
True Identity of Notorious Hacker tessa88 Revealed
_Scope Note: To create the following actor profile, Insikt Group used OSINT, Recorded Future data, and dark web analysis to identify the contact information, alternative aliases, and TTPs used by the actor tessa88.
This profile will be of most interest to email service providers, social media companies, and technology companies located primarily in the United States and Russia._
Executive Summary
In early 2016, a previously unknown hacker operating under the alias of tessa88 publicly emerged after offering an extensive list of compromised, high-profile databases for sale. The hacker offered for sale the databases of companies such as VKontakte, Mobango, Myspace, Badoo, QIP, Dropbox, Rambler, LinkedIn, and Twitter, among others. Within several months of incredibly active public engagement, the hacker's personas were banned from almost every dark web community for various reasons, and by May of 2016, tessa88 entirely ceased all communications with the media and public alike. In the following months, numerous attempts were made to uncover the true identity of the hacker. However, no concrete evidence was ever produced that linked tessa88 with any real individual.
New findings strongly suggest that the individual behind tessa88 may be Maksim Donakov of Penza, Russia, who operated under multiple monikers on the dark web. It is possible that a second, unknown individual assisted Donakov in maintaining the tessa88 account while adhering to impeccable OPSEC and remaining anonymous to this day. In either scenario, we firmly believe that Maksim Donakov directly benefited from the sales of compromised databases and should be viewed as the main actor.
Key Judgments
- tessa88’s criminal career likely began as early as 2012, before the breaches of LinkedIn, Dropbox, Yahoo, and others that were attributed to them. They likely created the alias tessa88 specifically to sell high-profile databases.
- Our analysis, based on discovered images of the real individual hiding behind the moniker tessa88 and underground forum discussions, allows us to assess with a high degree of confidence that tessa88 is a man and not a woman.
- Our analysis reveals that the moniker tessa88 is tied to aliases Paranoy777, Daykalif, and tarakan72511. All share similar social media photos that are nearly identical to a passport photo of Maksim Donakov, who is the individual behind Paranoy777.
- Our research suggests that Donakov, Maksim Vladimirovich (Донаков, Максим Владимирович), is a resident of the Russian Federation.
Uncovering tessa88’s true identity.
Background
The threat actor tessa88, also known as stervasgoa and jannet93, is a well-known hacker who was involved in the sale of multiple high-profile databases, including LinkedIn, VKontakte, Facebook, MySpace, and Twitter, from February to May 2016. Some in the media believe the actor is a Russian-speaking female. tessa88 was active for only a short time, during which they sold databases from websites including LinkedIn, VKontakte, Yahoo, Yandex, Rambler, MySpace, Badoo, QIP, and Mobango. tessa88 was eventually banned on multiple forums following accusations of fraudulent activity from other members.
Recorded Future data indicates that the actor Peace_of_Mind, also known as Peace, was selling a LinkedIn database as early as May 16, 2016, on the now-defunct TheRealDeal Market. The LinkedIn breach led to the arrest of Russian national Yevgeniy Nikulin (Евгений Никулин) by the FBI in October 2016. Nikulin was in the Czech Republic at the time and was later extradited to the United States. The Russian government stated that the U.S. actions were politically motivated and, in an effort to fight Nikulin's extradition, issued its own arrest warrant against him in November 2016, accusing him of stealing $3,450 from WebMoney. At the time of this writing, the investigation is ongoing and no clear evidence has been produced linking Nikulin to Peace_of_Mind.
Motherboard published the findings of an interview with tessa88, who presented themselves as a seasoned member of the criminal underground and accused Peace_of_Mind of stealing the databases tessa88 was selling. Peace_of_Mind, in response, claimed that tessa88 had stolen the databases from a friend in order to sell them online.
A report from the cybersecurity firm InfoArmor claims that tessa88 acted as a proxy who sold accounts and personally identifiable information (PII) stolen by a group of hackers identified as “Group E.” InfoArmor claims that tessa88 was the first to sell accounts from many of these high-profile databases beginning as far back as February 2016, which Recorded Future data confirmed.1 Around May 2016, InfoArmor claimed that tessa88 and Peace_of_Mind made an agreement to share at least some of their respective databases between one another in a likely attempt to expedite monetizing the massive amount of data between the two actors. The relationship between tessa88 and Peace_of_Mind deteriorated as other members of the underground communities claimed the data was of poor quality. If this report is accurate, this corroborates Motherboard’s findings and explains the outspoken hostility between the two actors.
Activity of tessa88 (also known as stervasgoa) on the dark web between February and May 2016.
Threat Analysis
An analysis of dark web activity connected tessa88 to multiple chat and email accounts, including the Jabber accounts tessa88@exploit[.]im, tessa88@xmpp[.]jp, mrfreeman777@xmpp[.]jp, darksideglobal@exploit[.]im, the ICQ account 740455, and the email address firetessa@yahoo[.]com.
tessa88 selling databases from websites including LinkedIn and MySpace on an underground forum that is currently defunct.
The tessa88@exploit[.]im Jabber account used by tessa88 in underground forum threads led to the Twitter account @firetessa, which on July 5, 2016, posted a tweet stating that the Jabber account tessa88@exploit[.]im belonged to them.
The tweet from the Twitter account @firetessa claiming that tessa88@exploit[.]im belongs to them.
The actor TraX, a member of the underground community, stated that tessa88 is a man and posted an alleged photo of the actor on an underground forum. TraX also stated that tessa88 was behind recent mega breaches like LinkedIn, MySpace, and Yahoo, and even expressed a willingness to share this information with reporters.
An alleged photo of tessa88 posted by TraX on an underground forum.
OSINT then identified the Imgur account tarakan72511, who posted screenshots of discussions regarding the Yahoo and Equifax breaches with the actors HelloWorld and Ibm33a14. Note that Ibm33a14 is a Russian-speaking actor who claimed to have the original Yahoo and Equifax database dumps in 2017 on several cybercriminal forums.
A screenshot of a discussion regarding the Yahoo and Equifax posted by tarakan72511.
That same Imgur account also posted a picture titled “tessa88” in 2017, showing a man whose body type and hairstyle are similar to the individual depicted in the aforementioned picture posted by TraX.
A potential picture of tessa88 posted by tarakan72511 on Imgur.
The moniker tarakan72511 is an alias used by the actor Paranoy777, who uses the Jabber account tarakan72511@chatme[.]im. Paranoy777, like tessa88, sold stolen databases from large social media and technology companies from February to May 2016.
Recorded Future identified a complaint filed against tarakan72511 in which another member claimed that Daykalif is a Russian-speaking scammer who was trading large databases and used the Jabber accounts daykalif@xmpp[.]jp and tarakan72511@chatme[.]im, the latter being the same Jabber account used by the actor Paranoy777, who is in turn connected to tarakan72511. If this claim is true, then it is likely that the users Paranoy777 and Daykalif are the same person.
A complaint found on a criminal forum claiming that Daykalif used the Jabber accounts daykalif@xmpp[.]jp and tarakan72511@chatme[.]im.
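The chain of identifiers above is a good place to make the evidence explicit. As an added example (not Insikt Group's tooling and not code from this report), the following Python keeps the monikers and contact handles cited in the text as a small graph in which every link is tagged by the kind of evidence behind it: an identifier the actor posted themselves ("hard"), a third-party forum claim ("claimed"), or photo, username, or name resemblance ("soft"). The node list is transcribed from the report; the three-level ranking and the labels assigned to each link are the analyst's assumptions. A widest-path search then reports the weakest link on the strongest chain between any two nodes, which is the honest confidence of that attribution step.

```python
"""Alias-linking graph for the identifiers cited in this report.

Added example, not Insikt Group's code. Nodes and edges are transcribed
from the report text; the strength ranking is an assumption.
"""
import heapq
from collections import defaultdict

# Evidence strength, strongest first. The ranking is an analyst assumption.
STRENGTH = {"hard": 3, "claimed": 2, "soft": 1}

# (node_a, node_b, strength, note) -- constructed from the report's text.
EDGES = [
    # Identifiers the actor used in their own forum threads or tweets.
    ("tessa88", "tessa88@exploit[.]im", "hard", "Jabber in forum threads"),
    ("tessa88", "tessa88@xmpp[.]jp", "hard", "Jabber"),
    ("tessa88", "mrfreeman777@xmpp[.]jp", "hard", "Jabber"),
    ("tessa88", "darksideglobal@exploit[.]im", "hard", "Jabber"),
    ("tessa88", "ICQ 740455", "hard", "ICQ"),
    ("tessa88", "firetessa@yahoo[.]com", "hard", "email"),
    ("@firetessa", "tessa88@exploit[.]im", "hard", "tweet claiming the Jabber"),
    ("Paranoy777", "tarakan72511@chatme[.]im", "hard", "Jabber"),
    ("Paranoy777", "tarakan72511", "hard", "alias used by Paranoy777"),
    # Third-party assertion in a forum complaint, not first-hand.
    ("Daykalif", "daykalif@xmpp[.]jp", "claimed", "forum complaint"),
    ("Daykalif", "tarakan72511@chatme[.]im", "claimed", "forum complaint"),
    # Resemblance only: image title, photo likeness, similar username.
    ("tarakan72511", "tessa88", "soft", "Imgur image titled tessa88 resembles TraX photo"),
    ("tarakan72511", "Tarakan72511 Donakov (YouTube)", "soft", "similar username"),
    ("Tarakan72511 Donakov (YouTube)", "Maksim Donakov", "soft", "surname, Penza, Lancer"),
    ("tarakan72511", "Maksim Donakov", "soft", "Odnoklassniki photos match Imgur image"),
]


def build_graph(edges=EDGES):
    """Undirected adjacency map; parallel edges keep the strongest weight."""
    graph = defaultdict(dict)
    for a, b, strength, _note in edges:
        weight = STRENGTH[strength]
        graph[a][b] = max(graph[a].get(b, 0), weight)
        graph[b][a] = max(graph[b].get(a, 0), weight)
    return graph


def clusters(min_strength, edges=EDGES):
    """Connected components using only links at least `min_strength`."""
    graph = build_graph(edges)
    floor = STRENGTH[min_strength]
    seen, components = set(), []
    for start in graph:
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(m for m, w in graph[node].items() if w >= floor and m not in component)
        seen |= component
        components.append(frozenset(component))
    return components


def same_cluster(a, b, min_strength, edges=EDGES):
    """True if a and b are joined by links of at least `min_strength`."""
    return any(a in c and b in c for c in clusters(min_strength, edges))


def link_strength(a, b, edges=EDGES):
    """Widest-path search: the weakest link on the strongest chain from a to b.

    Returns the strength label of that bottleneck, or None if no chain exists.
    """
    graph = build_graph(edges)
    best = {a: max(STRENGTH.values()) + 1}  # sentinel above every real weight
    heap = [(-best[a], a)]
    while heap:
        neg_w, node = heapq.heappop(heap)
        width = -neg_w
        if width < best.get(node, 0):
            continue  # stale heap entry
        for nxt, edge_w in graph[node].items():
            candidate = min(width, edge_w)
            if candidate > best.get(nxt, 0):
                best[nxt] = candidate
                heapq.heappush(heap, (-candidate, nxt))
    if b not in best or a == b:
        return None
    labels = {v: k for k, v in STRENGTH.items()}
    return labels[best[b]]


if __name__ == "__main__":
    for pair in [("tessa88", "@firetessa"), ("Paranoy777", "Daykalif"), ("tessa88", "Maksim Donakov")]:
        print(pair, "->", link_strength(*pair))
    print("hard-only clusters:", [sorted(c) for c in clusters("hard")])
```

Run as-is, the script shows what the narrative implies: with hard links alone, tessa88 and Paranoy777 sit in separate clusters, Paranoy777 joins Daykalif only once the forum complaint is admitted, and the step from tessa88 to Maksim Donakov rests entirely on photo and username resemblance.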
Additional information from the Imgur account tarakan72511 revealed that the user is apparently an avid dog lover. OSINT identified a YouTube account with a similar username, Tarakan72511 Donakov, which posted a video showing someone feeding stray dogs. In the video, a voice states that they are in Penza, Russia. The vehicle appearing in the video is a Mitsubishi Lancer with license plate K652BO 58.
Tarakan72511 Donakov’s YouTube profile.
Moreover, at 56 seconds in the video, a Guy Fawkes mask is seen. A similar mask was used as the avatar on Tarakan72511 Donakov’s YouTube profile and is also worn by the person on the image shared by TraX.
The Guy Fawkes mask seen in the YouTube video, YouTube avatar, and in TraX’s image.
OSINT collected on Donakov (Донаков) of Penza (Пенза) revealed that a person named Донаков М.В./Donakov M.V. had committed several crimes in the Russian cities of Yaroslavl and Penza, including a traffic accident while driving a Mitsubishi Lancer in 2017. A Donakov, Maksim Vladimirovich (Донаков, Максим Владимирович), originally from Yaroslavl who later moved to Penza, was also mentioned in several SudAct records, indicating that the individual had spent several years in prison before the accident.2
Based on this information, the investigation identified three Odnoklassniki profiles, all under the name Maxim Donakov, two listing Yaroslavl as the current place of residence and one listing Penza. The first Odnoklassniki profile belongs to a man who lived in Yaroslavl and was born on July 2, 1989. The user last visited the site on September 9, 2013. The second Odnoklassniki profile has the same name and date of birth as the first. Its profile photo and other images depict the same person seen in tarakan72511's Imgur image. Note the Mitsubishi Lancer with license plate А 134МК 76.
Images from the Odnoklassniki profile of Maxim Donakov.
The analysis of the second Odnoklassniki profile revealed that the actor is linked to another user, “Ядовитый Таракан” (Yadovitiy Tarakan, “Poisonous Cockroach”), allegedly residing in Pervomaysk, Ukraine. The “Tarakan” in that name echoes the Imgur account tarakan72511, and the profile photo strongly resembles Maxim Donakov. It is worth mentioning that Pervomaysk is Maxim Donakov’s real place of birth. Considering the facts mentioned above, we assess with a high degree of confidence that the Yadovitiy Tarakan profile also belongs to Maxim Donakov.
Another Odnoklassniki profile with the username “Ядовитый Таракан” created by Maxim Donakov.
Furthermore, confidential sources confirmed that Maxim (Maksim) Donakov is a real person born on July 2, 1989. According to SudAct, Donakov was released under police supervision but was then imprisoned after committing another crime in 2014. This may explain the existence of multiple Odnoklassniki profiles, as Donakov may have been forced to create a new profile after his release from prison if he forgot the login credentials for his previous account(s).
OSINT identified other accounts and contact details potentially linked to Donakov (tessa88), such as a VKontakte profile for Maxim Ivanov with the phone number +79022222229, profiles on Vkrugudruzei and Valet.ru, and the YouTube account Maxim Donakov with the phone number +17789981919. An internet search for the keywords “Максим Донаков” surfaced the profile Gulik01 on Freelance.ru, which may belong to tessa88 (Donakov). Gulik01's account information describes a Russian-speaking freelancer specializing in information technology.
Moreover, additional searches in leaked databases identified Maksim Donakov, a resident of Penza born on July 2, 1989, matching the user profile information from the aforementioned Odnoklassniki profiles and the image titled “tessa88” posted by the Imgur user tarakan72511, which depicts the same person. Again, all of this indicates that tessa88 is indeed Maksim Donakov.
The analysis of tessa88’s confirmed Bitcoin wallet, with the majority of funds being laundered through LocalBitcoins.
Insikt Group's analysis of the transactions associated with tessa88's confirmed Bitcoin wallet, using Crystal Blockchain, revealed that the hacker received at least 168 Bitcoins, approximately $90,000, and that most of the funds were ultimately laundered through LocalBitcoins, a highly popular peer-to-peer exchange service. Despite the actor's disappearance in May 2016, the wallet continued to be used until August 2017.
Outlook
Insikt Group assesses with a high degree of confidence that tessa88 is one of many monikers created by Maksim Donakov to sell high-profile databases on underground criminal forums. Furthermore, it is likely that Donakov was active on the dark web since at least 2012 and also used the monikers Paranoy777, Daykalif, and tarakan72511.
Maxim Donakov, also known as tessa88, Paranoy777, and Daykalif.
Maksim Donakov, whose full name is Maksim Vladimirovich Donakov (Максим Владимирович Донаков), was born on July 2, 1989. Donakov is a resident of the Russian Federation who previously lived in Yaroslavl and later moved to Penza. Analysis of social media accounts and other sources from Recorded Future further confirms our findings.
According to the conducted analysis, the monikers tessa88, Paranoy777, and Daykalif were created intentionally to sell compromised data on the dark web. Considering the contradictory information regarding the breaches of the aforementioned companies, it is difficult to identify the real tactics, techniques, and procedures (TTPs) applied by the hackers. However, the pending investigation of Yevgeniy Nikulin’s case, tied to the LinkedIn data leak, may shed light on this story and fill the remaining gaps.
1 Recorded Future observed tessa88 selling PII from high-profile databases on a Russian hacking forum as early as February 2, 2016.
2 SudAct (sudact.ru) is the largest non-governmental Russian website archiving court records.