Whose data are these — and are they real? NightLion v. Troia, Round 2
July 28 — Please see the correction notice and update at the bottom of this post.
On Sunday, a person or persons calling themself “NightLion” revealed that they had hacked DataViper.io. Data Viper is a service its founder, Vinny Troia, describes as “A Threat Intelligence Platform Designed To Provide Organizations, Investigators, And Law Enforcement With Access To The Largest Collection Of Private Hacker Channels, Pastes, Forums, And Breached Databases On The Market.”
NightLion, who claimed to have had access to the server for months, created an onion site. The site links to a zine they created about Troia and the hack, as well as a list of databases from the server and other data from the server. To top it all off, their in-your-face-and-up-your-left-nostril attack included putting 50 databases up for sale on a well-known dark web marketplace.
Being a security service that got hacked is not a great look. Having your assets dumped publicly can really hurt even more. But was DataViper’s collection of databases from nonpublic breaches acquired by NightLion?
In Round 1 of the NightLion-DataViper hack, Troia initially claimed that the list of databases posted by NightLion definitely did NOT come from his server (a server that he said was a dev server and not his production server). NightLion pointed to the MySQL table proof that the list was taken from a database, and Troia eventually walked back his denial, telling this site:
The db list IS my list. 100% accurate. That just came from a MySQL table. It was nothing special, just a list. I recently purchased breachtracker.org. That table is meant to be the basis of the new site to keep track of breaches. It’s just a table though. The problem is… and what they didn’t know, is that table is not 1:1 with what’s actually in my database. So things that they are claiming they got from me, they didn’t.
Welcome to Round 2: Whose Is It?
While NightLion claimed the databases for sale were all hacked from DataViper’s server, Troia claimed that none of them came from his server and that they are all either fake data or databases that came from NightLion’s own data stores. Of significant note, Troia claims that “NightLion” is associated with threat actors he will outing tomorrow in a conference presentation. Troia claims that they are desperate to harm his reputation before his talk. Indeed, they do seem determined to raise issues of character and reputation that might make potential clients leery of using Troia’s services.
DataViper advertises that its collection of breached databases includes undisclosed breaches. NightLion’s zine asserts:
MGM Grand Hotels is included in the dataset with 142 million entries and was imported by Vinny on November 30th 2019 . This number is very different to the 10.7 million number that they stated were affected  . This indicates that MGM knowingly misreported information regarding this data breach and that Vinny is aware of this misrepresentation .
The discrepancy between the 10.6 million reported publicly and 142 million understandably got media attention, and ZDNet has done some great reporting on this issue. But ZDNet’s coverage doesn’t reveal that Troia was intimately involved in MGM’s incident response– or so he told DataBreaches.net. And without naming MGM, he had actually discussed the MGM hack in his book:
One of the more recent investigations I worked on involved the hack of a multibillion dollar organization. Their stolen data was posted for sale in private circles, and upon finding this out, I immediately contacted the organization. The organization had many questions, and given my prior investigative work, I was able to reach out to the threat actor on their behalf and obtain information on how the breach occurred.
In a private chat, Troia would later hint that a nondisclosure agreement prevented him from revealing more in response to questions posed to him about the MGM incident. But he wrote up the incident in his book, identifying the RaidForums member known as “NSFW” as the hacker, and listing MGM in a list of “confirmed hacks” by NSFW. Troia wrote:
The following text is a portion of the writeup provided by NSFW, a threat actor we will be covering in much greater detail throughout this book, where he describes, in detail, how he was able to hack this organization’s network. The process he used was sophisticated, and by no means a run-of-the-mill drive-by hack.
You can read the write-up in Troia’s book, Hunting Cybercriminals. In chats with DataBreaches.net, NSFW acknowledged that he had responsibility for the MGM hack and that the amount of data was significantly more than what had been leaked publicly. He also confirmed that Troia had gotten him to do a write-up for MGM. Over a period of months, NSFW was reportedly in frequent communication with Troia, with Troia allegedly urging him to try to cut a deal to turn himself in. Troia would later blame this blogger for allegedly talking NSFW out of turning himself in, never realizing that NSFW had just been trolling him for months to learn what Troia knew about him and to try to misdirect him. It was not the first time, nor the last time, Troia would seem to be tricked by threat actors and to wind up believing and repeating misinformation or lies.
In any event, we have “NightLion” claiming that they obtained an MGM database with 142 million from Troia’s server and it is up for sale on a dark web market. We also have Troia claiming that NightLion did not get that database from his server. But did or does Troia have that database on DataViper? It seemed perfectly plausible that he might have it if it is real and if he had acted on MGM’s behalf. Certainly statements made by NSFW suggest that there was a lot more data than had ever been publicly leaked and that Troia had it all.
When asked directly today, Troia said that he doesn’t have the full data set. “I only have what was publicly posted,” he stated, adding, “From what i understand though it’s mostly garbage. That’s why they released only 10m. The larger set is just a ploy”
MGM has already been sued over the breach involving the 10.6 million database. The new listing may cause additional litigation problems for the resort if it turns out the data are real data on additional customers. MGM’s statement to ZDNet suggests that there aren’t any additional customers who need to be notified. But there’s still the issue of who’s lying about the source of the 142+ million database that NightLion has put up for sale.
The claimed MGM database was not the only eyebrow-raising result of the NightLion hack of DataViper.io. As the zine notes, the FiveStars data had never been publicly shared:
FiveStars is another data breach that is in DataViper but not publicly disclosed . It was imported in November 2019 . It is unclear where it was reported to them and they failed to notify their users or if Vinny did not notify FiveStars .
As Brian Krebs discovered when he investigated that claim, Troia had tweeted about that database being added to DataViper’s database in August of 2019.
Where and how did Troia get those data — data from a hack that FiveStars told Krebs it never knew about until this story came out? It would seem to be from private circles. Did “NightLion” have their own copy of FiveStars, as Troia’s claims would suggest? Were they the hackers?
Proving whether data for sale is coming from Troia’s databases or theirs poses a challenge. Troia may be telling the truth, but if databases with personal information were exfiltrated from his server, he might have expensive legal and notification expenses that would accrue.
Is it Ethical? Is it Legal?
When a presumed “whitehat” and a presumed “blackhat” provide conflicting claims, whom do you believe? I’ve occasionally believed blackhats more than their victims in some cases, and the present controversy between Troia and NightLion is one of those situations where Troia’s questionable behavior may make it a bit harder for some people to take his word for things. Specifically, the zine raised issues about whether Troia is engaging in criminal conduct by buying and selling data or trading it — issues that have been raised about him before.
In conversations with DataBreaches.net, and publicly, Troia has maintained that if he purchases a client’s database on a client’s behalf and with their authorization, then he has done nothing unethical or illegal. There is some justification for that or at least ethical justification — the client learns that data of theirs is allegedly up for sale and they want to see it so they can investigate a potential problem. But Troia has seemingly done far more than that. In his interactions, he has occasionally seemed to be claiming that he has bought, sold, or traded data — or was willing to. And when challenged about his sometimes appearing to do things that cybercriminals do, he once responded that he is “undercover” or has to build the credentials of his personas in dark web forums. In response, irate threat actors want to know why they should be prosecuted if he isn’t being prosecuted for the same conduct. They point out that Troia is not law enforcement or “undercover” law enforcement. Even if he provides data and information to law enforcement, that should not give him a get out of jail free pass if he is engaging in criminal conduct.
But is he? Possession of stolen data is a crime in some areas, even if it’s not bought, but just received. If Troia has acquired hacked data and is using it to develop his commercial business that makes him money, would a prosecutor or grand jury say that he has crossed lines he should not have crossed? Would prosecutors even be willing to prosecute him if they do not prosecute SpyCloud for its business? And who would prosecute anyone considering how law enforcement personnel may appreciate having access to the databases they acquire and make available?
And even if what he does should turn out to be declared legal by some court or courts, what about ethically? Do whitehat researchers and investigators really want to have a public image that includes buying and selling hacked data? I don’t think that’s a good look for the ethical researchers this blog has communicated with over the years. Brian Krebs’ column When Security Researchers Pose as Cybercrooks, Who Can Tell the Difference? raised a number of good questions, and both he and this site have pointed to DOJ’s guidance on threat intel a number of times. Neither the guidance nor Brian’s column are the first to raise concerns, of course, and the questions are likely to keep coming up until there is serious discussion and some sort of industry standards or court cases that address these questions.
What about just pressuring people or bullying them or extorting them into giving you hacked data? Is that legal? Is it ethical?
Over the past few years, a number of people have claimed that Troia uses a lot of pressure or extortion to get others to provide him stolen data or information that he wants. And recently, a few individuals have claimed that among Troia’s aliases is “Valentin0.”
“valentin0” posted Comodo.com data for tokens sale in May. He also posted Chronicle.com data and issued a threat to others if they didn’t share data with him.
Troia claims he is not “Valentin0:”
I have never even heard of Valentino
Actually I take that back. I have heard of him. This isn’t the first time I have been accused
I believe someone was trying to extort Chris and he assumed it was me.
Later in a chat, he expanded on that and seemingly admitted some involvement with valentin0:
Valentine keeps coming up. Megadimarus thinks its me because this person was blackmailing him. I dont know why chris/mega suddenly think I would be blackmailing him, but ok. Anwyay Valentino was used in this plot. That does not mean I am him, it just means I used him.
When asked to clarify what he meant by “used him in this plot” Troia stated:
It means I used him to relay information
I’m not the person, but I leveraged him because I knew he would share what I needed.
So he went from saying he never even heard of him and wasn’t him to saying that he wasn’t him but he used him in some plot? His answers do not sound totally credible.
Tomorrow, Troia will keynote a virtual SecureWorld conference where he intends to identify (and name) the members of thedarkoverlord, GnosticPlayers, and ShinyHunters. He is quite convinced that has tied the threat actors of all three groups together — that all three groups involve the same individuals. I look forward to seeing his proof or evidence to support the attributions.
Correction and Update:
A previous version of the post stated, “But Troia has seemingly done far more than that. He has admittedly sold data and traded it.” Troia contacted DataBreaches.net to note that he had never admitted any such thing and he requested a correction. That statement has now been edited because when I looked into it, I realized that he was right — I had nothing that showed him actually admitting to trading or selling data — especially since he continues to assert that he is not Valentin0 and that threat actors are feeding me fabricated or doctored logs. In any event, DataBreaches.net has replaced the “admitted” sentence with one that suggests that Troai had appeared to claim these things. And the post was also edited to remove a subsequent “Given that” preface and to replace it with an “If” preface. DataBreaches.net apologizes for having misunderstood and mischaracterized Troia’s public statements.
DataBreaches.net asked Troia for a statement that would explain his actual practices more. Here is his statement:
Researching and infiltrating groups of hackers and dark web forums is not easy, and often requires proof of activity. Often times extreme thinking prevails, and posing as a seller and listing fake data was a good way to get people’s attention. I have also worked with organizations, on numerous ocassions, to use this position to help them track down and purchase data that has been allegedly stolen from them. Not everyone knows how/when/where an attack happened, and sometimes acquiring the data is the only way they can figure it out. Purchasing data for a customer in this context is not illegal, I am doing it under supervision, with approval. The idea that I would somehow break trust with my customers and turn around and sell or trade the data which I acquired on their behalf is absolutely absurd. That has never happened, and never will happen.