Researchers Reveal Identity of Hacker Behind Massive Data Breaches

Who is tessa88? Security Researchers Believe They Know Hacker’s True Identity

Recorded Future security researchers believe they were able to correctly identify the individual who in 2016 leaked data stolen in high profile data breaches such as LinkedIn, Twitter, Tumblr, and others. 

In early 2016, using various aliases, the individual posted on several underground forums, attempting to sell an extensive list of compromised, high-profile databases, such as LinkedIn, VKontakte, Yahoo, Yandex, Rambler, Myspace, Badoo, QIP, and Mobango.

Mostly known as tessa88, the hacker was banned from dark web communities within several months, and ceased all communication with both the media and the public. Previous attempts to determine the hacker’s true identity were unsuccessful. 

In May-June 2016, information on various data breaches started to emerge, painting a bleak image of the security of online accounts. Some of the largest incidents exposed at the time impacted millions of accounts at LinkedIn (167 million), Myspace (360 million), Tumblr (65 million), Twitter (32 million) and Russian social network VK (170 million).

Recorded Future now says that their investigation into the leaks has allowed them to link the tessa88 persona to an individual named Maksim Vladimirovich Donakov, who lives in Penza, Russia. 

In 2016, a report from InfoArmor suggested tessa88 was only a proxy that sold accounts and personally identifiable information (PII) to the “Group E” hackers. In May 2016, he allegedly partnered with another hacker, Peace_of_Mind, who also sold PII, to share the databases between them, but the relationship deteriorated after their customers started complaining about the poor quality of sold data. 

During their investigation, the Recorded Future researchers managed to connect tessa88 to multiple chat and email accounts, including Twitter, Imgur and YouTube accounts. This eventually led the researchers to photos of Maksim Donakov, as well as to information about him being located in Penza, Russia. 

The researchers also linked various details observed in the photos and videos posted on the analyzed online accounts with data collected from publicly available sources and determined that the individual behind all accounts is indeed Donakov, who was born on July 2, 1989, in Pervomaysk, Ukraine. 

Recorded Future also discovered that the hacker had received at least 168 Bitcoins (or $90,000 at the time) to the confirmed tessa88 Bitcoin wallet. The funds were laundered through the popular peer-to-peer exchange service LocalBitcoins. The wallet was used until August 2017.

“Insikt Group assesses with a high degree of confidence that tessa88 is one of many monikers created by Maksim Donakov to sell high-profile databases on underground criminal forums. Furthermore, it is likely that Donakov was active on the dark web since at least 2012 and also used the monikers Paranoy777, Daykalif, and tarakan72511,” the security researchers say. 

In 2016, the Czech police in cooperation with the FBI arrested a Russian national named Yevgeniy Nikulin, who is allegedly connected to the LinkedIn breach. The ongoing investigation in this case might shed more light on the tessa88 story as well, Recorded Future says. 

Related: Mirai Author Gets House Arrest for DDoS Attacks on University

Related: Russian Police Arrest Man Involved in Android Banking Trojan Scheme