USE CASE: Investigating a LockBit affiliate

Predicta Lab
4 min read · Feb 22, 2024


On February 20th, the FBI and the U.K.’s National Crime Agency (NCA) Cyber Division revealed the product of a years-long investigation they carried out on the ransomware group LockBit. As a result, the individual Ivan Gennadievich Kondratyev, a.k.a. “Bassterlord”, has been added to OFAC’s SDN list (an international sanctions list).

The official release gives us an email address for the individual, which prompted Predicta Lab’s @fs0c131y to pull the thread of an open source investigation. This article summarizes his thread and shows how much information Predicta Search can lead us to when starting from that single email.

Let’s investigate!

Who is Bassterlord?

According to Jon Di Maggio from Analyst1:

  • Bassterlord is a ransomware affiliate who runs his team, known as the National Hazard Agency. Originally, he was a junior team member, but as time progressed, he moved up the ranks and is now its leader.
  • Bassterlord partnered with at least four ransomware gangs: REvil, RansomEXX, Avadon and LockBit.
  • Bassterlord is a Caucasian male around 27 years old, born, raised, and living in Lugansk, Ukraine. He operates on Russian underground forums under the monikers “Fisheye,” “Bassterlord,” “Buster,” and “National Hazard Agency,” which is also the name of his team.

Using Predicta Search to investigate

First things first, I searched the email sinner4iter@gmail.com on predictasearch.com. It gives us a lot of online profiles.

In the data breaches tab of the report, we can see that his email was in a Twitter leak. It gives us his Twitter handle, @It9111.

The email is also in the 000webhost leak (2015), which gives the following location: Bryanka, Luhansk Oblast, Ukraine.

He also has an ok.ru profile linked to this email.
It gives us a new user name, a date of birth, a location and one of his previous schools.

Pivoting with name

A user with the same name as the ok.ru profile left a review about a dental clinic in Новомосковск.

The ok.ru profile states that he lives in Алексинский район. The dental clinic address is Россия, Тульская область, Новомосковск, Комсомольская улица, 36/14, 1 этаж.
This is pretty close!

In multiple leaks his personal address is available: Россия, Тульская обл, Новомосковский р-н, г Новомосковск, 301664, Маяковского ул, д. 10/2, кв. 59. And yes, it’s a 12 min walk to the dental clinic.

This is why I love OSINT! In multiple online profiles our guy used the name “Koyerd Uhvwi”. If you search this name, you find this YouTube channel.

If you go to the playlist tab, you will find an unlisted video. Look who has a nice new LockBit tattoo!

After a bit more digging around in the leaks, a friendly Twitter user found his VK profile which, although it is now deleted, can be found in its older versions on the archiver vk.watch. A lot of info can be found there: his name and DOB are identical to those we found in the leaks previously.

We can also find that our friend was looking for love. Face, name, age and region are consistent with what we found before.

With the help of the @PredictaLab relational graph, we mapped (almost) all the info found during our investigation:

This brief investigation shows how much information can be obtained from a single lookup on Predicta Search and how quickly you get to an overview of the digital footprint attached to it.

Try it now!

THE END
