Vinny Troia, the cyber-security researcher named in a fake alert sent to thousands of people from the FBI's own email system on Friday night, says he has identified the person who was allegedly behind the exploit.

Troia – white-hat threat hunter, cybercrime investigator and founder of the security firm Night Lion Security and its rebranded successor, Shadow Byte – stated in a post published Tuesday that he was contacted on Friday night by the actor who claimed responsibility, Pompompurin.

Releasing Alerts

Late on Friday night, an FBI system – specifically, the Law Enforcement Enterprise Portal (LEEP) – began sending alerts about fake cyber-attacks from the very real FBI address eims@ic.fbi.gov.

The emails went out to about 100,000 email addresses scraped from the American Registry for Internet Numbers (ARIN) database. Because the email headers were genuine, the messages caused "a lot of disruption," according to Spamhaus, which first detected the exploit.

Software Misconfiguration

The FBI blamed a software misconfiguration. At about the same time that the false warnings were going out, the actor reached out to security journalist Brian Krebs with this message:

“Hi its pompompurin. Check headers of this email it is actually coming from FBI server. I am contacting you today because we located a botnet being hosted on your forehead, please take immediate action thanks.”

On that same night, around 10 pm ST, Pompompurin also gave Troia a jeering heads-up, direct messaging him on Twitter to say "Enjoy" and then following up on Saturday to ask whether Troia had in fact enjoyed himself.

Quite a History

"I knew immediately an attack was coming as he typically likes to (sadistically) give me a heads-up right before they stage some sort of attack on me," Troia explained in his writeup.

It seems that Troia and Pompompurin have quite a history.

The fake FBI alerts tied Troia to The Dark Overlord – a cyber-criminal group that Night Lion Security published research on in January and which it continues to investigate.

"The purpose of the email was to apparently discredit Night Lion and Shadow Byte's founder, Vinny Troia, claiming that I am a member of that group," Troia outlined in his Tuesday writeup.

Private API Key

Troia gave what he called a brief history of his experience with Pompompurin:

"The last time this happened he sent me a message informing me that the US National Center for Missing and Exploited Children posted a blog naming me as a sexual predator," he wrote.

"Before that it was a heads up on a DDoS attack on our free consumer Breach Check website; before that the actor hacked my personal Twitter using a private API key that was stolen from our Data Viper website, in order to send out a number of childish Tweets to reporters; before that he tried to publicly frame me for the hack on Astoria company; and before that, it was something else."

Real Identity

Troia thinks he knows Pompompurin's real identity: the actor is allegedly a man from Calgary, Canada, who was named in a July 2020 report that described him as "the alleged mastermind" behind several major cyber-crime groups, including The Dark Overlord, GnosticPlayers and ShinyHunters.

According to the report, the Canadian who is allegedly the Pompompurin threat actor was responsible for leading groups and engineering attacks that were "responsible for nearly 40% of all non-credit card-related data breaches over the past four years."

‘Innocent Until Arrested/Extradited/Proven Guilty’

Keenan Skelly, CEO of Shadow Byte, revealed that the findings contained in the 2020 report, "Identifying Pompompurin: Attribution of the hacker behind the FBI email hoax," have been reported to the St. Louis FBI and the Calgary Police Department in Canada.

US Congressman Luis (Lou) Correa, CA-46 (US House Committee on Homeland Security, Congressional Cyber Security Caucus), confirmed to the Shadow Byte team that Friday's breach of the DHS/FBI LEEP email server could be attributed to the Calgary man.

He called the breach "the latest in a long string of data breaches which evidence indicates can be attributed to one individual operating in Calgary, Canada."

Legalities

Legal obstacles are preventing the US from arresting or extraditing him, however, the Congressman observed: "Unfortunately, Canadian cyber security and privacy law have made it difficult to arrest this individual and extradite him once apprehended."

"Since July of this year, I have been receiving research and intelligence from the leadership team at Shadow Byte, a Threat Intelligence Company investigating the hacker," Correa added.

"In reviewing the details of their investigation and evidence, it is clear that we (US) must do better in our coordination with other countries for extradition of cyber-crime suspects."

Lack of Success

He concluded by lamenting the country's lack of success in rooting out cyber-criminals who are right on its doorstep: "While recent efforts at curbing international Ransomware organisations have focused on extradition, this has been limited to Russia and China," he explained.

"Meanwhile, cyber-criminals in other parts of the world, much closer to our own borders, seem to have carte blanche while they hide behind their country's laws. My office will continue to push the importance of this on The Hill and to the White House."
