Check Point exposes notorious hacktivist ‘VandaTheGod’
Check Point has shared research detailing its investigation to expose the real identity of a notorious super-hacker who has been responsible for attacks on 4 820 Web sites, the theft of the private data of around one million people, and the sale of stolen credit cards.
In addition, for the last seven years, official Web sites belonging to governments worldwide were hacked and defaced by this hacker, who identified himself as ‘VandaTheGod’. The hacks push an anti-establishment message and were carried out, he claimed, to combat social injustices that the hacker believed were a direct result of government corruption.
He targeted governments in numerous countries, including South Africa, Brazil, the Dominican Republic, Trinidad and Tobago, Argentina, Thailand, Vietnam, and New Zealand.
He was certainly cunning, but not too clever, as a silly mistake on Facebook exposed him, and will likely seal his fate.
“The person behind the ‘VandaTheGod’ persona has used multiple aliases over the years, including ‘Vanda de Assis’ or ‘SH1N1NG4M3’, and was highly active on social media, primarily Twitter,” says Check Point. “They would often share the results of those hacking endeavours with the public. A link to this Twitter account would sometimes even be added to the message VandaTheGod left on compromised Web sites, confirming that this profile was in fact managed by the attacker.”
Many of the tweets in this account were written in Portuguese, and the hacker claimed to be a part of the "Brazilian Cyber Army" or "BCA", often displaying BCA's logo in screenshots of compromised accounts and Web sites.
VandaTheGod didn’t only target government Web sites, but also launched attacks against public figures, universities, and even hospitals. In one case, he claimed to have access to the medical records of 1 million patients from New Zealand, which were offered for sale for $200.
While the majority of VandaTheGod's attacks against governments were politically motivated, closer scrutiny of his tweets shows he was also trying to achieve a personal goal: hacking a total of 5 000 Web sites. That goal was nearly achieved, with 4 820 records of hacked Web sites linked to him.
The man behind the handle
VandaTheGod's prominent role in several hacking groups, as well as his love of publicity, meant that he stayed in touch with others in the hacking community via numerous social media accounts, backup accounts in case of takedown, e-mail addresses, Web sites and more. Through the years, this activity left a long trail of information for Check Point to investigate.
For example, the WHOIS record for VandaTheGod.com revealed that the Web site was registered to an individual from Brazil, more specifically from Uberlandia, using the e-mail address email@example.com. In the past, VandaTheGod claimed to be a member of the UGNazi hacking group, and this e-mail address was used to register additional Web sites, such as braziliancyberarmy.com.
This wasn’t the only time the hacker got sloppy and shared details online that gave away valuable information about his identity. In another example, a screenshot showing the compromised e-mail account of Brazilian actress and TV presenter Myrian Rios also showed an open Facebook tab with the name "Vanda De Assis", and looking that name up led to a profile belonging to the attacker.
“While this profile did not share any details about the real identity of VandaTheGod, we were able to see many similarities between this and the Twitter accounts operated by the attacker, as the same content was often shared on both platforms,” says Check Point. “What was more interesting, however, was that this screenshot revealed the name of a user that we will identify here only by initials MR.”
At first Check Point was unsure whether these were the hacker's real initials, but upon further investigation it discovered a first name with these initials also appearing in several screenshots shared on VandaTheGod's Twitter account as the username of the machine used for this hacking activity.
Researchers tried to search Facebook for people named MR, but unsurprisingly, were presented with too many possibilities to fully explore. “Our breakthrough came when we searched for MR in conjunction with the city we previously observed in vandathegod.com’s WHOIS information: ‘UBERLANDIA’.”
This still gave Check Point numerous Facebook profiles, but researchers were able to locate a single account which contained an uploaded image endorsing the Brazilian Cyber Army. “At this point, we knew that we were on the right track. All that was left for us to do was to connect this individual's account with one of VandaTheGod's known accounts. We were able to locate several cross-posts between the newly discovered profile and Vanda de Assis’s Facebook account,” the researchers say.
Finally, Check Point located shared photos of the same surroundings from different angles, specifically, the poster's living room. This confirmed that both the MR and VandaTheGod accounts were being controlled by the same person.
Check Point was ultimately able to connect the VandaTheGod identity with high certainty to a specific Brazilian individual from the city of Uberlândia, and relayed its findings to law enforcement to enable them to take further action.
While all of the detailed social media profiles still exist, many of the photos in the attacker's personal profile that overlap with those shared by the VandaTheGod alias were later deleted.
For seven long years, VandaTheGod's hacking activity has targeted governments, corporations and individuals, defacing sites, stealing corporate information and dumping people’s credit card data online.
“While many tend to underestimate defacement hacking groups as merely digital vandals writing slogans on Web sites, VandaTheGod has proven with multiple successful attacks against reputable sites that hacktivism often crosses the line into further criminal activity, such as credentials and payment-card theft.”
These groups share their exploits and techniques with the wider cyber-crime community – making them a very real danger to online security.
“While this hacker may have carried out many successful hacks, he ultimately failed as he left many trails that led to his true identity, particularly at the start of his hacking career,” Check Point concludes.