How to discover a major hacker’s identity with OSINT — Solution 2

Predicta Lab
Aug 29, 2024


Predicta Graph

On Wednesday we shared an article showing how to discover the identity of the hacker hiding behind the pseudonym ‘USDoD’ using open-source investigation (read here).

However, there was more than one way to go from the hacker’s Twitter account to his real-life identity, so this article walks through a second sequence of discoveries that does just that.

Solution 2 — using usdod.io

Exploring the archived snapshots of USDoD’s Twitter profile, we find that in April 2024 it listed the domain usdod.io.

Archived copies of the contact page on that domain give us more profiles for the hacker: Telegram, Secret Forum, BreachForums...

The BreachForums profile mentions a Keybase account under the handle ‘netsecofficial’, so we checked whether an archived BreachForums profile existed for that pseudonym.

There is, and it has the same user ID as the USDoD profile!

Since a forum username can be changed but the numeric user ID stays the same, this means the account now known as USDoD previously operated under the pseudonym NetSecOfficial.

But that is not the only pseudonym used by this account, as the history of username changes shows:

Focusing on the ‘NetSec⭐️⭐️⭐️⭐️⭐️’ profile, we find an archive dating back to 2022 in which the Twitter account @NetSecReal was linked.

The account no longer exists, but once again the Wayback Machine saves the day! The archive lets us view the page’s source code and recover the profile’s numeric Twitter ID: Twitter embeds the account ID in the profile banner image URL, so searching the source for “profile_banner” and taking the first sequence of digits that follows gives the ID, as shown below.
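The extraction step described above, as an added example that is not part of the original article or of Predicta Lab’s tooling. It assumes the page source is already saved locally (for instance downloaded from a Wayback Machine snapshot); the HTML fragment, handle, ID and timestamp below are constructed for the example and are not taken from any real archive. The only fact it relies on is Twitter’s banner URL layout, `https://pbs.twimg.com/profile_banners/<numeric user ID>/<timestamp>/...`.

```python
import re

# Constructed sample, not taken from any real archive: a fragment of a Twitter
# profile page as served through the Wayback Machine. Twitter builds banner image
# URLs as https://pbs.twimg.com/profile_banners/<numeric user ID>/<timestamp>/...,
# so the first run of digits after the string "profile_banner" is the account ID.
# The ID, timestamp and handle below are invented.
ARCHIVED_PROFILE_HTML = """
<div class="ProfileCanopy-headerBg">
  <img src="https://web.archive.org/web/20220601000000im_/https://pbs.twimg.com/profile_banners/123456789012345678/1650000000/1500x500" alt="">
</div>
<script>
  var profile = {"screen_name": "example_handle",
                 "profile_banner_url": "https://pbs.twimg.com/profile_banners/123456789012345678/1650000000"};
</script>
"""

# The lazy \D*? skips whatever non-digit text sits between the marker and the ID
# ("s/" in the image URL, '_url": "https://pbs.twimg.com/profile_banners/' in the
# embedded JSON) without swallowing any digits of the ID itself.
BANNER_ID_RE = re.compile(r"profile_banner\D*?(\d+)")


def extract_twitter_user_id(page_source: str):
    """Return the numeric user ID from the first profile_banner URL in an archived
    Twitter profile page, or None when the page carries no banner URL (for example
    a suspended-account placeholder)."""
    match = BANNER_ID_RE.search(page_source)
    return match.group(1) if match else None


def all_banner_ids(page_source: str):
    """Return every distinct ID found, in order of appearance. If more than one comes
    back, the snapshot embeds several accounts' banners (retweets, 'who to follow'
    widgets) and the first hit must be checked against the handle before use."""
    seen = []
    for uid in BANNER_ID_RE.findall(page_source):
        if uid not in seen:
            seen.append(uid)
    return seen


if __name__ == "__main__":
    print(extract_twitter_user_id(ARCHIVED_PROFILE_HTML))  # 123456789012345678
    print(all_banner_ids(ARCHIVED_PROFILE_HTML))           # ['123456789012345678']
    print(extract_twitter_user_id("<html><body>Account suspended</body></html>"))  # None
```

The second helper is the check a practitioner wants before pivoting on the ID: a profile snapshot can contain banner URLs for other accounts, so a single ID coming back is the signal that the first match really belongs to the profile being examined.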

Once we have that ID, we can use it to find previous usernames of the account with Lol Archiver’s tool, since the numeric ID stays constant across renames.

Bingo! This gives us something that looks less like a pseudonym and more like a real name. But let’s keep digging around that Twitter profile.

We also found the Twitter profile @1337_scarface in the archive under the same user ID.

Luckily for us, this user was present in the 200M Twitter data breach together with the email used to create the profile: cryptosystemjobs@gmail.com.

Only one way to go from here: Predicta Search!

With 3 social network results and 27 data breach results there was a lot of information to go through, but most importantly we found a full name on FourSquare and ImageShack: Luan Barbosa/Gonçalves from Belo Horizonte.

Let’s have a look at the leaks: cryptosystemjobs@gmail.com appears alongside the pseudonym ‘xxxStriker’ in the TorrentInvites leak, and that pseudonym in turn appears in the Kaneva.com leak with the email sweet___lu.an@hotmail.com.
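The pivoting logic that runs through this whole investigation, both the earlier “same user ID, different username” step on the forum and the Twitter archive, and the leak chain just described (email → pseudonym in one leak → same pseudonym in another leak → second email), is a breadth-first walk over identifiers shared between records. Below is an added example of that walk; it is not Predicta Lab’s code and does not reproduce any real leak. The records, handles, IDs and emails are all constructed, and each identifier reached is returned with the ordered list of sources that led to it, so the chain can be written into a report and audited.

```python
from collections import defaultdict, deque

# Constructed records modelled on the kinds of sources pivoted through in the
# article (archived forum profile, archived Twitter profile, breach dumps).
# Every value is invented; none comes from a real leak or archive.
RECORDS = [
    {"source": "forum-archive-2022", "user_id": "forum:1001", "username": "handle_one", "twitter": "@tw_one"},
    {"source": "forum-archive-2024", "user_id": "forum:1001", "username": "handle_two"},
    {"source": "twitter-archive-2022", "twitter": "@tw_one", "twitter_id": "123456789012345678"},
    {"source": "twitter-archive-2020", "twitter": "@tw_zero", "twitter_id": "123456789012345678"},
    {"source": "breach-A", "twitter": "@tw_zero", "email": "first@example.com"},
    {"source": "breach-B", "email": "first@example.com", "username": "gamer_tag"},
    {"source": "breach-C", "username": "gamer_tag", "email": "second@example.com"},
    {"source": "breach-D", "username": "someone_else", "email": "unrelated@example.com"},
]

# Fields treated as identifiers. Numeric IDs and emails are strong pivots; a bare
# username is weak (common names collide across unrelated people), so callers can
# drop it and compare the two result sets.
DEFAULT_PIVOT_FIELDS = ("user_id", "twitter", "twitter_id", "email", "username")


def pivot_identifiers(records, seed, pivot_fields=DEFAULT_PIVOT_FIELDS):
    """Breadth-first walk from seed=(field, value) across records that share an
    identifier. Returns {(field, value): [source, source, ...]} where the list is
    the chain of sources used to reach that identifier (empty for the seed)."""
    # Inverted index: identifier -> records that contain it.
    index = defaultdict(list)
    for rec in records:
        for field in pivot_fields:
            if field in rec:
                index[(field, rec[field])].append(rec)

    reached = {seed: []}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        for rec in index[node]:
            for field in pivot_fields:
                if field not in rec:
                    continue
                nxt = (field, rec[field])
                if nxt not in reached:
                    # Extend the audit trail by the record that made the hop.
                    reached[nxt] = reached[node] + [rec["source"]]
                    queue.append(nxt)
    return reached


def emails_reached(records, seed, pivot_fields=DEFAULT_PIVOT_FIELDS):
    """Convenience view: the emails reached from the seed, with their chains."""
    return {value: chain
            for (field, value), chain in pivot_identifiers(records, seed, pivot_fields).items()
            if field == "email"}


if __name__ == "__main__":
    # Start from the newest forum username; the forum user ID carries us to the
    # older username and linked Twitter handle, the Twitter ID to an even older
    # handle, and the breach records from there to two emails.
    for email, chain in emails_reached(RECORDS, ("username", "handle_two")).items():
        print(email, "<-", " -> ".join(chain))
    # Without username pivots the second email is no longer reachable: the hop
    # through "gamer_tag" was the weak link and has to be justified separately.
    strong_only = tuple(f for f in DEFAULT_PIVOT_FIELDS if f != "username")
    print(sorted(emails_reached(RECORDS, ("user_id", "forum:1001"), strong_only)))
```

Running the two variants side by side is the useful habit: anything that appears only when weak pivots are enabled rests on a username collision risk and needs independent confirmation (such as the YouTube self-introduction the article relies on) before it goes into a report.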

Put through Predicta Search, this email gives away more social media profiles: a Google account, another ImageShack account, an empty LinkedIn profile and a YouTube channel.

On that YouTube channel, Luan introduces himself as CryptoSystem in a hacking tutorial published in 2013, confirming the connections we found.

We have therefore traced a path from USDoD’s Twitter account to his identity, through his successive online personas.

Looking back at the investigation, we can pinpoint Luan Barbosa Gonçalves’ main OPSEC mistake and probably identify what gave him away.

His main mistake was to mention his personal Twitter account in his BreachForums bio and to reuse the same email for that account and for other accounts displaying his name.

Authorities can issue legal requests to social media platforms about a profile and obtain information such as previous usernames, emails and the IP addresses used by the profile, which would have given them all they needed to find him. It also means that USDoD could have been identified as early as June 2022, when his Twitter account was listed on BreachForums.

The question remains: what changed recently that got him doxxed?

Thank you for reading!

You can reproduce this investigation and make your own using our tools Predicta Search and Predicta Graph 🚀

