rios’s hacked account, however, was a browser tab leading to a Facebook account in the name of “Vanda De Assis.”

Meanwhile, the researchers had discovered that VandaTheGod’s website had been registered using the email address fathernazi@gmail.com from Uberlandia, in Brazil.

The same email address was used to register other domain names, including braziliancyberarmy.com.

Meanwhile, a screenshot shared by the hacker included a browser tab containing the initials “M R”.

Pieces of the jigsaw puzzle were coming together.

Check Point’s researchers describe what they did with the information:

At first we were unsure if M. R. was VandaTheGod’s real initials, but we decided it was worth investigating, as a first name with these initials also appeared in several screenshots shared in VandaTheGod’s Twitter as the username of the machine used for this hacking activity.

At first, we tried searching Facebook for people named M.R., but as expected, we were presented with too many possibilities to fully explore.

Our breakthrough came when we searched for M.R. in conjunction with the city we previously observed in vandathegod.com’s WHOIS information: “UBERLANDIA”

This still gave us numerous Facebook profiles, but we were able to locate a single account, which contained an uploaded image endorsing the Brazilian Cyber Army.

The researchers still wanted to make more links between the Facebook account belonging to “M R” (Check Point has not released the full name of the individual) and the one run by “Vanda de Assis”.

Fortuitously, the hacker had posted the same photograph of a man holding a bottle of whisky to both accounts.

In addition, photographs taken in “M R”’s living room while playing on his Sony PlayStation matched perfectly with the furniture seen in photos posted on Twitter by VandaTheGod.

Check Point’s team shared their research, including the identity of “M R”, with law enforcement agencies in Brazil, and note that the individual’s activities appear to have stopped.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

4 comments on “OPSEC fail! “Super-hacker” accidentally outs himself through careless clues left on social media”

  1. Given the reputation, and body count, of the Brazilian police under their current regime, I hope that Check Point security considered the potential ramifications of passing the suspect's details to "law" enforcement.
