The US-based threat intelligence company Recorded Future’s Insikt Group recently posted an article on its blog alleging that it had disclosed the identity of the infamous database vendor tessa88, who made the news in mid-2016 for selling databases of high-profile services such as LinkedIn, Dropbox, Myspace, Badoo, VK and more.

The actor behind the “tessa88” persona made a smart move by using a generic user name, or at least he thought so. Insikt Group’s results show that tessa88 is, in real life, Maksim V. D., a Russian citizen in his late 20s.

But how exactly did they do this? Well, the answer is easy: they linked the pieces of evidence left by tessa88 on multiple sites.

I will highlight the main points that led to the exposure of tessa88, but I recommend that you read the full article.

  • Insikt Group researchers found an imgur account called “tarakan72511” where one of the posts contains a picture of a man, with the title “tessa88”. The account also contains records of messages from other database vendors.

Tessa88's imgur post

  • An underground forum post claims that the actor “tarakan72511@chatme.in” is scamming users.
  • A YouTube account named “Tarakan72511 Donakov” was found with a single video uploaded. In the video, the voice says they are in Penza, Russia and the person filming shows a Mitsubishi Lancer
  • Searching for “Donakov” in “Penza, Russia” on Sudact.ru reveals that a person named Maksim V. D. has committed multiple crimes and had an accident involving a Mitsubishi Lancer
  • Searching for “Maximo Donakov” on OK.ru led to an account in which the user showed off a Mitsubishi Lancer and published photos of the same man found on the imgur account “tarakan72511”
  • Additional searches in the leaked databases located, in Penza, a resident called “Maksim Donakov”, born on July 2, 1989, matching the user profile information from the OK.ru profiles found

Insikt Group ends their article claiming:

“with a high degree of confidence that tessa88 is one of many monikers created by Maksim Donakov to sell high-profile databases on underground criminal forums.”

Moral of the story? Do not reuse usernames. Do not put your real information on sites. If you’re doing something like selling databases of many online giants, you probably do not want to publish your face on another page with the same nickname you post on questionable forums.

I must say, however, that I am not convinced that tessa88 is tarakan72511. In the digital era it is very easy to frame people. Very easy. It seems that after finding the imgur account, the Insikt Group skiptracers focused the investigation on this account. What if that account was created by tessa88 to leave fake digital footprints? Find a believable online target so that researchers think it’s you (someone who has a criminal past like Mr. Donakov) and simply create an account on a social networking site under his name.

Message log between tessa88, helloworld and ibm33a14 on Android.

Or maybe I’m wrong, maybe tessa88 is Donakov. After all, the imgur account had screenshots from tessa88 downloading and selling databases on his Android phone. Someone who wants to commit legally questionable activities on a smartphone is someone who does not care about privacy.

Really?