Recorded Future’s Insikt Group believe they have answered the question: “Who is tessa88?”. It is a question that has puzzled security researchers since 2016 when the hacker appeared and disappeared over a four month period.
It is not unusual for a hacker to have a stellar rise to fame. However, to crash and burn so quickly and be shunned by dark web communities is unusual.
What makes tessa88 interesting?
tessa88 is linked to the sales of a number of high-profile stolen databases. The databases included those from Myspace, Badoo, Dropbox, LinkedIn and Twitter along with several others. These were the results of a number of complex data breaches and contained data that has since been used in credential attacks on sites.
Although tessa88 offered the databases for sale, there has always been questions as to whether the hacker actually stole the data. In 2016, Recorded Future identified a Russian hacker known as Peace_of_Mind who was also selling a LinkedIn database. His real name is Yevgeniy Nikulin. He was subsequently arrested in the Czech Republic and extradited to the USA over the data breach.
Nikulin and tessa88 got into a public spat through several media outlets as to who stole what from whom. This resulted in tessa88 being accused of scamming a number of other people. This led to several dark web communities acting to block the tessa88 account.
Who is tessa88?
Insikt Group has been able to link tessa88 with a number of different email accounts, Jabber accounts, aliases and a Twitter account. Those accounts and aliases include:
- Aliases: Paranoy777, daykalif, tarakan72511, janer93, stervasgoa
- Jabber accounts: tessa88@exploit[.]im, tessa88@xmpp[.]jp, mrfreeman777@xmpp[.]jp and darksideglobal@exploit[.]im
- ICQ account: 740455
- Email address firetessa@yahoo[.]com.
- Twitter account: @firetessa
- Imgur account: tarakan72511
Having identified all of these, Insikt Group now says that tessa88 is not a female as previously reported by a Russian male. His name is Maksim Donakov of Penza, Russia.
How did Insikt Group identify Donakov?
Like every detective story this is about the analysis and compiling of lots of bits of different intelligence. It started with a hacker called Trax who claimed tessa88 was a man and who posted a picture of an individual they claimed to be tessa88. Trax also pointed the finger at tessa88 for several mega breaches such as LinkedIn, and Yahoo.
The next set of data came from complaints and comments on the dark web. Hackers like to talk and boast about what they’ve done. Recorded Future identified a number of complaints against the various aliases and began to match the data. The use of OSINT (Open Source Intelligence) also yielded a number of clues including aliases that matched those Recorded Future was beginning to track.
Much of the data came from social media sources. Reports of accidents, images, videos on YouTube. All of these created a bigger picture that added to the data pool. Much of the data overlapped. Images of tessa88 standing on a damaged car tallied with reports of an individual being involved in a car accident driving an identical car. Insikt researchers were even able to gather vehicle registration numbers to match to vehicle records.
All of this led to social media accounts on a Russian version of Friends Reunited – Odnoklassniki. It wasn’t long before that data was tied back to police records, telephone numbers and other accounts. Insikt Group were able to track the use of a Bitcoin wallet connected to tessa88 and how the money was laundered to make it disappear.
Why does this matter
There is a belief that hackers are extremely hard to trace once they drop off the radar. That would only be the case if they went completely radio silent. This is not one of those cases. By scamming other members of the dark web community, tessa88 became the target of complaints. This resulted in snippets of data being posted that led to social media.
Combining all those snippets and finding matches between them gave researchers access to much more data than expected. In the end, once they started to find videos, images and social media profiles it was easy to correlate the data.
As more and more people are drawn to the dark web believing that it delivers anonymity this is a timely warning. Anonymity is paper thin. A poorly thought out remark, a reference to something that is recorded elsewhere and the tracking can begin.
Spy novels and TV shows suggest that creating a legend to allow people to assume new personas is easy. This case shows that despite a short career in 2016, those breadcrumbs of data are never lost on the Internet. They are there for the skilled investigator to follow and use to unmask the bad actor.
In the case of tessa88, the unmasking is complete. Say hello to Maxim Donakov