Arrests, RedLine & META Infrastructure Takedown, and MOVEit Leaks

The cybercrime ecosystem has had a lot happening in the past few weeks, as always. We’ve got you covered. 

Dive into the most pressing recent stories on data leaks, cybercrime, and the dark web with security researcher Nick Ascoli on the podcast Leaky Weekly.

On this episode of Leaky Weekly, Nick covers:

  • USDoD arrest
  • Judische/Waifu (Connor Moucka) arrest
  • RedLine infrastructure takedown and arrest(s)
  • MOVEit leaks

Tune in for current events on the Spotify or Apple Podcasts episode, or keep reading this article for the highlights:

USDoD Arrest

The well-known hacktivist USDoD (no affiliation with the U.S. Department of Defense) has been arrested by Brazilian authorities following a long career of leaking stolen data from various victims. Most recently, he attempted to broker the sale of National Public Data’s massive database of personal records.

Security researcher Baptiste Robert, working with another researcher, used Predicalab’s Predica Search tool to follow a trail of breadcrumbs that led them to USDoD’s identity.

  1. USDoD’s Twitter account, “equationcorp,” has a quote from the 2024 movie The Beekeeper, “I protect the hive. When the system is out of balance, I correct it.”
  2. Searching this quote in the description of other social media profiles revealed an Instagram profile with the username “zerodaycorp” and name Luan Gonçalves, with an actual picture in the profile image.
  3. This Instagram profile link is embedded in a SoundCloud profile with the username “LGB91.” That profile also has another photo of USDoD which, when reverse image searched, points to a Medium account registered to “luanbgs22.”

This and many other points of connection tie Luan Gonçalves to USDoD.

USDoD claims CrowdStrike revealed his identity, and spoke about it in an interview with Hackread:

“So congrats to Crowdstrike for doxing me, they are late for the party, intel421 Plus and a few other companies already doxed me even before the Infragard hack. I want to say thank you, it is time to admit I got defeated and I will retire my Jersey. Yes, this is Luan speaking. I won’t run, I’m in Brazil, the same city where I was born. I am a huge valuable target and maybe I will talk soon to whoever is in charge but everyone will know that behind USDoD I’m a human like everyone else, to be honest, I wanted this to happen, I can’t live with multiple lives and it is time to take responsibility for every action of mine and pay the price doesn’t matter how much it may cost me. This is not my end. Thank you, see you around. Don’t worry Brazilian authorities, I’m coming to meet you, I’m not a threat, in fact, I can do much for my country.”

He was unmasked around August 23rd, and then was arrested a few weeks later on October 16th. 

His message is interesting, and may imply that he would cooperate with law enforcement in the future. However, its interpretation is not completely clear at this time.

Judische/Waifu (Connor Moucka) Arrest

The threat actor Judische/Waifu, who was behind the campaign that used stolen credentials from stealer logs to target about 160 Snowflake tenants that did not have multifactor authentication enabled, was arrested in Canada.

The threat actor Judische, otherwise known as Connor Moucka, has claimed to have compromised various targets in the last year, including major banks, telecommunications companies, and more.

Since Moucka was arrested at the request of the United States, which is seeking his extradition, most news sources expect that he will eventually face trial in the U.S. According to the official indictment, there were co-conspirators:

  • John Binns was arrested in Turkey after the U.S. indicted him for hacking T-Mobile in 2021. He has been a threat actor for a while, and operated a very large botnet, but is now in a Turkish prison allegedly fighting to avoid extradition.

In a conversation with security researcher Brian Krebs, Moucka confessed that he believed law enforcement was coming after him and the co-conspirators. He also claimed to have made at least four million dollars from the Snowflake extortions.

Mandiant stated that Moucka has proven to be one of the most “consequential threat actors of 2024,” and mentioned that “This particular case is significant because they’ve picked up one of the tiny minority that causes disproportionate harm.”

Although many cybercrime forums have thousands of registered members, it is typically the same small group of threat actors that does the majority of the posting.

RedLine & META Infrastructure Takedown and Arrests

Operation Magnus compromised the infrastructure used by RedLine and META, two major infostealer variants. Shortly after taking down the infrastructure, authorities confirmed charges against the alleged administrator.

Here’s the takedown by the numbers:

  • Eurojust coordinated a takedown of three C2 servers located in the Netherlands
  • Eurojust took down two domains used by the operation
  • Belgian authorities arrested two suspects
  • The operation took down several Telegram channels used by the operation to communicate with affiliates, sell licenses, and support customers of both infostealer variants

The first time this shared backend was publicly discussed was in a 2023 conference talk by Mathieu Lavoie, co-founder and CTO at Flare, and Alexandre Côté, a malware researcher at ESET. Their research analyzed the panels and the backends of both stealers and found several strong similarities. The conclusion they drew was correct: the law enforcement operation tied both back to the same Russian threat actor and to the servers that were taken down.

The operation’s website has a video that lists usernames and then pans to a graphic of handcuffed hands, with the voiceover stating, “we are looking forward to seeing you soon.” There will most likely be more updates on this operation in the near future.

MOVEit Leaks 

The threat actor Nam3L3ss has released massive data leaks on BreachForums.

Quick refresher on MOVEit: around June of 2023, a popular file transfer product called MOVEit was the target of an exploited vulnerability that allowed unauthenticated access to the MOVEit product.

MOVEit became associated with Nam3L3ss’s leaks because the threat actor started making leak posts that mentioned MOVEit and Cl0p, a ransomware group, implying connections between them.

Counter to the narrative around MOVEit and Cl0p, Nam3L3ss has been posting databases to BreachForums for free for a while. In April of this year, the threat actor posted a database leak for a particular company that later announced it had been hacked. Nam3L3ss clarified that they did not hack the company, but rather found the files in a SQL backup sitting in an open AWS bucket, and linked to the bucket in their post.

Nam3L3ss has stated across several threads that they are not affiliated with any groups and are not a hacker. They claim that they poke around on the internet, pull files from ransom leaks, look in open cloud storage locations, FTP servers, and exposed MongoDB servers, then clean up the data before posting it to BreachForums. If this is true, then none of what they are posting is actually being released for the first time.

The list of leaks Nam3L3ss has posted is filled with high profile government and corporate names, and they claim they will continue posting them until the organizations start handling sensitive data more responsibly. 

Nam3L3ss claims they have many more leaks to post, and as of the day of recording, they were actively posting. They have also mentioned that they are avenging the security researcher Connor Goodwolf, who is in a public dispute with the city of Columbus, Ohio, after revealing that the city was the victim of a ransomware leak (counter to the city’s narrative that the data was all encrypted and inaccessible).

These are all developing stories that we covered only briefly, so check cybersecurity news outlets to stay up to date. We could not cover everything from the last few weeks, and we will look into new stories and developments next time.

Leaky Weekly and Flare

Interested in a free training on Remote Desktop Protocol interception with PyRDP? Sign up for the first-ever Flare Academy training with Flare’s Principal Cybersecurity Researcher Olivier Bilodeau on Tuesday, January 21, 2025, at 11:00 AT-1:00 PM ET.
