Brazil Arrests “USDoD,” Hacker in FBI InfraGard Breach – Krebs on Security

Brazilian authorities have reportedly arrested a 33-year-old man on suspicion of being “USDoD,” a prolific cybercriminal who became infamous in 2022 by infiltrating the FBI’s InfraGard program and sharing contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that resulted in the disclosure of Social Security numbers and other personal information for a significant portion of the U.S. population.

USDoD’s InfraGard sales thread on Breached.

The Brazilian news agency TV Globo first reported the USDoD arrest, saying federal police arrested a 33-year-old man from Belo Horizonte. According to TV Globo, USDoD is wanted domestically in connection with the theft of data on Brazilian federal police officers.

USDoD was known to use the hacker handles “Equation Corp” and “NetSec,” according to the cyber intelligence platform Intel 471. NetSec posted a thread on the now-defunct cybercrime community RaidForums on February 22, 2022, in which they revealed the email address and password of 659 members of the Brazilian Federal Police.

TV Globo did not give the name of the arrested man, but the Portuguese tech news channel Tecmundo released a report in August 2024 naming USDoD as 33-year-old Luan BG from Minas Gerais, Brazil. Tecmundo said it learned the hacker’s true identity after receiving a draft of a detailed, non-public report from the security firm CrowdStrike.

CrowdStrike did not respond to a request for comment. But a week after Tecmundo’s article, the tech news publication hackread.com released a report in which USDoD reportedly admitted that CrowdStrike had correctly identified him. Hackread said USDoD shared a statement partially directed at CrowdStrike:

A recent statement from USDoD after being successfully pressured by CrowdStrike and other security firms. Image: Hackread.com.

In August 2024, a cybercriminal began selling Social Security numbers and other personal information stolen from National Public Data, a private data broker in Florida that collected and sold SSNs and contact information for a significant portion of the American population.

Further reports revealed that National Public Data had accidentally published its own passwords on the Internet. The company is now the target of several class action lawsuits and recently filed for bankruptcy. In an interview with KrebsOnSecurity, USDoD admitted to stealing the NPD data earlier this year, but claimed he was not involved in sharing or selling this data.

In December 2022, KrebsOnSecurity broke the news that USDoD had socially engineered his way into the FBI’s InfraGard program, an FBI initiative to establish informal partnerships with vetted private sector professionals for sharing information about cyber and physical threats to critical U.S. national infrastructure.

USDoD applied for InfraGard membership using the identity of the CEO of a major US financial company. Although USDoD listed the CEO’s actual cell phone number, the FBI apparently never reached the CEO to confirm the request, as the request was granted just weeks later. According to USDoD, he then used a simple program to collect all of the contact information shared by more than 80,000 InfraGard members.

The FBI declined to comment on reports of the USDoD arrest.

In a long interview in September 2023 with databreaches.net, USDoD told the publication he is a man in his mid-30s who was born in South America and holds dual citizenship of Brazil and Portugal. Towards the end of this interview, USDoD said that they planned to establish a platform to obtain military intelligence from the United States.

Databreaches.net told KrebsOnSecurity that USDoD has been a regular correspondent since that interview in 2023 and that after the doxxing, USDoD made inquiries with a local attorney to see if there were any ongoing investigations or charges pending against him.

“According to what the lawyer learned from the federal police, there were no open cases or charges against him at this point,” said Databreaches.net. “It is clear from his letters to me and the conversations we have had that he had absolutely no idea that he was in imminent danger of arrest.”

When KrebsOnSecurity last communicated with USDoD via Telegram on August 15, 2024, they stated that they “plan to withdraw and get on with it,” citing multiple media reports that held USDoD responsible for disclosing nearly 3 billion consumer data records from National Public Data.

However, less than four days later, USDoD returned to his usual routine on BreachForums by releasing custom exploit code he allegedly wrote to attack recently patched vulnerabilities in a popular WordPress website theme.