The identity of a notorious figure in the hacker underworld has possibly come to light, due to new research from threat intelligence firm Recorded Future.
In a blog post published Tuesday, the company’s Insikt Group points to evidence that unmasks “tessa88,” a prolific data broker who sold access to information stolen in high-profile breaches. The company claims that tessa88 is tied to Russian national Maksim Donakov.
Operating from February to May 2016, mostly on the dark web, tessa88 sold access to stolen databases, including LinkedIn, VKontakte, Facebook, MySpace, and Twitter, according to the research.
Andrei Barysevich, Recorded Future’s director of advanced collection, told CyberScoop that while tessa88 was a constant on many dark web forums, the holder of that alias was purely a broker and there is no reason to believe that person carried out the hacks.
“He was the seller of the data,” Barysevich told CyberScoop. “We did not find any evidence that he possesses sufficient technical knowledge to facilitate hacks.”
In order to broker deals, Donakov had a host of aliases — Paranoy777, Daykalif, and tarakan72511 — across the open web and dark web. It was this trail of data, mainly pictures and videos, that allowed researchers to pinpoint that Donakov was behind the “tessa88” account. Recorded Future suggests that accomplices may have had access to the same accounts, but Donakov is the only person the company identifies.
“Even if you maintain very good [operational security,] there’s always a trail of evidence,” Barysevich told CyberScoop. “Once you have accumulated a huge data set — not only from the dark web, but from the open web — it’s only a matter of connecting the dots.”
Tessa88 was closely watched in 2016, when news of the LinkedIn and MySpace breaches went public. Someone behind tessa88 gave an interview to Vice’s Motherboard in June 2016, which unearthed another account that may have been tied to the stolen LinkedIn data.
Recorded Future’s research shows that another actor besides tessa88, known as “Peace_of_Mind,” also was selling a LinkedIn database as early as May 16, 2016, on dark web marketplace TheRealDeal. According to the Motherboard interview, Peace_of_Mind didn’t get along with tessa88, claiming that the LinkedIn data was stolen to sell to a friend.
U.S. officials have charged another Russian national, Yevgeniy Nikulin, with a number of hacking-related crimes for his alleged role in the LinkedIn breach.
Recorded Future’s research does not link Peace_of_Mind with Nikulin. However, another report published by cybersecurity firm InfoArmor in 2016 claimed that tessa88 and Peace_of_Mind agreed to share at least some of their respective databases in order to maximize the amount of money they could make.
Barysevich told CyberScoop that the company handed over its research regarding tessa88 to the FBI, but has not heard whether officials have used the company’s information with regard to the LinkedIn case.
CyberScoop has reached out to both the FBI and Nikulin’s lawyer for comment, and will update this story as necessary.
Since his extradition, Nikulin has been extremely uncooperative with his lawyers, speaking only to Russian government officials who visited him earlier this year. The trial is scheduled to begin in January.