Revenge is mine, saith a hacker. No big deal, saith a researcher.

Vinny Troia, a self-described security researcher and and the owner of cybersecurity firms Night Lion Security and DataViper.io, will be the opening keynote speaker at SecureWorld’s virtual conference this coming Wednesday. He has promoted himself and his talk by claiming that he will reveal all of the identities of key members of thedarkoverlord, GnosticPlayers, and ShinyHunters.

But while he may have been working on finalizing his presentation, someone who may be upset by his upcoming talk has been busy trying to discredit him.

DataBreaches.net received an anonymous tip earlier today pointing this site to a site where someone makes it clear that they are out to destroy his career.

“I’m about to end this man’s whole career,” someone promises.

The site contains a zine and other materials, including a list of allegedly all of the databases DataViper.io has amassed. That list, which DataBreaches.net is not reproducing here, includes well-known breaches, but also appears to include more data on some than was made publicly available.

Some of the databases on DataViper.io appear to come from leaks that Troia found, while others may be databases that Troia might have bought from hackers or data resellers, allegedly on behalf of his clients. Troia has occasionally claimed that he is acting ethically if he makes purchases on behalf of his clients with their authorization. It’s not clear, however, whether that is always lawful. The government has tried to provide some guidance as to under what conditions researchers or agents of data owners might purchase stolen data lawfully and under what conditions they might be setting themselves up for legal problems. DataBreaches.net is not a lawyer and offers no opinion on whether Troia’s conduct is always legal, although like Brian Krebs, this blogger has had concerns about reports about him (as well as false statements he has made about me to others).

A number of threat actors have claimed that he buys, sells, and trades databases with them, and acts just like any other threat actor, including trying to get them to give him information he wants in exchange for other information, such as offering to tell one threat actor what the government is doing or not doing about something in exchange for the threat actor giving him something he wanted.

From the zine the anonymous individual created:

DataViper is a data lookup site much like WeLeakInfo, LeakedSource and the others that came before it . For some reason Vinny thinks he’s above the law here given that the aforementioned sites have all been shutdown or seized by Law Enforcement . He will claim that he only gives access to organizations and LE but if you look through the data he gave access to DDB ( a member of GnosticPlayers [1] ) for several months ( August 27th 2019 to March 4th 2020 )[2] during which time DDB hacked many more sites [3] . I suspect as part of this relationship Vinny would get the data that DDB hacked in return which would make him complicit in DDB’s activities . If you go through the release list he has most if not all the Gnosticplayers data as a result of his special relationship with them . Unfortunately the DDB account was deleted before I compromised DataViper and its search history erased so those logs are not available but it’s easy to imagine how useful this lookup would be to the ShinyHunters/Gnosticplayers group as they mainly target developer Github accounts with password reuse . He also gave access to other people from RaidForums and to the WeLeakInfo admin [4] .

[1] https://www.dataviper.io/blog/2019/gnosticplayers-part-1-nclay-ddb-nsfw/
[2] If you look in the DataViper production DB in the user_activity table for references to DDB you can see that Vinny’s account makes a lot of updates to the profile details of DDB beginning in August 2019 and ending in March 2020 when he deletes the DDB account .
[3] https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
[4] Look for [email protected] and [email protected] in the user_activity table .

Obviously, allegations and accusations are just that. But is this a case of where there’s smoke, there’s some fire?

DataBreaches.net contacted Troia for a statement about the hack. He responded:

The post and everything was incredibly overblown, designed to discredit my talk and report which are coming out this week. The only thing they accessed was an old development server. And the “data” they are claiming came from my server is nothing more than NSFW and Gnostic’s data that has been on sale for months.

They are just upset about the fact that I can tie Shiny, Gnostic and TDO all together.

That seems quite true– that someone is upset — but are the data solely the NSFW and GnosticPlayer data that have already been publicly circulated? Doesn’t DataViper.io claim to offer access to private and undisclosed breach data. Will those data be on sale on the dark web, too?

Since I started working on this post, there have been more developments. After I contacted Troia for a statement, he started tweeting about the situation. And then things escalated a bit more, with another Twitter using posting a link to a paste. That paste provides examples of data found on DataViper that have allegedly not been publicly revealed before, I think the post is inaccurate about verifications.io as most of that has been released publicly, but there are other databases where I think the anon writer is correct and that the data have not been made public before now.

The zine-writer also notes that they still have access to the server:

You might be wondering how DataViper was hacked [1] . At the present moment I still have access to the DataViper servers and I think I will have access to them for the foreseeable future so I will not be revealing the entry points in this zine (but if you spot it in the source feel free to exploit it yourself) .

Just for a taste though you can look at the API docs [2] and scroll to the very bottom where you can get a free API key
( KDWkI01TERFzFKYNYwKIjh1vXmCv1g9Z0fcCLEzgg4oA9aNZQLHfjaXlqZ3bqkonMcI3Zm7vWLVNs7UqWnBT7XGxBDaea02ozkIU ) and an admin login ( dvdevops : [email protected] ) .

I may release more details in a follow-up zine if circumstances change .

Access has been maintained for over 3 months and hundreds of GB of data was exfiltrated without anyone noticing, even when he had to pay more money to DigitalOcean for more bandwidth . Great endpoint protection you got there .

At the present time, Troia continues to try to downplay the seriousness of the attack:

But as one reader replied, it does appear that databases were accessed and acquired:

Troia has yet to respond to his question. Or explain how he can say no databases were acquired when they are now up for sale.

Correction:  A previous version of this post incorrectly claimed that most of verifications.io had not been available on RaidForums.  It was.

 

About the author: Dissent

6 comments to “Revenge is mine, saith a hacker. No big deal, saith a researcher.”

You can leave a reply or Trackback this post.
  1. Enza Denino - July 13, 2020

    Just waiting for the day Mr. Vinny Troia (AKA Exabyte) will be arrested after an investigation by Europol and FBI. He has lied countless times and has been proven to be raidforums.com/User-Exabyte , where he sells and trades hacked data, which is illegal. He also blackmails people to share data with him. He uses multiple identities on all of these blackhat data trading websites… All proven to be him. He wants the media to spread misinformation by saying his site wasn’t hacked… all the databases have been access.. Proof of breach: http://app.dataviper.io/proof.txt (check web.archive.org , he brought the whole thing offline, proof is there).

    • Dissent - July 13, 2020

      I will be doing an update on this case at some point — if not later today, then probably tomorrow. And yes, I had seen the uploaded file, which is why I breaking my “no links” rule to let you include a link in your comment, as it’s pertinent to the claim that the server was accessed. The current controversy seems to be Troia’s claim that no databases were hacked/exfiltrated and that the data being sold are data that were already in NightLion’s possession. I’ll have more on that in the update.

      • Enza Denino - July 13, 2020

        Okay, here’s the thing. Even if NightLion/GnosticPlayers/NSFW/any of the guys already had some of the leaks, you can see for yourself in the zine the commands executed to remove the data from Vinny’s servers (the part where he does “curl -XDELETE localhost:9200/dbname”, that commands deletes the database from the local elasticsearch server, where upon successful execution it returns “ackowledged”, further proving those databases existed on Vinny’s server. Also, the Verifications.io database found on Vinny’s server only had 98 million records (word of NightLion). A lot of the databases allegedly from Vinny’s server I’ve never seen, and neither have some of the people on the forums. Of course Vinny has databases in common with other blackhat people, he trades and buys and sells, just like all of the other people. So why is he above the law? He shouldn’t be, and that’s why I hope he gets investigated and arrested.

        • Dissent - July 13, 2020

          I understand your points. But you know that in these situations, someone can claim, “Their proof is faked/fabricated.” And you know we’ve all seen scam reports where people have fudged chat logs or other supposed proof. I have to try to verify claims because Vinny is denying most of them. He says he doesn’t even recognize the db list as that’s not the way he names his files. Those filenames are in the MySql database that got dumped. (Update: he just told me that it is his list afterall). But can I be sure that NighLion exfiltrated databases when Vinny insists that he didn’t and that NightLion is only selling his own or faked data?

          And when someone contacts me and tells me that Vinny is using a particular alias and threatening someone or trying to bully them into sharing data on RF, then I have to see what I can find, especially if Vinny claims he has never used that alias. Spoiler alert: he claims he’s never used “Valentin0.”

          So yeah, this is taking longer than you would like. And even when I get more on the hack, that’s really not going to do what you might want it to do — I need to tackle the questions about ethics and legality separately and start contacting experts and all. I will, but it all takes time. And I really don’t know what they will say. You may not be happy with their answers, but I will pose the questions to them.

          But none of the above will have any impact on his keynote Wednesday. If anything, he will argue it proves he’s right in his attributions as he’s scared people so badly that they are trying to destroy his reputation, etc.

          • Enza Denino - July 13, 2020

            Yes of course, what you are saying makes sense. Also, I don’t remember a username “Valentin0” ever being mentioned, I was talking about the Exabyte alias. Has he denied that too? I don’t understand how he can deny that, when the IP address he used on Exabyte matches the IP address of his household. Maybe the search results for the IP address were fabricated and are not original to the actual breach, but I’ve been told Vinny’s own system (DataViper) has been used to look up those values. A more in-depth search definitely needs to happen, involving forum owners confirming these details and hopefully Vinny responding to these claims. That’s another thing… Vinny doesn’t like to answer many questions, he just responds with some unrelated nonsense trying to avoid them. Of all the questions he’s been asked on Twitter, I don’t think he’s answered (m)any, particularly ones where screenshots were posted. I’d love to watch his keynote but unfortunately it costs $25 to access (unless I’m not looking in the right places). I understand Vinny is a busy man and will probably start answering more questions after the keynote, but by then many more questions will probably arise, unrelated to the DataViper hack, and I think Vinny is using that to push this under the rug… Hopefully that won’t happen.
            Also, you’ve said he didn’t recognize the list, but now he’s admitting it’s real? What?! That’s a huge thing that he’s just said, changes everything… all the times he’s said no databases were breached/taken from his system… And if NightLion had access to the list of databases, he had access to the databases themselves. Both the MySQL and Elasticsearch instances were running on the same server, so it doesn’t matter if the list was from some MySQL table or directly acquired by querying Elasticsearch to list the indices.
            Either way, Vinny just has to admit he has poor security and the entire server was breached. There is a surplus of evidence to support those claims, he can’t just ignore this or say it’s fake.
            Also, please do keep posing questions, even if I don’t expect proper answers from them.
            Thank you for being so unbiased.

          • Dissent - July 14, 2020

            Yes, he acknowledged last night that the list was real and it was pulled from/created by that table. But he offers another explanation for it, while still denying that NightLion got his actual databases. And he also says that they have figured out that NightLion never had root. So I’ll wait a bit and then follow up after he gets through his talk to find out more about this incident and get his final statement on it rather than keep doing this piecemeal. But I do think people have often raised concerns that are worthy of serious discussion, so there are/will be four different follow-ups to this: (1) his accusations/attributions and methods of identifying threat actors he claims are with TDO, GnosticPlayers, ShinyHunters: has he provided solid evidence to support his attributions? (2) the attack by NightLion and what it revealed or didn’t reveal, (3) whether his methods are ethical, and (4) whether they are legal. Those will all be over time… I will be starting with going through whatever report he provides to justify his attributions as to individuals.

            And yes, he acknowledged using Exabyte, but didn’t specifically acknowledge using it on RF. His answer was, “I have used the exabyte name before, as is evident by my IP appearing on OGusers. More than one person can use a name.” He did not specifically say he used it on RF.

            Brian Krebs has also just reported on the NightLion hack. He and I seem to be pointing to the same DOJ guidance as to what is legal and what might cross the line.

Comments are closed.