Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:10 PM
Connect Directly

Researchers ID Hacktivist Who Defaced Nearly 5,000 Websites

Opsec mistakes lead a Check Point researcher to an individual in Brazil who was behind a longtime hacking campaign.

A politically motivated hacktivist who since 2013 defaced nearly 5,000 websites in 40-plus countries has been tripped up by a series of operational security mistakes he made during his seven-year hacking spree.

Security researchers at Check Point Software Technologies, who were commissioned by a foreign government to hunt down the hacker, this week identified him as a 20-something individual living in the municipality of Uberlandia in Brazil.

The security vendor did not release the name of the hacker, citing privacy reasons. But Check Point claimed that it had notified Brazilian law-enforcement authorities about the individual and his activities. It's unclear whether Check Point's information has resulted in the hacktivist's arrest.

The hacker, who used the handle "VandatheGod," defaced websites belonging to governments in Brazil, Argentina, Thailand, Vietnam, and dozens of other countries. Over the last year, a majority of his targets – 57% — were US-based and included websites belonging to cities, states, and healthcare organizations.

Many — but not all — of the attacks appear to have been motivated by anti-government sentiment. The messages the hacktivist left on defaced websites suggest they were carried out to express opposition to what he perceived as social injustices perpetrated by governments worldwide, Check Point said in a newly published report on how its researchers tracked down VandaTheGod.

According to the security vendor, its investigation showed that while anti-government sentiment was a major driving factor, the hacker was also motivated by other reasons. One of them was to try and achieve a personal goal he had set for himself of defacing 5,000 websites worldwide. Data from a service that maintains a record of web defacement incidents showed that VandaTheGod had defaced some 4,820 sites since 2013.

"While most of these websites were hacked by mass scanning the Internet for known vulnerabilities, the list also includes numerous government and academic websites, which VandaTheGod seems to have deliberately selected," Check Point said in its report.

At least a few of VandaTheGod's attacks appear to have been financially motivated as well. In one incident, for instance, the hacker claimed to have accessed records of one million patients in New Zealand, which he put up for sale for $200. He also appears to have stolen credit card data and sensitive personal information. "This hacker was initially motivated by a strong anti-government ideology," says Lotem Finkelsteen, Check Point's manager of threat intelligence. But as with most cybercriminals, he pivoted to other malicious activity, Finkelsteen says. "He picked his targets based on popular news and opportunities he found."

Opsec Mistakes

VandaTheGod's extensive tweets and his social media activity are what ultimately led to his exposure. Check Point researchers analyzing his activity discovered that he had operated under multiple aliases in the past including Vanda de Assis and SH1N1NG4M3. They discovered many of his tweets were in Portuguese and contained references to his being part of the so-called Brazilian Cyber Army (BCA). Screenshots of websites he defaced would often contain the logo of the BCA.

One such screenshot contained an open Facebook tab with the Vanda De Assis's name on it. The led Check Point researchers to a Facebook profile from which they were able to get information tying profile with the Twitter accounts the hacker operated. The screen shot also revealed the initials M.R, which Check Point researchers surmised referred to the hacker's true identity. The theory was based on the fact that a first name matching these initials appeared in several other screenshots the hacker had posted.

A subsequent search on Facebook for people named M.R ultimately led Check Point researchers to one belonging to an individual in Uberlandia and which also contained a BCA logo. The researchers had already previously established the hacker was likely a native of Uberlandia based on information he provided when registering his VandaTheGreat domain.

The researchers were also able to dig up other information from the hacker's public posts on Twitter and Facebook — including photos of his living room from different angles — that allowed them to establish a firm connection between the individual named M.R and VandaTheGod. According to the security vendor, the data its researchers gathered establish with a high degree of certainty that VandaTheGreat and M.R are one and the same individual.

Finkelsteen says the research took a few weeks to complete. "We are well trained to do it and we have done it several times over the past years," he says.

Related Content:


Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really  bad day" in cybersecurity. Click for more information and to register
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-10
Valve Steam through 2021-04-10, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.
PUBLISHED: 2021-04-10
A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root.
PUBLISHED: 2021-04-09
Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat softw...
PUBLISHED: 2021-04-09
Use after free in screen sharing in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
PUBLISHED: 2021-04-09
Use after free in V8 in Google Chrome prior to 89.0.4389.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.