The notorious hacker tessa88, who sold personal data from a string of high-profile breaches including those from LinkedIn, Facebook and Twitter, has been named by Recorded Future after an extensive research effort. Rob Scammell looks at the hacker’s track record and how the company unmasked him
The identity of tessa88, the hacker who sold databases stolen in some of the biggest data thefts in US history from companies including LinkedIn, Facebook and DropBox, has been revealed as Maksim Vladimirovich Donakov by cybersecurity company Recorded Future.
Donakov, from Penza, Russia, sold databases containing millions of personally identifiable information between February and March 2016 on underground hacker forums.
Sales included more than half a billion username and passwords, which were then used in a number of account takeover, phishing and other attacks.
The comprehensive investigation by Recorded Future found, with a “high degree of confidence”, that Donakov is the man behind the sale of these extensive databases.
Other stolen databases believed to be sold by Donakov include 32 million Twitter accounts, 360 million Myspace credentials and 500 million Yahoo account details.
Donakov is also believed to have sold data stolen from Badoo, QIP, Rambler, VKontakte and Mobango.
Prolific hacker made $90,000
Analysis of Donakov’s Bitcoin wallet show that he earned the equivalent of at least $90,000 for his criminal activity. His 168 Bitcoins were laundered through peer-to-peer exchange LocalBitcoins.
In May 2016 he was banned from underground forums because of accusations by other members that he was scamming them. Since then, tessa88 ceased all communication with the media and public and their identity has remained unknown until now.
A number of attempts had previously been made to uncover the identity of tessa88, who also went by the online aliases stervasgoa, janer93. Many previously believed that tessa88 was female.
Unmasking Donakov: Investigation timeline
Recorded Future’s threat intelligence group, Insikt Group, used a combination of their own data, open-source intelligence and dark web analysis to uncover Donakov.
Here’s how they did it:
Linking tessa88 to email accounts
Dark web analysis connected tessa88 to multiple chat and email accounts, including instant messaging Jabber account firstname.lastname@example.org. This account was used in sales threads on dark web forums. This led to the Twitter account @firetessa, which featured posts confirming that it belonged to tessa88.
The first picture of tessa88
A member of the underground community named TraX confirmed that tessa88 is a man behind the LinkedIn, Myspace and Yahoo megabreaches. TraX posed an alleged picture of tessa88 wearing a Guy Fawkes mask perching on top of a car.
Connected Imgur account
Open-source intelligence led to the Imgur account tarakan72511, which contained screenshots of a discussion with two people, one of who claimed to have the original Yahoo and Equifax database dumps in 2017. The Imgur account also contained a close-up picture of a man who matched the body type and hairstyle of the picture posted by TraX. The picture was captioned “tessa88”.
Further analysis of the dark web revealed that a member of the underground forums named Paranoy777 also used the Jabber username tarakan72511@chatme[.]im. Paranoy777 was also a selling off stolen databases between February and May 2016.
A member of the cybercriminal community lodged a complaint on dark web forums against a Russian-speaking scammer going by the name Daykalif, who also used the Jabber account tarakan72511@chatme[.]im, and was also selling stolen databases. This connects the Jabber account tarakan72511@chatme[.]im to Paranoy777 and, in turn, tarakan72511. Recorded Future concluded that it is likely the same person.
Further analysis of tarakan72511’s Imgur account revealed the user as an “avid” dog lover. A Youtube account with a similar username – Tarakan72511 Donakov – showed a video of someone feeding stray dogs. In this video, a voice can be heard stating they are in Penza. Crucially, the same style Guy Fawkes mask worn in the picture posted by TraX can be seen in the boot of a Mitsubishi Lancer.
Taking the name Donakov from the YouTube username and running it through Penza records revealed a man by the name of Maksim Vladimirovich Donakov. Running the name through a Russian crime database showed Donakov committed several crimes, and was involved in a car accident while driving a Mitsubishi Lancer – the same type of car identified in the Youtube video.
Recorded Future confirmed via confidential sources that Maxim Donakov is a real person who spent time in jail in 2014. Further open-source intelligence identified a number of accounts tied to Dokanov on Russian social media site Odnoklassniki. The pictures matched those on Imgur and also included a picture of a Mitsubishi Lancer.
Was tessa88 working alone?
It is unclear if Donakov was part of the Russian cyber gang that stole the main bulk of data in 2012. A 2016 report by cybersecurity company InfoArmor claimed that tessa88 was the seller for the group of hackers.
“Based on our research, it is evident that Donakov was responsible for monetisation of stolen data,” Andrei Barysevich, director of Advanced Collection at Recorded Future told Verdict.
“We have not found evidence that he was the main hacker, though.”
Another name that crops up is Peace_of_Mind. Recorded Future’s report indicates that tessa88 and Peace_of_Mind made an agreement in May 2016 to share some of the databases in a “likely attempt to expedite monteising the massive amount of data between the two”.
However, this relationship seems to have deteriorated, as shown by an interview with Motherboard, in which tessa88 described Peace_of_Mind as a “fagot who takes undue credit” and that tessa88 “shared a dump for analysis! And he started selling it”.
Peace_of_Mind alleged that tessa88 stole the hacked databases from “an old buddy” and started to sell them.
Hacker profile: tessa88, aka Maksim Donakov
Maksim Vladimirovich Donakov (Максим Владимирович Донаков)
Place of residence
Penza, Russia Known aliases: tessa88, stervasgoa, janer93, Paranoy777, Daykalif
Selling databases containing personally identifiable information relating to millions of users on the dark web
What happens now?
Recorded Future told Verdict that they shared their findings with federal law enforcement “well in advance” of releasing their report. But is Donakov likely to face any charges?
“We have seen plenty of cases where foreign nationals were indicted for their roles in cybercrimes,” explained Barysevich. “However, whether Donakov will be apprehended and face justice on US soil remains to be seen.”
One such example of extradition for cybercrimes is the closely connected case of Yevgeniy Nikulin. In October 2016, the FBI arrested the Russian national for the very same 2012 LinkedIn breach that Donakov profited from. Nikulin was extradited from the Czech Republic in March this year to face criminal proceedings.
To make matters murkier, Nikulin is now a person of “great interest” in the US probe of Russian interference in the 2016 US presidential election, Bloomberg reports.
His extradition to the US heightened tensions with Russia, who had been fighting the US to extradite him back to Russia. It is unclear if Nikulin was involved with or knows anything about Russia’s meddling in the US election, or what his connection is to Donakov.
The exact methods used to steal the databases are also unknown, as is the exact role of Donakov in the theft.
It is hoped that the upcoming criminal case of Nikulin will shed some light on the gaps in the story.