How to discover a major hacker’s identity with OSINT — Solution 1

Predicta Lab
5 min read · Aug 28, 2024


Last week CrowdStrike revealed the identity of the famous hacker USDoD, and today we will retrace how he was discovered with an open source investigation of our own!

On the 22nd of August Tecmundo published an article revealing that “The likely leader of the USDoD group is a 33-year-old man named Luan BG who lives in Minas Gerais, Brazil”. The article also provides a few pseudonyms and social media profiles but does not retrace the sequence of elements that connects USDoD’s official Twitter profile to Luan BG. This article will provide two ways of coming to that conclusion.

For context, USDoD is widely recognized as a very successful hacking group. Last April it was credited with the leak of 2.7 billion records from the US, UK and Canada, including social security numbers, names, addresses, phone numbers, etc.

Let’s find out who is behind it!

Solution 1: using the Twitter bio

Before his suspension last month, USDoD used the Twitter account @equationcorp. The bio of the account was “I protect the hive. When the system is out of balance, I correct it” (29 April 2024).

We found almost the same caption on the Instagram account @zerodaycorp (it has been changed since). That may be a coincidence, but it’s worth looking into.

Searching the name ‘Luan Gonçalves’ led to a deleted Threads account in a cached result: @barbosa.luan_. This account also seems to be involved in cybersecurity.

If there’s a Threads account, there must be a linked Instagram account under the same handle. That account was tagged in a publication by a tattoo artist: the mention has been removed since, but @zerodaycorp is still present among the likes. This likely means that Luan Gonçalves changed his Instagram handle from @barbosa.luan_ (which he used when the tattoo was posted) to @zerodaycorp.

With a bit of dorking trial and error for the pseudonym “barbosa.luan_”, we found the handle on a SoundCloud profile under the name LBG91.
Here Luan describes himself as a “Goa Trance producer from Brazil and CEO and Founder of LBGRecords”. This profile links to a Spotify and a Twitter account, now deleted.

Thanks to a TinEye reverse image search we were able to find Luan’s Medium account: natsec.medium.com. This adds a new pseudonym to our list.

There, an article refers to his publication on the threat intelligence platform AlienVault/LevelBlue Labs.

His name in the author section is consistent with the one we found on his old Instagram handle, and the Medium URL also gives us yet another pseudonym: ‘luanbgs22’.

Thanks to the awesome WhatsMyName we can find a Gravatar account using the pseudonym luanbgs22. And we recognize the same face on the profile picture: this is our guy.

Did you know you can get an email from a Gravatar profile? Thanks to hashtray we found the email luanbgs22@gmail.com.

Now the fun begins! Thanks to Predicta Search, we found a lot of info linked to this email: GitHub, Gravatar, TV Time, leaked data and domains registered using this email.

In the data breach from RaidForums, a hacking forum, we can see that this email is linked to the username ‘LLTV’. Moreover, the email has been used to register blacksuse.org, blacksuse.wiki and blacksuse.systems. The BlackSuse OS is mentioned on Reddit by the user ‘LLTV’.

Coming back to his GitHub account, the bio is “Linux User/Gray Hat/Pet’s lover/Future Ruby Programmer/Os-Dev.”, and looking at his repositories, it seems Luan likes reverse engineering.

Luan worked hard on BlackSUSE: a Linux distribution based on openSUSE.
By searching for BlackSUSE on search engines, we found a post about BlackSUSE from the user ‘ElmagoLoko’ on Hack Forums.

On another post from the same forum, ElmagoLoko posted a link to his GitHub profile, which is… the one we found earlier.

It’s safe to assume that Luan is ElmagoLoko, a reverse-engineering and pentesting enthusiast.

And on yet another Hack Forums post, ElmagoLoko published a Jabber email: ElMagoLoko@hacker.im

This email is mentioned on Guia do Hacker (another hacking forum) by a user called CryptoSystem.

CryptoSystem was active on Guia do Hacker in 2020 and 2021 and posted multiple data leaks: BlackWater, Chinese Communist Party, Cayman National Bank… That’s very similar to what USDoD was doing!

Time to sum up:
1. USDoD has the same bio as the Instagram account of Luan Gonçalves Barbosa
2. He is a music producer based in Brazil
3. Based on his digital footprint, he loves hacking and reverse engineering
4. He has accounts on multiple hacking forums and posted several data leaks
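Every step above pivots on one identifier that was reused across personas: a bio string, a handle, an email, a Gravatar profile. The following script is an added example (not part of the original post, and not one of Predicta Lab’s tools) that turns that lesson into an OPSEC self-audit: given a list of your own account records, it links every record to the identifiers it exposes and reports which accounts collapse into one cluster. It also shows why a Gravatar profile counts as an exposed identifier: Gravatar’s public profile id is just the MD5 of the trimmed, lower-cased email, so anyone who already has that email on file can tie the profile to it. All the sample records are constructed for the example and do not refer to any real person; the `platform`/`account`/`handle`/`email`/`gravatar` record keys are an assumption of this script.

```python
"""Identifier-reuse audit over a set of account records.

Added example, not part of the original post. Each account record is linked
to the identifiers it exposes (handle, e-mail, Gravatar id); records that
share any identifier end up in the same persona cluster.
All sample data below is constructed and does not refer to any real person.
"""
import hashlib
from collections import defaultdict


def gravatar_hash(email: str) -> str:
    """Gravatar's public profile id: MD5 of the trimmed, lower-cased e-mail.

    The derivation is deterministic and documented, so a Gravatar profile
    URL is effectively an alias for the e-mail behind it.
    """
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def identifiers_of(rec: dict) -> list:
    """Identifiers a record exposes, normalised so case differences in
    handles and e-mails cannot hide a match."""
    ids = []
    if rec.get("handle"):
        ids.append("handle:" + rec["handle"].lower())
    if rec.get("email"):
        email = rec["email"].strip().lower()
        ids.append("email:" + email)
        # knowing the e-mail means knowing its Gravatar id as well
        ids.append("gravatar:" + gravatar_hash(email))
    if rec.get("gravatar"):
        ids.append("gravatar:" + rec["gravatar"].lower())
    return ids


class UnionFind:
    """Minimal disjoint-set structure used to cluster linked identifiers."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_accounts(records: list) -> list:
    """Group account records that share any identifier.

    Returns a list of sets of '<platform>:<account>' labels, one set per
    linked persona cluster. A single cluster spanning a 'public' and a
    'private' persona is exactly the failure this article documents.
    """
    uf = UnionFind()
    for rec in records:
        node = f"{rec['platform']}:{rec['account']}"
        uf.find(node)  # register isolated accounts too
        for ident in identifiers_of(rec):
            uf.union(node, ident)
    clusters = defaultdict(set)
    for rec in records:
        node = f"{rec['platform']}:{rec['account']}"
        clusters[uf.find(node)].add(node)
    return sorted(clusters.values(), key=lambda s: sorted(s))


def shared_identifiers(records: list) -> dict:
    """Identifiers that appear on more than one account: the pivots an
    investigator (or a self-audit) would spot first."""
    owners = defaultdict(set)
    for rec in records:
        node = f"{rec['platform']}:{rec['account']}"
        for ident in identifiers_of(rec):
            owners[ident].add(node)
    return {i: sorted(n) for i, n in owners.items() if len(n) > 1}


# Constructed sample (hypothetical accounts): a "public" persona, a
# "private" persona sharing one e-mail with it, a Gravatar profile known
# only by its hash, and an unrelated forum account.
SAMPLE_RECORDS = [
    {"platform": "twitter", "account": "publicpersona", "handle": "publicpersona"},
    {"platform": "soundcloud", "account": "publicpersona", "handle": "publicpersona",
     "email": "Private.Person@example.com"},
    {"platform": "github", "account": "privatehandle", "handle": "privatehandle",
     "email": "private.person@example.com"},
    {"platform": "gravatar", "account": "profile-page",
     "gravatar": gravatar_hash("private.person@example.com")},
    {"platform": "forum", "account": "unrelated", "handle": "someoneelse"},
]


if __name__ == "__main__":
    for group in cluster_accounts(SAMPLE_RECORDS):
        print("linked persona:", ", ".join(sorted(group)))
    for ident, nodes in shared_identifiers(SAMPLE_RECORDS).items():
        print("pivot", ident, "->", nodes)
```

On the constructed sample the four "public", "private" and Gravatar records fall into one cluster while the unrelated forum account stays alone; the reported pivots are the reused handle, the shared email, and the Gravatar id derived from that email. The mitigation the output points at is the one the article ends on: a persona that must stay separate needs its own handle, its own email, and no Gravatar (or any other service) that derives a public identifier from that email.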

Luan Gonçalves Barbosa has since confirmed being USDoD:

If you’d like to read more, find our next article, where we’ll show another way of discovering USDoD’s identity.

Thanks for reading and don’t forget #OPSEC is hard!

🚀 Try our OSINT tools Predicta Search and Predicta Graph right now for free 🚀
