VandaTheGod: the person who has been hiding behind a hacktivism campaign for 7 years
The latter has targeted governments in many countries, including Brazil, the Dominican Republic, Trinidad and Tobago, Argentina, Thailand, Vietnam and New Zealand. Numerous posts on degraded websites have suggested that the attacks were motivated by anti-government sentiment and were carried out to combat social injustices that the hacker believed were the direct result of government corruption.
While it was these degrading website activities that drew attention to VandaTheGod, the theft of bank card data and the leakage of sensitive personal data are also among them.
By closely examining these attacks, we were able to map VandaTheGod’s activities over the years, and ultimately discover the true identity of the hacker.
Activity on social networks
The person behind “VandaTheGod” has operated under several aliases in the past, including “Vanda de Assis” and “SH1N1NG4M3”, and was very active on social networks, mainly on Twitter. She often shared the results of her hacking activities with the public:
A link to this Twitter account was even sometimes added to the message that VandaTheGod left on compromised websites, confirming that this profile was well managed by the hacker.
Many tweets on this account were written in Portuguese. The hacker also claimed to be part of the “Brazilian cyber army” or “BCA”, often displaying the BCA logo in screenshots of accounts and compromised websites.
Hacktivism or simply piracy?
VandaTheGod has not only attacked government websites. He also launched attacks on public figures, universities and even hospitals. In one case, the hacker claimed to have access to the medical records of a million patients in New Zealand, who were sold for $ 200:
While the public announcement of a hacker’s activities can sometimes deter him from attacking new targets, VandaTheGod seems to appreciate the attention and often boasts of announcements about his exploits. He even posted some of the videos from this media coverage on his YouTube channel.
Most of VandaTheGod’s attacks on governments were politically motivated, but a closer look at some of the tweets shows that the hacker was also trying to achieve a personal goal: to hack a total of 5,000 websites.
According to data from zone-H (a service which records incidents of website degradation), this objective has almost been achieved, as there are currently 4,820 reports of pirated websites linked to VandaTheGod. Although most of these sites have been hacked due to their vulnerabilities, the list also includes many government and academic sites, which VandaTheGod appears to have deliberately selected.
Hiding behind the mask
VandaTheGod’s major role in several hacking groups, as well as his love of advertising, means that he has kept in touch with other members of the hacking community via his many social media accounts, his rescue accounts, email addresses, websites and more. Over the years, this activity has left a long trail that we have now been able to follow.
For example, WHOIS data on VandaTheGod[.]com show that the site was registered in the name of a person in Brazil, specifically in Uberlândia, using the email address fathernazi @ gmail[.]com. It turns out that in the past, VandaTheGod claimed to be a member of the UGNazi hacking group.
This email address has been used to register additional websites, such as braziliancyberarmy[.]com
This is not the only case where the details published online by VandaTheGod have provided valuable information about the identity of the hacker. For example, the following screenshot shows the compromised email account of Myrian Rios, a Brazilian actress and television presenter:
The screenshot also shows an open Facebook tab with the name “Vanda De Assis”. A search on this name led us to a profile belonging to the hacker:
Although this profile does not give any details on the real identity of VandaTheGod, we could see many similarities with the Twitter accounts exploited by the hacker, because the same content was often shared on both platforms:
The most interesting is that the screenshot above revealed the name of a user that we will only identify here by his initials: M. R.
At first, we weren’t sure if Mr. R. was the real initials of VandaTheGod, but we decided it was worth investigating, as a first name with those initials also appeared in several screenshots shared by VandaTheGod on Twitter, as the username of the machine used for this hacking activity.
We tried to search Facebook for people called Mr. R., but of course we ended up with too many possibilities.
The trigger occurred when we looked for Mr. R. in connection with the city that we had previously observed in the WHOIS information of vandathegod[.]com: UBERLANDIA
We obtained many Facebook profiles, but we were able to locate among them an account containing an image supporting the Brazilian cyber army.
We knew then that we were on the right track. It only remained for us to link this individual’s account to one of the known accounts of VandaTheGod.
We were able to make several cross-checks between the newly discovered profile and the Facebook account of Vanda de Assis.
We ended up locating shared photos of the same environment from different angles, including the article author’s living room. This confirmed that the accounts of Mr. R. and VandaTheGod are controlled by the same person.
Police service notification
Check Point reported these findings to the appropriate police. All the profiles on social networks still exist, but many photos on the personal profile of the hacker which are related to those of the pseudonym VandaTheGod were subsequently deleted. These profiles have been showing no activity since the end of 2019, and no one has posted new posts since.
Since 2013, VandaTheGod’s hacking activity has targeted governments as well as businesses and individuals. He degraded government websites, sold corporate information, and posted credit card information to many individuals.
While many tend to view hackers who degrade websites as mere cybervandals writing slogans on websites, VandaTheGod has proven, through many successful attacks on reputable websites, that hacktivism often crosses the border for extend to other criminal activities, such as theft of identifiers and bank cards, and that it is effectively part of the wider cybercrime community, making it a very real security threat online. .
VandaTheGod managed to carry out many hacking attacks, but ultimately failed from an OpSec perspective, as it left many traces that led to its true identity, especially at the start of its hacker career. In the end, we were able to link with certainty the identity of VandaTheGod to a Brazilian individual living in the city of Uberlândia. We have forwarded our findings to the authorities to enable them to take appropriate action.