Recorded Future claims it has discovered the identity of “Tessa88,” a notorious cybercriminal tied to several high-profile attacks including the LinkedIn and Myspace breaches.
Researchers with Recorded Future’s Insikt Group believe the identity of Tessa88 is Maksim Vladimirovich Donakov of Penza, Russia. According to the vendor’s report, researchers used Recorded Future data, open source intelligence, and dark web analysis to identify the contact information and aliases used by Tessa88. Over the last three years, the Tessa88 hacker profile has been connected to several enterprise breaches and sales of username/password databases.
Recorded Future used dark web activity, multiple chat and email accounts associated with Tessa88, as well as input from “TraX” — another member of the hacker community — to connect Donakov to the Tessa88 profile. But according to the Recorded Future report, what allowed researchers to piece together a profile of the hacker was social media activity, including a YouTube account that combined Donakov’s last name with another Tessa88 alias.
Ironically, some of the information used to identify Donakov included searches of “leaked databases” of personal information that hackers had exposed on the dark web. Those databases allowed Recorded Future researchers to match anonymous user profiles and connect those accounts, as well as other hacker aliases, to Donakov.
“For several years, Tessa88 was regarded as a master impersonator and it was widely believed that the actor may even be a female,” Andrei Barysevich, director of advanced collection at Recorded Future, said in a press statement. “The goal of our research was to prove that even the most skillful and determined criminals inadvertently leave a trail of ‘breadcrumbs.’”
Recorded Future didn’t rule out the possibility that additional individuals were connected to the Tessa88 hacker profile. “It is possible that a second unknown individual was assisting Donakov in maintaining the Tessa88 account, adhering to impeccable OPSEC procedures and until this day remaining anonymous,” the report states. “In either scenario, we firmly believe that Donakov Maksim has directly benefited from the sales of compromised databases and should be viewed as the main actor.”
Barysevich told SearchSecurity that Recorded Future has been in contact with law enforcement agencies about its findings. “Whenever we come across valuable intelligence, we share it with federal law enforcement agencies,” he said. “We are confident that they have this data right now, though we do not have visibility into how or if the data is being used.”
Who’s behind the LinkedIn breach?
Recorded Future has a “high degree of confidence” that Donakov created the Tessa88 hacker profile and was involved in the selling of user databases from LinkedIn, Myspace, Dropbox, Twitter and other companies. However, the researchers are less certain about the role Donakov played in those breaches because another threat actor, known as “Peace_of_Mind,” was discovered offering the LinkedIn database on a different dark web site than the cybercrime forums on which Tessa88 operated.
Citing a 2016 Motherboard article and a report from cybersecurity vendor InfoArmor on the 2014 Yahoo breach, Recorded Future detailed an extensive feud between Tessa88 and Peace_of_Mind over who rightfully owned the LinkedIn account database and who stole it from the other hacker.
Some media reports have connected Russian national Yevgeniy Nikulin to Peace_of_Mind. The Department of Justice indicted Nikulin in 2016 in connection with the LinkedIn breach and then extradited him from the Czech Republic this year to stand trial for an assortment of charges, including three counts of computer intrusion. However, Recorded Future’s report states “the investigation is still pending, and no clear evidence has been produced linking Nikulin to Peace_of_Mind.” As a result, it’s unclear which threat actor was actually behind the LinkedIn breach, as well as the other aforementioned incidents, or if they were involved at all.
“Considering the contradictory information regarding the breaches of the aforementioned companies, it is difficult to identify real tactics, techniques, and procedures (TTPs) applied by the hackers,” the report states. “However, the pending investigation of Yevgeniy Nikulin’s case, tied with the LinkedIn data leak, may shed light on this story and fill the remaining gaps.”