A single video frame turned out to be the fatal mistake of an elusive cybercriminal.
The hacker known as Judische made about $2 million by breaking into companies and extorting them over stolen data, by his own account. At the beginning of the year, Judische carried out a series of attacks on customer databases hosted on Snowflake's cloud platform, stealing sensitive data (the accounts were opened with stolen customer credentials, not through a flaw in Snowflake itself). According to some reports, up to 165 companies were hit, including Ticketmaster, Santander Bank and Neiman Marcus, with serious consequences across several industries.
One of Judische's most notable attacks was the AT&T data breach, in which he and his co-conspirator, John Binns, stole records on millions of users. The stolen data contained subscribers' call and text message history, which gave the criminals a detailed picture of the victims' personal lives. Judische and Binns met through SIM swapping, one of their early schemes, in which criminals hijack victims' phone numbers in order to take over their online accounts.
Binns was arrested in Turkey after the AT&T hack, but Judische continued his activities and stepped up the pace of his attacks. Judische has used the pseudonyms "zfa", "catgwuirrel", "scarlet", and others. His messages on Telegram are chaotic and include threats against cybersecurity researchers. One of his tactics is so-called "detrace": blaming others for his attacks to confuse investigators.
In addition to blackmail, Judische actively interacted with intermediaries who helped him structure data for further extortion. One of these intermediaries was Vinny Troia, who offered Judische his services to sell stolen data. Troia actively corresponded with the hacker's companions, offering options for monetizing the stolen information.
Judische's activities began to attract the attention of cybersecurity specialists. One of the experts, Austin Larsen, a senior threat analyst at Mandiant, focused his efforts on finding traces that the hacker could have left. At the LABScon cybersecurity conference, Larsen will present his findings about the identity and location of the hacker.
As part of the investigation, Larsen examined Judische's public and private Telegram posts, where he was active. Gradually, the researcher began to form an idea of who Judische was and where he might be.
Judische made one critical mistake that put investigators on his trail. While recording a video in which he supposedly deleted a victim's stolen data, the hostname of his computer was visible in the frame. A hostname is exactly the kind of identifier that shows up in reverse DNS records and TLS certificates indexed by Internet-wide scanners, so Larsen searched for it in Censys and was able to identify the server and the surrounding infrastructure that supported Judische's operations. The server was hosted in Ukraine, and access to it was soon cut off.
Taking down the infrastructure slowed the hacker, since he lost access to part of the stolen data, which delayed further attempts to blackmail companies. Judische reacted with a storm of angry Telegram messages, complaining about interference by the Ukrainian authorities and claiming that the server had been returned after a misunderstanding. Soon afterwards, however, Mandiant was able to get several more of Judische's servers taken down.
Larsen and Mandiant's research identified several hundred indicators of compromise associated with Judische's activity: IP addresses, hostnames, and other technical artifacts that made it possible to track the hacker's actions across different platforms.
From the collected data, Mandiant was able to build a fuller picture of the attacker. Judische is a young man in his early 20s, presumably from Canada, who is passionate about video games and "catgirls" (a popular anime trope) and who, judging by his Telegram activity, goes without sleep for days at a time during his hacking sprees.
Investigators from Mandiant and from law enforcement agencies in the United States and other countries are continuing the investigation and coordinating their efforts to identify the hacker conclusively and shut down his activities.
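The pivot described above, from a hostname read off a video frame to related infrastructure and a list of indicators, as an added example. This is not Mandiant's tooling and does not use the Censys API (which needs credentials and network access); it works over a small set of constructed, embedded host records shaped roughly like Censys host search results, and the field names, the hostname `srv-catnip`, the `example.net`/`example.org` names and the TEST-NET addresses are all assumptions made for the example. The one caveat it handles is that a prompt on screen usually shows only the first DNS label, so matching has to accept both the short name and a fully qualified name, and the transitive pivot through shared certificate names is bounded so a generic label cannot sweep in unrelated hosts.

```python
"""Pivot from a hostname leaked in a screen recording to related infrastructure.

Added example, not Mandiant's tooling. Runs offline over constructed records
shaped roughly like Censys host results (field names are an assumption).
"""
import ipaddress
import json
import re
from typing import Optional

# Constructed sample data: three hosts, two of which are tied to the leaked name.
SAMPLE_HOSTS = json.loads('''
[
  {"ip": "203.0.113.10", "location": {"country": "UA"},
   "dns": {"reverse_dns": {"names": ["srv-catnip.example.net"]}},
   "services": [
     {"port": 443, "tls": {"certificates": {"leaf_data":
        {"names": ["srv-catnip.example.net", "panel.example.net"]}}}},
     {"port": 22, "ssh": {"server_host_key": {"fingerprint_sha256": "aa11..."}}}]},
  {"ip": "203.0.113.11", "location": {"country": "UA"},
   "dns": {"reverse_dns": {"names": ["mail.example.org"]}},
   "services": [
     {"port": 443, "tls": {"certificates": {"leaf_data":
        {"names": ["panel.example.net"]}}}}]},
  {"ip": "198.51.100.7", "location": {"country": "NL"},
   "dns": {"reverse_dns": {"names": ["unrelated.example.com"]}},
   "services": [{"port": 80, "http": {"response": {"html_title": "Welcome"}}}]}
]
''')

# user@host followed by ':' or whitespace, as in a typical shell prompt.
PROMPT_RE = re.compile(r"(?:^|\s)[\w.-]+@([A-Za-z0-9][A-Za-z0-9.-]*)(?=[:\s]|$)")


def _normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def hostname_from_frame(text: str) -> Optional[str]:
    """Pull the hostname out of a shell prompt transcribed from a video frame,
    e.g. 'root@srv-catnip:~# rm -rf ...'. Returns None if no prompt is found."""
    m = PROMPT_RE.search(text)
    return _normalize(m.group(1)) if m else None


def names_for_host(host: dict) -> set:
    """Every DNS name the record attaches to a host: reverse DNS plus the
    names on TLS leaf certificates presented by its services."""
    names = set(host.get("dns", {}).get("reverse_dns", {}).get("names", []))
    for svc in host.get("services", []):
        leaf = svc.get("tls", {}).get("certificates", {}).get("leaf_data", {})
        names.update(leaf.get("names", []))
    return {_normalize(n) for n in names}


def name_matches(leaked: str, candidate: str) -> bool:
    """A name seen on screen is often just the first label (what `hostname`
    prints), so accept an exact match or a first-label match."""
    leaked, candidate = _normalize(leaked), _normalize(candidate)
    return candidate == leaked or candidate.split(".")[0] == leaked


def pivot(hosts: list, leaked: str, max_rounds: int = 3) -> dict:
    """Transitive pivot: hosts carrying the leaked name, then hosts sharing any
    name with those (certificate SANs, reverse DNS), bounded by max_rounds."""
    seeds, used = {_normalize(leaked)}, set()
    matched_ips, known_names = set(), set()
    for _ in range(max_rounds):
        used |= seeds
        new_ips = {h["ip"] for h in hosts if h["ip"] not in matched_ips
                   and any(name_matches(s, n) for s in seeds for n in names_for_host(h))}
        if not new_ips:
            break
        matched_ips |= new_ips
        for h in hosts:
            if h["ip"] in new_ips:
                known_names |= names_for_host(h)
        seeds = known_names - used  # only pivot on names not yet searched
        if not seeds:
            break
    return {"ips": matched_ips, "names": known_names}


def build_iocs(hosts: list, result: dict) -> list:
    """Flatten a pivot result into deduplicated IOC records (type, value, context)."""
    seen, iocs = set(), []

    def add(kind, value, context):
        if (kind, value) not in seen:
            seen.add((kind, value))
            iocs.append({"type": kind, "value": value, "context": context})

    for h in hosts:
        if h["ip"] not in result["ips"]:
            continue
        ip = ipaddress.ip_address(h["ip"])  # raises on a malformed address
        add(f"ipv{ip.version}", str(ip), f"country={h.get('location', {}).get('country', '?')}")
        for name in sorted(names_for_host(h)):
            add("hostname", name, f"seen on {ip}")
    return iocs


if __name__ == "__main__":
    frame_text = "root@srv-catnip:~# rm -rf /srv/exfil/victim_dump"  # constructed transcription
    leaked = hostname_from_frame(frame_text)
    for ioc in build_iocs(SAMPLE_HOSTS, pivot(SAMPLE_HOSTS, leaked)):
        print(f'{ioc["type"]:9} {ioc["value"]:26} {ioc["context"]}')
```

Run against the embedded records, the short name `srv-catnip` resolves to the first host, its certificate name `panel.example.net` pulls in the second, and the third host is never touched; the result is five indicators (two IPs, three hostnames). With real scanner data the same first-label match is also the weak point: a label like `mail` or `web` would match thousands of hosts, which is why the pivot is capped and why each new hop should be reviewed before it is added to an IOC set.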