
Hacker “USDoD” Arrested in Brazil for Long String of Data Breaches

One of the world’s most flamboyant and high-profile criminal hackers has been picked up by Brazilian authorities. Luan BG, who operated under the names “USDoD” and “EquationCorp,” was behind the major data breaches of National Public Data and InfraGard among others.

Brazil’s Polícia Federal picked the hacker up shortly after his real identity was publicly outed through a CrowdStrike report, seemingly in response to an attack on the security firm. The arrest was part of a project the authorities call “Operation Data Breach,” which is targeting hackers who have attacked the national police and other agencies.

USDoD arrested for federal police data breaches

USDoD has a years-long history of data breaches, leaking the stolen information or offering it for sale on hacking forums. This has included some extremely damaging collections of information, the largest of which thus far has been the National Public Data breach involving 2.9 billion records including some that contained US Social Security numbers and other sensitive personal information from Canada and the United Kingdom. In April the hacker offered this database for sale on a well-known underground hacking forum for $3.5 million.

The hacker also boasted of breaching InfraGard, a public-private partnership between the FBI and critical infrastructure meant to bolster national security via threat information sharing. Those two hacks certainly earned him special attention from international law enforcement, but what ultimately seems to have done him in is a brazen attack on CrowdStrike combined with two older data breaches against Brazil’s Federal Police that provided authorities there with ample motivation and opportunity to pick him up once he was identified.

The CrowdStrike attack saw the hacker steal and leak the firm’s internal threat actor list. CrowdStrike did not directly dox USDoD, but Brazilian tech publication Techmundo received a CrowdStrike report from an anonymous source that contained the hacker’s real name. For whatever reason USDoD decided to publicly confirm the Techmundo report, boasting to media outlets that other companies were already aware of his identity. He was summarily picked up by the police in Belo Horizonte.

While CrowdStrike triggered the public unmasking of USDoD, the immediate charges for his arrest stem from prior data breaches involving the Federal Police. The agency charged him with two instances of offering data stolen from them for sale on May 22, 2020 and February 22, 2022. The second incident reportedly involved him offering the email addresses and passwords of 659 officers and employees.

Still unclear why hacker confessed to data breaches

Considering that Techmundo published an unverified internal CrowdStrike report from an anonymous source, it is not entirely clear why USDoD essentially went out in public and offered himself up for arrest by confessing to his data breaches. A post from shortly before his arrest mentioned planning to “retire his jersey” and a desire to “take responsibility,” “pay the price” and “do (something) for my country.” Though this might indicate some remorse, a few days later the hacker was observed on one of his usual underground forum hangouts posting exploit code for a known vulnerable WordPress theme.

The pressure may have gotten to him after the National Public Data incident made the jump from niche cybersecurity news to the mainstream, thanks to initial breathless reporting that every US Social Security number had been exposed (later tempered by security analyst research). That incident essentially put the data broker out of business, as it declared bankruptcy in the face of multiple class-action lawsuits. USDoD claimed that he merely stole the data, but was not the one who leaked or sold it.

The hacker might also be looking to angle his way into a security analyst job at some point, particularly after managing to social engineer his way into the FBI’s InfraGard program. USDoD managed to successfully pose as the CEO of a major US financial firm to get access, which was quickly used to steal the contact information of some 80,000 of the program’s members.

Other known data breaches that involved USDoD include Airbus and TransUnion. The Federal Police say they are investigating materials seized from the hacker to determine whether he participated in any other previously unknown data breaches, something that is very much a possibility given that his career stretches back at least four years.

USDoD racked up some of the biggest numbers in terms of recent data breaches. Other major breaches for 2024 include a loss of Social Security numbers at AT&T, payment information from TicketMaster, and an assortment of sensitive personal information from background check outfit MC2 Data. All of these involved tens to hundreds of millions of customer records, but were still eclipsed by the total count of the National Public Data breach.