USDoD: Dark Web Threat Actor Arrested

October 29, 2024

The dark web community of those buying, selling, trading and sharing data is extremely active. Dark web sites such as BreachForums and LeakBase are heavily used by threat actors to trade data, ask about what is available and provide links to stolen data. However, some individuals in this community are more active than others, regularly sharing data leaks from high-profile organizations, often claiming they have hacked the data themselves or worked with other hackers to make the data available.

One such threat actor is known as USDoD. He has been very active on BreachForums, sharing multiple leaks and also claiming to be starting his own site to share data. However, it was reported late last week that he had been arrested in Brazil. Here we will review some of USDoD’s activities and what led to his arrest.

USDoD has had a profile on BreachForums since July 2023. In that time, he had posted 112 times, created 33 threads and earned a reputation of 891. His profile also states that he had referred 31 people to join the forum. He also won awards as a “leaker,” “hacker,” and “God.”

Figure 1: USDoD’s BF profile which has been banned subsequent to his arrest

While most threat actors active on the dark web tend to try and hide details about themselves, USDoD shared further information on his profile. While this information is likely false, it is notable that any information at all was shared. The profile also provides links to his Telegram channel and his Twitter/X account.  

Figure 2: Additional information provided on USDoD’s BF profile

While many threat actors are active on Telegram, it is unusual that USDoD linked his dark web profile to an open web social media profile. Linking this digital footprint allows investigators more avenues to identify the true identity behind USDoD’s alias.

USDoD was known to share posts on Twitter/X which would detail his activities, such as visiting family members in hospital and watching the US election debates. While these details could have been shared to throw off researchers, it is still unusual and risky behavior for a threat actor. His Twitter/X account is currently suspended.

USDoD leaked a lot of data on BreachForums. Some high-profile leaks and data scrapes included: 

  • LinkedIn 
  • InfraGard
  • National Public Database
  • USA Criminal Records
  • CrowdStrike IoC list
  • Gov UK database
  • EPA.gov

Such high-profile targets meant that many governments and law enforcement operators were likely keen to identify and apprehend USDoD. 

Figure 3: List of threads posted by USDoD highlighting his targets 

When BreachForums was seized in early 2024, USDoD posted on Twitter/X that he was planning to create his own forum, hosted on the surface web, which would allow users to continue to share data.

He claimed that this new site would be completely run by him, as he did not trust anyone else. He also outlined the technology he would use, the domains he had registered, how he would operate the site and what information would be allowed on it.

He stated that he was launching this platform for the good of the community rather than for financial gain. USDoD named the new site BreachNation, and even spent time uploading profile images and media related to the new site.  

Figure 4: Twitter posts from USDoD announcing BreachNation

Ultimately, USDoD backtracked on his promise to launch this site. In a lengthy post on Twitter/X he stated that he did not have the time to run the site in the way that he wanted to. He stated he had a social life to maintain and if he ran this site it would take up all of his time and he would not be able to live his life.

By this point, BreachForums was back up and running as usual, albeit with some more security to enter the forum. USDoD continued to use BreachForums to share more leaked data.  

Reporting in August 2024 suggested that USDoD had been doxed and that his true identity had been identified. However, no information was identified on the usual dox sites such as Doxbin and Pastebin.  

Chatter quickly stated that the information had come from CrowdStrike, one of the targets of USDoD. A Brazilian news agency stated that they had been leaked a “detailed report from CrowdStrike” which had identified USDoD as a 33-year-old man living in Minas Gerais, Brazil. 

The article further stated that all of the information relating to this individual had already been passed on to law enforcement agencies.

After this article came out, USDoD appeared to confirm that the information shared and his true identity were correct. He stated that he would be turning himself in for the actions that he had taken.

Figure 5: USDoD quote confirming his identity 

However, many in the community thought that the information was incorrect and had been made up to protect USDoD’s true identity.

On October 16, 2024, Brazil’s Policia Federal announced that they had arrested a suspect in Brazil as part of Operation Data Breach, who was allegedly responsible for hacking the Federal Police and other international institutions.

In their release, the police went on to state that the suspect had also boasted of several other “cyber invasions” including the hack of InfraGard.  

The community which USDoD seemed very proud to be a part of was quick to spread the news of the arrest, looking for information to confirm if it was true, with some noting that they were wrong to doubt the authenticity of the “dox.”

Figure 6: Chatter on BF related to USDoD’s arrest 

The arrest of the individual behind USDoD highlights law enforcement’s continued efforts to counter the spread of stolen information and apprehend the individuals hacking into organizations’ systems on a global scale.

However, USDoD presents an interesting case given his transparency about his daily life and his seeming indifference to hiding his identity, when concealment is usually a hallmark of those who operate on the dark web. The fact that he was willing to confirm his true identity and suggest that he would turn himself over to law enforcement may suggest he had become disillusioned with his criminal activities.

Whatever the case may be, USDoD was a prolific hacker and sharer of sensitive data. His apprehension by Brazilian authorities will contribute to a safer ecosystem until some other actor steps up to take his place. But a message has been sent to the stolen data sharing community that they are not safe from law enforcement action.  



Copyright © 2024 DarkOwl, LLC All rights reserved.