The identity of tessa88, the hacker who sold databases stolen in some of the biggest data thefts in US history from companies including LinkedIn, Facebook and DropBox, has been revealed as a named Russian national by cybersecurity company Recorded Future.
The alleged hacker, from Penza, Russia, is said to have sold databases containing millions of personally identifiable information between February and March 2016 on underground hacker forums.
Timeline for US tech giants
Sales are said to have included more than half a billion username and passwords, which were then used in a number of account takeover, phishing and other cyberattacks.
The comprehensive investigation by Recorded Future found, with a “high degree of confidence”, that their suspect is the man behind the sale of these extensive databases.
The Russian is also believed to have sold data stolen from Badoo, QIP, Rambler, VKontakte and Mobango.
Prolific hacker made $90,000
Analysis of the Russian hacker’s Bitcoin wallet show that he earned the equivalent of at least $90,000 for his criminal activity. His 168 Bitcoins were laundered through peer-to-peer exchange LocalBitcoins.
In May 2016 he was banned from underground forums because of accusations by other members that he was scamming them. Since then, tessa88 ceased all communication with the media and public and their identity has remained unknown until now.
A number of attempts had previously been made to uncover the identity of tessa88, who also went by the online aliases stervasgoa, janer93. Many previously believed that tessa88 was female.
Unmasking tessa88: Investigation timeline
Recorded Future’s threat intelligence group, Insikt Group, used a combination of their own data, open-source intelligence and dark web analysis to uncover tessa88. Here’s how they did it:
|Linking tessa88 to email accounts
Dark web analysis connected tessa88 to multiple chat and email accounts, including instant messaging Jabber account firstname.lastname@example.org. This account was used in sales threads on dark web forums. This led to the Twitter account @firetessa, which featured posts confirming that it belonged to tessa88.
|The first picture of tessa88
A member of the underground community named TraX confirmed that tessa88 is a man behind the LinkedIn, Myspace and Yahoo megabreaches. TraX posed an alleged picture of tessa88 wearing a Guy Fawkes mask perching on top of a car.
|Connected Imgur account
Open-source intelligence led to the Imgur account tarakan72511, which contained screenshots of a discussion with two people, one of who claimed to have the original Yahoo and Equifax database dumps in 2017. The Imgur account also contained a close-up picture of a man who matched the body type and hairstyle of the picture posted by TraX. The picture was captioned “tessa88”.
Further analysis of the dark web revealed that a member of the underground forums named Paranoy777 also used the Jabber username tarakan72511@chatme[.]im. Paranoy777 was also a selling off stolen databases between February and May 2016.
A member of the cybercriminal community lodged a complaint on dark web forums against a Russian-speaking scammer going by the name Daykalif, who also used the Jabber account tarakan72511@chatme[.]im, and was also selling stolen databases. This connects the Jabber account tarakan72511@chatme[.]im to Paranoy777 and, in turn, tarakan72511. Recorded Future concluded that it is likely the same person.
Further analysis of tarakan72511’s Imgur account revealed the user as an “avid” dog lover. A Youtube account with a similar username – Tarakan72511 – showed a video of someone feeding stray dogs. In this video, a voice can be heard stating they are in Penza. Crucially, the same style Guy Fawkes mask worn in the picture posted by TraX can be seen in the boot of a Mitsubishi Lancer.
Taking the name from the YouTube username and running it through Penza records revealed a named Russian national. Running the name through a Russian crime database showed the individual committed several crimes, and was involved in a car accident while driving a Mitsubishi Lancer – the same type of car identified in the Youtube video.
Recorded Future confirmed via confidential sources that their suspect is a real person who spent time in jail in 2014. Further open-source intelligence identified a number of accounts tied to the man on Russian social media site Odnoklassniki. The pictures matched those on Imgur and also included a picture of a Mitsubishi Lancer.
Was tessa88 working alone?
It is unclear if the man identified as tessa88 was part of the Russian cyber gang that stole the main bulk of data in 2012. A 2016 report by cybersecurity company InfoArmor claimed that tessa88 was the seller for the group of hackers.
Andrei Barysevich, director of Advanced Collection at Recorded Future, told Verdict that “it is evident” their suspect “was responsible for monetisation of stolen data.
3 Things That Will Change the World Today
“We have not found evidence that he was the main hacker, though.”
Another name that crops up is Peace_of_Mind. Recorded Future’s report indicates that tessa88 and Peace_of_Mind made an agreement in May 2016 to share some of the databases in a “likely attempt to expedite monteising the massive amount of data between the two”.
However, this relationship seems to have deteriorated, as shown by an interview with Motherboard, in which tessa88 described Peace_of_Mind as a “fagot who takes undue credit” and that tessa88 “shared a dump for analysis! And he started selling it.”
Peace_of_Mind alleged that tessa88 stole the hacked databases from “an old buddy” and started to sell them.
Who is tessa88?
What happens now?
Recorded Future told Verdict that they shared their findings with federal law enforcement “well in advance” of releasing their report.
But is the man believed to be behind tessa88 likely to face any charges?
“We have seen plenty of cases where foreign nationals were indicted for their roles in cybercrimes,” explained Barysevich. However, it remains to be seen whether this individual will face justice.
One such example of extradition for cybercrimes is the closely connected case of Russian national Yevgeniy Nikulin – who some speculate is the hacker known as Peace_of_Mind
In October 2016, the FBI arrested Nikulin for the same 2012 LinkedIn breach that tessa88 profited from. Nikulin was extradited from the Czech Republic in March this year to face criminal proceedings in the US.
His extradition to the US heightened tensions with Russia, who had been fighting the US to extradite him back to Russia.
The upcoming criminal trial in the US of Nikulin will shed some light on the gaps in the story.