Might be my best sleuthing scoop this year (ah still 30+ days to go!):
Hacker in Snowflake Extortions May Be a U.S. Soldier
Two men have been arrested for allegedly stealing data from and extorting dozens of companies that used the cloud data storage company Snowflake, but a third suspect — a prolific hacker known as Kiberphant0m — remains at large and continues to publicly extort victims. However, this person’s identity may not remain a secret for long: A careful review of Kiberphant0m’s daily chats across multiple cybercrime personas suggests they are a U.S. Army soldier who is or was recently stationed in South Korea.
-
Really nice work!
But...
"However, it is likely that Kiberphant0m’s facility with computers and networking was noticed by the Army, which undoubtedly would have placed them in some kind of role involving both."
That's, um, REALLY not how talent management in the Army works.
-
David replied to BrianKrebs
@briankrebs An interesting application of machine learning may be camouflage recognition—analogous to fingerprint or face recognition. The exact alignment of a pattern to fabric pattern pieces per article of clothing or luggage is presumably unique.
It should be possible to exactly match the pants and/or backpack to those issued to exactly one US soldier, as shown in social media or publicity photos.
-
@venya Thank you! That's comforting.
-
S. G. Tallentyre (🤨 ┻━┻) replied to BrianKrebs
Buttholio. That's a name.
-
S. G. Tallentyre (🤨 ┻━┻) replied to BrianKrebs
Also, you did an outstanding job piecing all of this together, and this just goes to show how it's always OPSEC failures that come back to bite you if anything's going to. He used the same usernames in multiple places each, and would get on one of his accounts and name at least one of the others. Correct me if I'm wrong, but it looked like he used the same string of apparently random numbers in two places, for some reason. I've sent people links to my account here, from other accounts elsewhere that I don't necessarily want associated with this one, and I really thought about it beforehand like, "I'm sure if someone were smart enough and they had enough time on their hands, they could probably dig this up and associate both accounts years later." I'm sure they could, too, but they're not gonna get anything juicy because of that. This dude was using the same Discord account to talk about Escape from Tarkov, tell people he's in the Army, talk about South Korea, and tell people about his hacks. That's asinine.
-
Andrew 🌻 Brandt 🐇 replied to Magenta 🎄 Rocks
@MagentaRocks @briankrebs maybe they're behind 7 proxies!
-
BrianKrebs replied to S. G. Tallentyre (🤨 ┻━┻)
@StephenTallentyre This guy was undone primarily by two things that often trip up people like this: They can't stand it when someone belittles what they do, and often feel the need to prove themselves. Also, they screw someone over -- often over something really insignificant -- and they end up getting doxed over it. In this case, Kiberphant0m ripped a member of the Russian forum Exploit over $350, and the admin listed all other accounts associated with the same cookie. That right there was a Rosetta Stone.
-
@threatresearch @MagentaRocks No, I think this guy's layers go to 11
-
S. G. Tallentyre (🤨 ┻━┻) replied to BrianKrebs
Wow.
-
Catherine is disorganized replied to BrianKrebs
@briankrebs I hear the USDB in Leavenworth makes boot camp look like a five star resort.
-
@briankrebs awesome investigative journalism! I note the mind maps - not my thing (it’s pen-and-paper when I need to think) but it made me wonder: are there other tools you use when linking connections in large datasets?
-
@Kynx a large text-only file