Notorious Super Hacker 'VandaTheGod' Identified After One Facebook Mistake

28/05/2020

Since 2013, 'VandaTheGod' has hacked and defaced many government websites, sold corporate information and dumped many individuals’ credit card information online.

The notorious hacker has certainly carved his name into fame. But unfortunately for him, he has somehow left some trails behind to be sniffed on.

He was said to have left so many clues that could be used to reveal his real identity, especially during the start of his hacking career.

"Ultimately, we were able to connect the VandaTheGod identity with high certainty to a specific Brazilian individual from the city of Uberlândia, and relay our findings to law enforcement to enable them to take further action," said Check Point researchers in a blog post.

Researchers at the Isreali cybersecurity firm said they have forwarded their findings to law enforcement agencies to enable them to take further action, adding that the social media activities on profiles associated with VandaTheGod have stopped towards the end of 2019.

A screenshot shared by both VandaTheGod Twitter account and Vanda de Assis Facebook account
A screenshot shared by both VandaTheGod Twitter account and Vanda de Assis Facebook account, that revealed a particular name that goes with the initial: M. R. (circled in red)

“We started the entire research process after we received a request from one government to assist with finding his real identity,” Check Point’s Lotem Finkelstein said.

The self-publicizing super-hacker has set himself to target of hacking 5,000 websites in his career. Most of his victims were from U.S. and mostly governmental. VandaTheGod also hacked numerous private companies and academic institutions, with targets in more than 40 countries.

On his @VandaTheGod Twitter handle, the hacker housed a tally of those scalps.

Unlike most other hackers who tend to deter following public reports of their hacking activities, VandaTheGod seemed to enjoy the attention the media has given him.

VandaTheGod has been slippery as a fish, as he gathered more and more experience from his hacking attempts.

“The more he expanded his activities, the more we could see him developing new capabilities and showing interest in new hacking fields. He was obviously pleased with the skills he acquired, and made sure to boast about his dubious achievements on Twitter, Facebook and any other platform,” Finkelstein said.

But he apparently made mistakes, that some could be used to trace the hacker back to his real identity.

The method of investigatory thesis by Check Point was fairly simple: look for clues that might help identify non-anonymized social media accounts belonging to the hacker, and then find matches that link those to VandaTheGod.

"VandaTheGod’s major role in several hacking groups, as well as their love of publicity, meant that they stayed in touch with others in the hacking community through numerous social media accounts, backup accounts in case of takedown, email addresses, websites and more. Through the years, this activity left a long trail of information for us to investigate."

For example, the WHOIS record for VandaTheGod.com showed that the website was registered to an individual from Brazil, more specifically from Uberlândia. There, the email address used for registering was also available for the public to see.

"As it happens, in the past VandaTheGod claimed to be a member of the UGNazi hacking group," the researchers at Check Point said.

And the most obvious, was on the several screenshots he made of his web browser.

First, when he shared a screenshot of a hacked account belonging to a Brazilian actress and a TV presenter, the screenshot also showed an open Facebook tab with the name “Vanda de Assis”.

The researchers then cross-checked the content of this Facebook account with VandaTheGod's Twitter account, and found similarities.

“The person behind the VandaTheGod persona operated under multiple aliases, such as ’Vanda de Assis’ or ’SH1N1NG4M3’, and was highly active on social media, primarily Twitter. They would often share the results of those hacking endeavors with the public,” said Finkelstein.

VandaTheGod - M. R.
unique image on Vanda de Assis’ Facebook profile.

Having found similarities, Check Point then compared various Facebook and Twitter accounts looking for further clues.

Eventually, they found another screenshot with a set of initials left unmasked.

The notorious hacker was found to have shared a screenshot that inadvertently revealed a name that Check Point refers to only by the initials: M. R.

VandaTheGod - Vanda de Assis
And the same unique image shared on M. R.'s Facebook account.

“We were able to locate a single account, which contained an uploaded image endorsing the Brazilian Cyber Army,” said the researchers, after succeeded in linking the initials to the Brazilian city of Uberlândia, and pulled all Facebook profiles that matched.

The final step was confirmation.

“At this point, we knew that we were on the right track. All that was left for us to do was to connect this individual's account with one of the known VandaTheGod's accounts. We were able to locate several cross-posts between the newly discovered profile and Vanda de Assis’s Facebook account.”

This was where the researchers found the significant proof to reveal the person behind VandaTheGod.

“Photos of the same surroundings from different angles, specifically, the poster's living room,” posted on the VandaTheGod Twitter account and the named Facebook account. They had exposed the hacker.

Check Point shared its findings with law enforcement “to enable them to take further action,” and since doing so, “many of the photos in the attacker's personal profile that overlap with those shared by VandaTheGod have been deleted.” The VandaTheGod Twitter account has also been inactive since November 2019.

“VandaTheGod succeeded in carrying out many hacking attacks,” added Check Point, “but ultimately failed from the OPSEC perspective.”