A cybercriminal from Eastern Europe who has been hacking a Chinese company for years appears to have carelessly exposed his own real identity.
Image: Konstantin Kolosov/Shutterstock
The world is full of hackers. There are hackers who do espionage work for various governments, hackers who hunt for bugs to help companies fix their products, and those who have more malicious intentions and try to make money with stuff like ransomware or stealing people's passwords.
And then there's this guy called Igor, a "lone wolf" and "highly-skilled petty cyber criminal with lofty ambitions" who's also made a series of puzzling, dumb mistakes that allowed a security firm to totally dox him.
Igor uses some techniques worthy of nation-state hackers, according to a new report by Symantec and its accompanying technical analysis. But his goal isn't to attempt to influence an election or hack into a nuclear reactor. Apparently, he steals car diagnostics software that he can then sell for a few hundred dollars on the black market, and it appears Igor also has a day job at an auto parts store.
Symantec researcher Jon DiMaggio discovered that Igor has used his own malware, a trojan called "Bachosens," to infiltrate an automotive parts supplier in China for years. He's also targeted an aviation company in Russia, and some online gambling companies. There's probably a lot of hackers just like him out there, but Symantec decided to expose him because it was a strange case. Igor is good enough to use custom-made malware, but also careless enough to make almost no effort to protect his real identity, DiMaggio argued.
To hide his tracks in his more recent attacks, Igor has used covert channels such as randomly generated domains to communicate with his malware. But in 2013, when he uploaded an early version of the same malware to Virus Total, an online repository where anyone can upload files to check whether they are detected by antivirus companies, he used a regular domain, according to Symantec.
That was one of his key mistakes. The other one was that throughout his years-long hacking career, Igor has used his real name—or at least a consistent persona or alias—to register domains associated with his hacking activities, as well as to then go out and sell the data he stole in online forums, according to Symantec.
"It's pretty dumb to put all your information out there and post it all over the internet."
The company isn't flat out identifying him in its report, but anyone can check the WHOIS registration details on some of the domains the hacker used to find what looks like his full name, the city where he lives in Moldova, and an email address that's a combination of the two. And from there, it's possible to even find what looks like his personal Facebook profile and a potential last name, among other data.
Just like most other security firms out there, Symantec usually doesn't identify who's behind the malware or hacking activities that it comes across. But in this case, DiMaggio argued, the identifying information was out there for all to see.
"You gotta have some common sense if you're gonna be a criminal," DiMaggio told Motherboard during a phone call. "And it's pretty dumb to put all your information out there and post it all over the internet."
I reached out to Igor to ask him if he's really who Symantec says he is and whether he uses the malware the company accuses him of deploying.
"I don't understand what you mean. What the trojan??" Igor answered, from a Gmail account that was used to register a domain that Symantec says was used in the attacks.
Igor confirmed that his phone number was indeed the one Symantec identified, but he declined to answer other specific questions about his name and his activities. He also denied Symantec's accusations.
"No, I am not hacker. And I don't know why they think I am hacker," Igor wrote.
Of course, that's what a hacker would say, I guess.
And, of course, this could all be a very convoluted, sophisticated false flag operation. For DiMaggio, however, the evidence is "as clear as day" and would even hold up in court if Moldovan authorities decided to go after him. After all, this wouldn't be the first time hackers or malware developers made dumb mistakes and doxed themselves.
Subscribe to Science Solved It, Motherboard's new show about the greatest mysteries that were solved by science.