Hacked - Unmasking a Cybercriminal With Open Source Intelligence

Episode Date: November 2, 2024

We wanted to know: How was USDoD, the hacker behind major data breaches, unmasked? On this episode, we trace his journey from infiltrating FBI-linked networks to leaking sensitive data, and hear from OSINT specialist and Predicta Lab CEO Baptiste Robert, who used open-source intelligence to follow USDoD’s digital trail, revealing what law enforcement missed along the way.

Transcript
[00:00:00] It's like, I don't know if it is a word in English, a puzzle. Puzzle. Yeah, but it's like a puzzle. About a month ago, a story broke about 3.2 billion Social Security numbers that were hacked and leaked from a Florida-based data broker called National Public Data. We talked about it on this show. The person behind that hack used the handle USDoD. He had been operating since at least 2020,
[00:00:31] likely earlier. The day before I'm recording this, on October 16th, he was arrested by Brazil's federal police in what they called Operation Data Breach. This is the story of how he was unmasked. USDoD's name is a troll. He adopted it in December 2020 after exposing the data of 80,000 InfraGard members. InfraGard is a collaboration between the FBI and the private sector. USDoD impersonated an InfraGard CEO, got access and compromised the project. His handle, USDoD, was a swipe at U.S. defense agencies. Weirdly, it was not in pissing off the FBI that we see the beginning of his downfall. It was in getting on the wrong side of a private security firm called CrowdStrike. In July 2024, USDoD leaked a 100,000-line indicator-of-compromise list from the company,
[00:01:35] and CrowdStrike swiftly retaliated, doxing USDoD in a blog post. His alleged real identity: Luan G, a 33-year-old Brazilian citizen. Weirdly, CrowdStrike wasn't the first to identify him. In an interview with Hackread, Luan later revealed that another cybersecurity group, Intel 471, had already unmasked him before the InfraGard hack, but it wasn't until that National Public Data breach that his identity became really widely published. The question that all of this raised to me is: if two companies were able to dox this person's identity, A, why wasn't law enforcement? And B, what are the clues that they were both finding?
[00:02:22] In response to all of this, Luan publicly declared his intentions to step away from cybercrime. John Bambenek, a cybersecurity expert, remarked in an interview with Hackread that Luan's announcement could be a tactic to muddy the waters and create a PR smokescreen while he continued to do exactly whatever the hell it is he wants. Luan has since been arrested. So, it's a mess. There's all these big companies pointing fingers at Luan, and there's still that question: what were the breadcrumbs that led all of these
[00:02:56] separate groups right to Luan's door? For me, the answer to that question rested with a guy named Baptiste. Of all the people who unmasked USDoD, Baptiste Robert is the one I was most fascinated by. Baptiste works in open source intelligence, or OSINT, taking information that's openly available for anybody to find and doing the work of turning that into actionable intelligence. Creating intelligence from information you find
[00:03:27] on the internet is complicated, and it's not only, it's not just a question of, oh, I managed to find a tool on GitHub and I do have some information. Yeah, I'm doing OSINT. No. The most important thing in OSINT is to be able
[00:03:43] to analyze what you have to investigate, to understand the bigger story behind something. Baptiste was able to reproduce not just the findings of these other massive cybersecurity companies, but to find the trail of breadcrumbs leading to a person that had apparently evaded law enforcement for years, and then post those findings in granular detail on social media, which is where I found it. It is a remarkable piece of research. The thing I was maybe most fascinated by was how concerned Baptiste is with understanding the whole person, not just their alleged crimes, but them, their whole life.
[00:04:27] Are they a family person? Are they social? Are they isolated? Is this behavior a trend or an exception? And to hold that whole image of the person in their mind, even as they unravel alleged wrongdoings. So I called him up to try and understand not just USDoD, but how people like Baptiste use the trove of public information that's trailing behind an actor like him to try and create a picture of a person that doesn't want to be found. The bad and the good, to find the story in the facts. This is the doxing of USDoD with Baptiste Robert, researcher and CEO of Predicta Lab, here on Hacked. Baptiste, thank you for being here. Thank you for the invitation. USDoD. That's who we're here to talk about.
[00:05:30] Prior to all of this, what had this actor done? Why did people know this name, USDoD? So, USDoD was a very famous hacker since 2022, I think, something like this. This guy did a lot of things. A lot of the data breaches you heard about in the last two years, he was involved in, and one of the biggest data breaches he made was very recently, when he leaked all the Social Security numbers of the US citizens. So this is a very big data breach, and he used to be
[00:06:18] very famous on underground forums and also on Telegram, on the major hacking forums. Yeah, you made reference to the National Public Data breach, in which a great deal of Social Security numbers and personal information were leaked to data brokers. A lot of damage done from that. There was the Airbus breach. There was the CrowdStrike breach, an earlier one, a LinkedIn breach. This actor, in spite of all these very, very high-profile attacks, USDoD managed to stay anonymous for a very long time. In spite of everything that you were able to find during your investigation, how is it that you think that he was able to keep below the radar in spite of these very, very high-profile attacks and this very visible trail of breadcrumbs leading to him? So this guy was very, was super visible for sure in the hacking ecosystem.
[00:07:17] So, I mean, everyone knows his name for sure. The thing is, when you create a new persona, when you create a new identity like USDoD, you need to be careful of everything, like really everything. You need to be careful when you create a new profile on social networks, and you need to create a new email,
[00:07:51] to be careful of the IP you used, everything. So this is what we are calling OPSEC, so operational security, and OPSEC is super complicated. The thing is, cybercriminals always leave some traces behind, and you are always able to find
[00:08:15] their real identity, because at one point they forget something, they missed the fact that this phone number was linked with a previous profile, with their real identity, something like this. So, yes, he used to target some very high-profile companies and people, but he made a lot of mistakes, to be honest. And this is why we managed to find him. But we were not the first to find him, for sure. The real question, and this is something we will raise in the future:
[00:09:00] I'm pretty sure the FBI was able to find him almost two years before. But I don't know why they did nothing. So I don't think his identity was super complicated to find, but for some reason, no one talked about it. Interesting. I wonder why that is. It's such a high-profile person doing such high-profile things, and yet the evidence was
[00:09:28] right there. The thing is, he managed to, he is behind a lot of data breaches, but he was not a super sophisticated hacker. So sometimes for the public, it can be super impressive. Okay, you hacked, with your hacks, National Public Data. Oh, this is crazy. But at the end, the technicality behind these hacks is not that crazy. So this guy was good, for sure.
[00:10:01] He managed to do a lot of things, a lot of data breaches. But he was not a super skilled hacker. And in general, a good actor is someone who is not super public, who is not visible. A good hacker is someone super discreet. He doesn't want to be seen, because if you are seen, it means you are losing your access to your victims. So this guy was seeking some fame, for sure. And this is why, how can I say that?
[00:10:43] Ego is one of the biggest motors for the hackers. So in general, authorities, law enforcement manage to catch cybercriminals because they are pretty young, very motivated by ego, by fame, by money. And because of everything, they are not in control of what they are doing. And if you are motivated by this kind of feelings, you will make a lot of mistakes. And with only one mistake, sometimes we manage to find your real identity. Sure. He seemed to want to make a name for himself at something that you don't really want to make a name for yourself at.
[00:11:37] So we're here talking about an unmasking that you kind of took part in and shared because it's fascinating. I wonder if you could just take us through that, beat by beat. How did that, where did it start? What was the first clue you found? And just take us through the whole thing. So in order to find his real identity, you need to put the investigator hat on and to try to follow his steps. So what I started to do with my team is to just list all the information we have about this guy, all the public information we have.
[00:12:25] So this guy was very famous on Twitter. He was very famous on a hacking forum called BreachForums. So his profile was available publicly. And with this information, you were able to find a previous version of all of his profiles. What you have to understand and keep in mind is that the Internet has a memory. So everything is archived somewhere by someone, and you have some public archives. For example, you have the website called Archive.org,
[00:13:11] which is crazy. This website is just awesome. You can find a lot of things. And for one website, you can find the previous versions of this website archived by people. I mean, you can find a lot of different versions. So what we did is we listed all the information we have: his Twitter profile, his website, his profiles on hacking forums.
[00:13:51] We extracted all the information contained in these profiles. So some links to messaging applications, links to Telegram profiles, this kind of thing. We also consulted the previous versions of his profile, so we went to the archive, and we managed to make some links to a Twitter, to one of his previous Twitter accounts. And it was his first big mistake, because what you have to understand too is, before being a cybercriminal, before being a criminal, this is not something you plan in advance. So this kind of guy in general is some geeky guy, fond of computers. They had some passion for computers,
[00:15:05] for security, for reverse engineering. And so when they are a teenager, they are talking on forums, they create profiles. I mean, like us. When they discover computers, they start to create a digital life. But then life goes on.
[00:15:30] They decide to be a cybercriminal and they create a new identity. But still, a lot of the time, they create their cybercriminal identity based on the previous identity, based on their real identity. So we used, with Predicta Lab, to track some cybercriminals, and what we can find is there is always a way to track what they did in the past. And for USDoD, this is exactly the same thing. We can find his passions. For example, this guy is producing some music.
[00:16:16] So he loves some techno, techno music. I don't, this is not my show, I don't know the precise style of music, but this is some techno thing. He also, we were able to find his first nickname on the hacking forums because, I mean, before being very good at what he is doing,
[00:16:42] 10 years ago, he was just a script kiddie publishing some YouTube videos and just explaining how to hack something. It was super basic, but still, this video is still here. And also, because even if you are a cybercriminal, you have a life, you can have a wife, you can have a husband, you can have kids,
[00:17:10] you can have some pets, and so we were able to find a, I think it was a Foursquare profile, and this guy was kissing his dog. So it was a small puppy on his profile picture, this guy is kissing the dog. So you have the image of cybercriminals. This guy was talking a lot. Yes, I'm a very strong cybercriminal.
[00:17:40] No one will be able to catch me. Foxy, FBI, blah, blah, blah. And at the end, you can find his Foursquare profile with him kissing his dog. So reality, the real life, is always more complicated, because you have a life before being a bad guy. You can find all the digital footprint. And what people have to understand is,
[00:18:14] when you are good at OSINT, open source intelligence, a good OSINT investigator will be able to find a lot of information about you, about all your digital traces, and a good investigator will be able to understand your life history. So based on the digital footprint you leave, you will be able to understand, okay, so during this year, in this year, he was producing music, he was living here. Then he started to go to hacking forums, so he created his first identities, he published some videos on YouTube, and then he was trying
[00:19:14] to sell some services. Interesting. It's something we hear a lot, that the mistake that ends up catching someone is the mistake they'd made long, long before the thing that they're being caught for. How much, I'm struck by, you know, figuring out that this person liked to post to YouTube, that they like to make some kind of electronic music, that they love their dog. How much, when you're doing OSINT, is it about the tangible details versus that sense of who they are as a person, holding that in your head and really
[00:19:49] understanding who this person was? This is complicated. This is always complicated, because when you are working on a case, you are, obviously, there is one big person of interest. Here, this is USDoD, but this guy has a family. So this guy has a wife. I think he has some kids too. And you cannot start your investigation saying, okay, this is a bad guy.
[00:20:27] He deserves what he got, blah, blah, blah. No, this is complex, because life is complicated. You can make some mistakes. And when you are working in cybersecurity, you can talk with a lot of cybersecurity professionals, and you will see that in their past, they did some stuff. Some blurry stuff, let's say like this. Because when you are working in this field,
[00:20:59] you have some skills, and you want, and when you are young, you want to test. You want to test. You want to prove that you are the best. And the difference between becoming a cybercriminal and becoming a cybersecurity professional
[00:21:20] is not that big sometimes. It can be your wife, it can be your kids, it can be your education, it can be the fact that you have a good situation or not, people you met, it can be,
[00:21:39] I mean, life is complicated, and you have also the right to make some mistakes and to take some bad decisions. So when you are investigating a cybercriminal, I'm trying to stick to the facts and to what I'm able to find. The issue you have when you are doing some OSINT investigation, so based only on digital traces,
[00:22:08] is you have to be sure that the information, the account you found, is really the account of the person of interest. And for this, it can be a little bit complicated sometimes because, for example, I'm using the username fs0c131y. But I'm not the fs0c131y on all the websites, because when I started to become famous in my field, people started to create accounts with my username. And for example, I do have an account on OnlyFans,
[00:22:50] but this is not me, obviously. A guy from India created an account with my username. So you need to be really careful. You need to be really careful when you do an account investigation, because you will find a lot of information, but then you have to be sure that you linked, you are talking about, you are following the correct lead. So what I want to do, what I want to emphasize, is you can have the capacity of extracting a lot of data, and this is why on the internet you will find a lot of APIs, tools,
[00:23:43] methodology in order to get data. Then you have to be able to analyze, to quantify the quality of the data you are able to extract. And for this, there is some methodology to give a rating to the information, to the data you have. You need to be able to quantify the reliability of the data and the quality of the data, and also the source of the data. So if someone you cannot trust gives you some data, even if the data is super cool, this is a me. You don't know.
[00:24:38] So you need to be super careful. And also when you go to a court, to the justice, this is another story, because everything needs to be, you need to be able to repeat everything. All the steps need to be public, need to be redone if necessary. And for this,
[00:25:03] you need to link. You need to have a source for all the information you have. You need to archive everything. So this is super important, to preserve all the links, all the proof you have. Yeah, I was struck by how thorough the documentation, even in your public posting about this OSINT project, was. Right at the same time as you came out, I think shortly prior, CrowdStrike published a piece saying that they were pretty sure that they figured out who USDoD was. As you talked about earlier, it was inevitable that the FBI was probably looking into this actor as well. Your project was an OSINT project. It was stuff that was just
[00:25:46] out there in the world. How did your work differ from potentially what CrowdStrike was doing, what other parties were doing to figure out who this person was? So the real story is, one morning, I find a post, I just read a post on Twitter about the Portuguese,
[00:26:12] I think it was a Portuguese article saying, we managed, an anonymous source gave us a report from CrowdStrike. This report
[00:26:28] says this guy USDoD is called blah blah blah, he has an Instagram account, and in this article, this article was not that good. They wrote some information about USDoD, but it was super incomplete. There was no source at all. And I read this article and I was like, okay, this is interesting.
[00:26:59] I can smell something. This is interesting. If they managed to find this guy, I am probably able to do it too. So I will start to find it with my tools, following my way, but I want to source everything. I want to have a clear, logical way to find him. So I started with my team. So we were three people from Predicta Lab working on it. And I mean, 10 hours later, we managed to redo all the analyses and to find a lot of information about him. And then the day after, I was not that happy, because I wanted to find another way to find him.
[00:27:56] And I managed to find a second way to find his real identity. So this guy made a lot of mistakes. And when I did this work the second day, so as I was saying before, the biggest issue this guy made is he converted his Twitter account, his personal Twitter account, to the USDoD Twitter account.
[00:28:27] So everyone knows this USDoD account. So this Twitter account was used before with an email address. And when you search this email address on data breaches, you are able to find a lot of personal information about him, and this is how you can find him. But I'm not from law enforcement, and law enforcement has a special power, obviously,
[00:28:58] and they were able to make a request to Twitter to ask for some information about this Twitter account a long time ago. So by making a request to Twitter, they were able to get some IPs, the previous usernames used by this guy, but also this email. And when you have this email,
[00:29:24] you can search on data breaches and find everything about him, find where he is living, his name, and everything. So this is why I don't really understand why this guy is still free. It's probably due to some geopolitical reason. I guess there is no treaty between the US and Brazil, and this is probably why they did nothing. But I published this Twitter thread a few weeks ago now,
[00:29:56] and I am pretty sure the FBI knew who this guy was a long time before. Think about the last time you heard a breach story on this show. It always starts the same way. Someone somewhere saw something too late. An alert buried, a signal missed, a SOC that just couldn't keep up. Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI. They created the Aurora Super Intelligence Platform,
[00:30:32] a fully agentic system powered by the swarm of experts. Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire workflows. Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy, and all of this is running
[00:30:50] on their secure operations graph, a constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week, and over a decade of real-world incident response. The system reasons on real signals and real context, not synthetic training data. And the result is the new Aurora Agent SOC. It's the first SOC that is agent-led by design. You get agents that coordinate, agents that investigate,
[00:31:12] agents that respond at machine speed, and hundreds more that automate the repetitive work that normally buries human analysts. Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the model entirely. What makes it even more effective is how it works with their own Arctic Wolf concierge experience. The team brings customer-specific context directly into the platform so every AI-driven decision reflects your environment instead of generic assumptions.
[00:31:37] The automation frees your concierge security team to focus on higher-value strategy and proactive risk reduction while the agents handle the grind. If you want to see what trustworthy, production-ready AI in security operations actually looks like, go to arcticwolf.com/hacked. Ever feel like cyber threats are evolving faster than anyone can keep up? Last year, 2025, was nothing short of a record-breaking year for major breaches, from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their head. Organizations around the world saw headlines they never expected, and cybersecurity teams
[00:32:13] were tested like never before. But here's the thing: these incidents aren't just news headlines. They're learning opportunities. And that's why Arctic Wolf is hosting a live webinar on February 5th, diving into the most impactful breaches of 2025. Their field CTO and security leaders are going to unpack not just what happened, but why these attacks succeeded, and most importantly, what businesses can do to fortify their defenses before it's too late.
[00:32:37] You're going to walk away with real insights into how threat actors are evolving, how defenders are responding, and what strategies can help you stay ahead of the next big breach. It's not fear-mongering. It's practical, actionable intelligence from experts in the trenches. Register now at arcticwolf.com/hacked. He's also been posting since all of this happened. Have you been following his response to this identity becoming public? So when it happened, when the Portuguese newspaper published the article,
[00:33:17] so a lot of media attention, he received a lot of media attention saying, is this true or not? Are you this guy? And I think the article was published in the morning for the French. And at the end of the day, he confirmed to one of the US newspapers that, yes, I am this guy. I will not hide. So if the authorities want to meet me, there is no issue. I'm not a threat,
[00:33:53] and I can help you, and I will not hide, and I will assume what I did in the past. A few days after that, he did some modifications on his Instagram account, which was a way to find him also. So it was the second way to find his real identity. And also he locked his Facebook account. So he did some modifications, but to be honest,
[00:34:32] this guy was not super clever, because there is still a lot of information about him on the internet. And as we said earlier, it seems as though the mistake that gets you caught is the one you already made. So locking down an account moving forward doesn't do a whole lot. But I know for a fact that this guy, a lot of people tried to dox him before, because, you know, the hacking community is weird. You have a lot of young people trying to take the lead.
[00:35:11] And when someone is super public, famous like USDoD was, they want to take him down, basically. And so a lot of people discussed with him before, a long time before that, and they warned him saying, okay, guy, we can find your identity. You did some mistakes, blah, blah, blah. But he did nothing.
[00:35:38] He didn't correct it. So he was not really hiding. Before we kind of wrap up, is there anything about the story that I haven't asked you about? Is there like a big element to this that we didn't get to? What we can bring to people, to listeners, is, so this guy was a very famous hacker for two years.
[00:36:01] He leaked a lot of information, but he was not super skilled. He was not really hiding. A lot of cybersecurity firms managed to find his real identity, but at the end, he was able to do what he was doing. So life is complicated. Publicly, this guy was super strong, was threatening the FBI, saying no one will be able to catch me, blah, blah, blah. But in reality, this guy is not very happy.
[00:36:46] And it's super important for listeners, and especially young people who love cybersecurity, who want to work in cybersecurity, that it doesn't pay at the end. Maybe if you choose to be a cybercriminal, you will get a lot of money, but at one point you will lose everything, all your life, personal life and also professional life. It isn't worth it. So it's super important for young people, for people in cybersecurity, to understand that, okay, it can be sexy sometimes.
[00:37:26] Yes, this guy managed to do big data breaches, for sure. But at the end, he will lose everything, and he will face some, he will probably go to prison at one point, to jail at one point. So be careful of what you are doing. Be a cybersecurity professional. It's super cool.
[00:37:53] We have a lot of things to do legally. And so don't hesitate to make the correct choice. For anyone who's looking to get into OSINT for the first time, kind of on the side that you're on, on the side that doesn't have people like you looking into you, what do you recommend? We have a lot of folks that are interested in this field. Where should someone who likes OSINT start?
[00:38:16] So, OSINT is complicated. You have to understand what OSINT is. OSINT is an acronym for open source intelligence. Open source means publicly accessible, and intelligence is a super strong word with a big background, with a real meaning, and a lot of history behind it. Working, I know in the US
[00:38:49] a lot of people have a military background, more than in France or Europe in general. And being from the intelligence community is super different from being from the real world. Let's take it like this. And so creating intelligence from information you find on the internet is complicated,
[00:39:16] and it's not only, it's not just a question of, oh, I managed to find a tool on GitHub, and I do have some information. Yeah, I'm doing OSINT. No, the most important thing in OSINT is to be able to analyze what you have to investigate, to understand the bigger story behind something. So if you want to go into OSINT,
[00:39:42] you need to be logical more than technical. And being technical is important. You will be able to create some tools, for sure. But at the end, if you have a lot of information and you don't know what you have in front of you, it doesn't matter. That's fascinating. It's about being able to, as we were talking about,
[00:40:09] hold the person behind this data that you're finding in your head as they come into clearer and clearer, you know, image relief? Yes, it's like, I don't know if it is a word in English, a puzzle. Puzzle. Yeah, but it's like a puzzle. I mean, when you are watching a movie, you see the investigator trying to understand what
[00:40:41] happened, and at the end this is super clear. Okay, this guy is guilty, he did that, blah, blah, blah. But in real life, it's more complicated than that, because you have everything, you have a lot of data, but you need to, your brain must be able to make the correct links. You need to understand the situation based on data, which can be incomplete, and you need to sometimes try some stuff, try some hypotheses, be wrong a lot, and come back, try to find more data and understand what happened. So it's complicated, because life is complicated, and it's not just black or white, because life is not
[00:41:33] black or white. If you want to work in OSINT, this is passion. This is really a passion. You will learn a lot of things. You will work on a lot of different
[00:41:47] topics, because, I mean, I met a lot of cool people and worked on different stories, but you will also work on horrible stuff
[00:42:03] sometimes, because this world is made of horrible people sometimes, horrible crimes. And we need, as a society, people to investigate and to do this work. And this is why the work of law enforcement all over the world is super important, because we need these guys to do their work and to catch the bad guys. So OSINT is just a small part of what law enforcement all over the world is doing. It's cool that some citizens can do it.
[00:42:40] But be careful of what you are doing, because with great power comes great responsibility, as always. Baptiste, this is a fascinating investigation. It was great to read about. And thank you for sitting down and taking me through it. This was a very fascinating conversation. Thanks to you. Cheers.
