The unmasking of threat actor USDoD


Less than a month after my interview with the infamous hacker USDoD, he was unceremoniously de-anonymized as Luan Goncalves, a 33-year-old man from Minas Gerais, Brazil. His OPSEC was laid bare for the world to see when Baptiste Robert, CEO and founder of Predicta Lab, used his company’s OSINT tools to break down the walls of his anonymity and expose his true identity.

This is a testament to the power of Open Source Intelligence (OSINT), where a good eye for recognizing patterns, attention to small details, and the right tools can connect the dots and expose careless mistakes.

During the weeks leading up to his de-anonymization, I exchanged private messages with USDoD, both to refine the interview into a factual resume and to engage in occasional idle chatter. Our conversation took a dark turn, as I gradually realized that he was a man surrounded by enemies, both known and unknown.

This is the story of his unmasking, which leaves an ominous mood lingering in the air. He seems to understand clearly that his time as a hacktivist is coming to an end and that chains await.

Once captured, to say he is facing extradition to the US is an understatement.

The hacking journey: a recap

USDoD’s claim to fame occurred in 2022 during the aftermath of a major data breach of InfraGard, a national non-profit organization partnered with the FBI and the private sector, aimed at protecting US critical infrastructure. The hacker dumped data on 80,000 InfraGard members.

This attack was then followed by the leak of 3,200 Airbus vendors' names, contact information, email, and mailing addresses. Airbus is a multinational aerospace company and the second-largest commercial aircraft maker in the world, and it has many partnerships with defense and security agencies.

USDoD breached Airbus using stolen employee login credentials from a Turkish airline, which he reportedly found in stolen data logs. These are often sold by shady data brokers, either for a price or for favors. He leaked the Airbus dump on BreachForums, along with what appeared to be a threatening message aimed at Lockheed Martin and Raytheon, a defiant gesture that speaks to his love for the challenge.

On April 8th, USDoD made international headlines after he claimed to have accessed 2.9 billion private records on individuals from Canada, the UK, and the US, including social security numbers on Americans from National Public Data, a US-based data broker that offers personal information such as background checks to employers.

Then, he reportedly attempted to sell the data dump for $3.5 million but decided to advertise it free of charge on an online exchange for hijacked data. Interestingly enough, the sum of those populations only adds up to around 440 million. Nevertheless, the data was real and contained encrypted records of names, mailing addresses, and social security numbers.

On July 24th, USDoD posted on BreachForums that he had leaked CrowdStrike's “entire threat actor list,” including the claim that he had obtained their “entire IOC (indicators of compromise) list” and intended to release it.

He also claimed to possess two large databases, one from an oil company and one from the pharmacy industry. Given the data breaches USDoD has claimed involvement in, one might surmise that his prowess at illicitly retrieving databases and monetizing them derives more from data brokers and less from security exploitation. This might also explain why there does not seem to be a discernible pattern in these attacks.

Following the breadcrumbs

Whenever hackers are driven by clout, their internet footprint gets bigger, which also creates an atmosphere of pressure and expectations to hit bigger targets, especially when all eyes are on them.

Baptiste Robert, accompanied by another researcher, began searching for artifacts left behind carelessly by the hacker. There were many. Armed with Predicta Lab's Predicta Search tool, they were able to track USDoD's digital footprints and cross-reference them for neglected artifacts and similarities across a broad range of websites. These, in turn, offered significant clues that, when pieced together, painted a picture of his life and his personal interests.

[Image: USDoD-TA]

Before USDoD’s X account @EquationCorp was suspended, his bio said, “I protect the hive. When the system is out of balance, I correct it.” The phrase isn’t entirely unique, as it’s a quote from the 2024 action thriller film, The Beekeeper, which follows the story of an agent in a classified program called Beekeepers.

His Instagram profile, zerodaycorp, previously known as Barbosa.luan, contained the exact same phrase and displayed a photo. The account follows the official CIA Instagram profile as well as policiafederal, the official Instagram profile of Brazil's federal police.

[Image: Instagram profile]

Baptiste Robert then posted that this same Instagram profile was mentioned on the SoundCloud profile LBG91, which bore a different image of the same individual. LBG91 no doubt stands for Luan Brazil Goncalves. Additionally, the researchers uncovered his Spotify profile, which was marked with a blue checkmark as a verified artist.

[Image: LBG91 SoundCloud profile]

Now with a couple of searchable photos, the researchers ran them through the reverse image search tool TinEye, which searched over 69.9 billion images and returned several results. These connected the same image to a Medium account, a cybersecurity blog under the name NatSec, which mentioned the same Instagram account.

[Image: NatSec Medium blog]

This same Medium username was previously registered to @luanbgs22.

[Image: Malware campaign]

From there, a username search with WhatsMyName.App revealed a Gravatar account and the email address associated with it. This also linked the researchers to a different picture of the same individual.

[Image: Gravatar account]

This one revelation alone provided an overwhelming number of connections to other accounts relevant to unmasking USDoD's identity. Using the PredictaSearch.com OSINT tool, the researchers discovered dozens of nexus points of information, all leading to the same conclusion: USDoD's, or should I say Luan Goncalves's, OPSEC was terrible.

[Image: USDoD identity]

From a GitHub repository under the name Luan to a user account under the alias ElmagLoko on Hackforums, which was in turn connected to an online dating profile, there were artifacts everywhere tying the accounts together, which meant they all belonged to one and the same person sitting behind the computer.

When all the data gathered in the hunt is put together, Luan is, in fact, USDoD. He even confirmed it himself in an exclusive interview on HackRead.com. That confession places him in the crosshairs of law enforcement. What he does next has not yet been formally ascertained. But for someone who has gained access to highly sensitive databases, I would not be surprised if he's holding a bargaining chip for such a day.

Admitting defeat

USDoD offered the following statement to HackRead.com:

“So congrats to Crowdstrike for doxing me, they are late for the party, intel421 Plus and a few other companies already doxed me even before the Infragard hack. I want to say thank you, it is time to admit I got defeated, and I will retire my Jersey. Yes, this is Luan speaking. I won’t run, I’m in Brazil, the same city where I was born. I am a huge valuable target, and maybe I will talk soon to whoever is in charge, but everyone will know that behind USDoD, I’m a human like everyone else, to be honest, I wanted this to happen, I can’t live with multiple lives and it is time to take responsibility for every action of mine and pay the price doesn’t matter how much it may cost me. This is not my end. Thank you, see you around. Don’t worry, Brazilian authorities, I’m coming to meet you, I’m not a threat, in fact, I can do much for my country.”

Years ago, I myself was on the receiving end of law enforcement, and although I felt I was someone of great importance, I wasn’t willing to pay the price by giving the government what it wanted. I chose the chains rather than whatever deal was on the table.

Like USDoD, I was glad the FBI de-anonymized me, which resulted in my arrest. I resonate deeply with his statement and with his explanation for why he did what he did. Living with multiple lives and personas is ultimately a great burden.

I was glad my mask was coming off, which meant I had to face myself. Furthermore, his message alludes to the possibility of him searching for or already possessing that proverbial ‘bargaining chip.’

In the weeks before his identity was revealed, I exchanged words with USDoD over Telegram. He seemed like a man who knew his time was coming to an end, although at the time, I interpreted his erratic behavior as someone who was encompassed on all sides by enemies, both known and unknown. Whether this had any relevance to the circumstances that unfolded is anybody’s guess.

The attitude behind "This is not my end" stands out in particular because it suggests that, although he was defeated in this round, he plans to return as a better version of himself. The journey it takes to get there has yet to be written. No matter what happens, he will be forced to adapt as an uncertain future unfolds, one that makes its own demands upon those who must traverse it.

Is this the end of USDoD?

Absolutely not.

In fact, I’ll bet this was only the beginning chapter of a greater story.

Hackers change hats as our motives take new forms, especially when we have more at stake to lose. But at the end of the day, we can never stop being hackers. Because it’s not the computer that defines what we are, but the mind of the individual that operates it.