SecurityWeek

Researchers Reveal Identity of Hacker Behind Massive Data Breaches

Who is tessa88? Security Researchers Believe They Know Hacker’s True Identity

Recorded Future security researchers believe they have correctly identified the individual who in 2016 leaked data stolen in high-profile data breaches such as LinkedIn, Twitter, Tumblr, and others.

In early 2016, using various aliases, the individual posted on several underground forums, attempting to sell an extensive list of compromised, high-profile databases, such as LinkedIn, VKontakte, Yahoo, Yandex, Rambler, Myspace, Badoo, QIP, and Mobango.

Mostly known as tessa88, the hacker was banned from dark web communities within several months, and ceased all communication with both the media and the public. Previous attempts to determine the hacker’s true identity were unsuccessful. 

In May-June 2016, information on various data breaches started to emerge, painting a bleak image of the security of online accounts. Some of the largest incidents exposed at the time impacted millions of accounts at LinkedIn (167 million), Myspace (360 million), Tumblr (65 million), Twitter (32 million) and Russian social network VK (170 million).

Recorded Future now says that their investigation into the leaks has allowed them to link the tessa88 persona to an individual named Maksim Vladimirovich Donakov, who lives in Penza, Russia. 

In 2016, a report from InfoArmor suggested tessa88 was only a proxy that sold accounts and personally identifiable information (PII) to the “Group E” hackers. In May 2016, he allegedly partnered with another hacker, Peace_of_Mind, who also sold PII, to share the databases between them, but the relationship deteriorated after their customers started complaining about the poor quality of the data sold.

During their investigation, the Recorded Future researchers managed to connect tessa88 to multiple chat and email accounts, including Twitter, Imgur and YouTube accounts. This eventually led the researchers to photos of Maksim Donakov, as well as to information about him being located in Penza, Russia. 

The researchers also linked various details observed in the photos and videos posted on the analyzed online accounts with data collected from publicly available sources and determined that the individual behind all accounts is indeed Donakov, who was born on July 2, 1989, in Pervomaysk, Ukraine. 

Recorded Future also discovered that the confirmed tessa88 Bitcoin wallet had received at least 168 Bitcoins (or $90,000 at the time). The funds were laundered through the popular peer-to-peer exchange service LocalBitcoins. The wallet was used until August 2017.

“Insikt Group assesses with a high degree of confidence that tessa88 is one of many monikers created by Maksim Donakov to sell high-profile databases on underground criminal forums. Furthermore, it is likely that Donakov was active on the dark web since at least 2012 and also used the monikers Paranoy777, Daykalif, and tarakan72511,” the security researchers say. 

In 2016, the Czech police in cooperation with the FBI arrested a Russian national named Yevgeniy Nikulin, who is allegedly connected to the LinkedIn breach. The ongoing investigation in this case might shed more light on the tessa88 story as well, Recorded Future says. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
