About a year ago, Brazilians discovered that a huge leak was for sale: it included 223 million CPFs – even those of the deceased – and personal information such as income, education level, address and list of relatives. That database remains for sale on the deep web, and could have netted as much as $5 million to the hacker who originally marketed it, according to an exclusive analysis shared with the technoblog.
What’s in the megaleak
In January 2021, the technoblog exclusively revealed the details of the mega-leak of 223 million CPFs. It contained 37 folders covering all kinds of personal data, such as RG, credit score, telephone and INSS registration, among others.
The hacker made the announcement on a forum, sharing a sample of the data to confirm it was real; he charged prices ranging from US$0.075 to US$1 per CPF, depending on the volume purchased. Payments were made in bitcoin.
Two months later, the hacker lowered the prices: he divided the leak into 40 equal parts sold at $750, the first of which was offered without payment. Whoever wanted all the content would end up paying $30,000.
Up to $5 million
Cybersecurity firm Kzarka claims to have tracked the various cryptocurrency wallets used by the hacker who sold the CPF mega-leak. The company’s focus is on discovering security breaches: between 2017 and 2020, it monitored more than 200 different leaks that, together, total 15.2 billion records.
Gwin specializes in cryptocurrency forensics at Kzarka. In an interview with technoblog, he explains that the company has been tracking the various transactions associated with the first person who sold the leak.
“We tracked cryptocurrencies related to the leak, and we have wallet data that is certainly the hacker’s; it’s 100% sure that they really belong to the person”, says Gwin. He asserts that the intruder moved more than US$250,000.
The value jumps to between $4 million and $5 million when considering wallets with a high probability of belonging to the hacker, that is, with a chance greater than 70%.
And this figure may grow: some wallets that were 40% or 50% certain to be the hacker’s jumped to 100% certainty, explains Gwin. “He used the address again, took two separate wallets and signed the same transaction, so we know for sure it’s from the hacker, and so we discover more funds.”
OK, but are the police aware of this? Well, Kzarka set up a siege on the hacker’s wallets, analyzing the money movements, and sent everything to the authorities. “We sent reports to the Civil Police regarding the cryptocurrency investigation that came from the leak,” says Gwin. However, he says no one has gotten back to them.
“We participate a lot in investigations beyond this one”, explains Gwin. “When an investigation goes to the Federal Police, they take all the documents received by the Civil Police”.
Hackers wait to spend
The analysis of each wallet needs to be done on an ongoing basis: depending on how it is moved, it may end up revealing its owner. “As time goes on and the owners of the wallets spend or move the money — which is no longer just bitcoin, but now has other types of currency — it becomes clearer whether these wallets only have a relationship with this hacker, or if they actually are this hacker,” says Gwin to technoblog.
This ongoing analysis is also necessary because, in order to take less risk, the hacker usually avoids tinkering too much with illegally obtained money. “Usually he’s afraid of making a mistake,” explains Gwin. “He knows he’s good at what he does, but he’s afraid that maybe there’s a better person there, that he doesn’t know exists… that’s why the criminal leaves cryptocurrencies in wallets for a long time.”
In terms of cybersecurity, this can be understood as decreasing the attack surface, says Gwin. By taking fewer actions, you have fewer situations to worry about, so you end up having more security – even if it’s just a perceived security.
“It’s a very complex thing, isn’t it? It has a lot of moving parts, so you think, ‘the less I move, the lower my risk,’” notes Gwin. The expert still makes one caveat: the money was spread across different cryptocurrencies, including some that Kzarka does not track.
Bitcoin is traceable
This type of analysis is possible because bitcoin transactions are public. They are recorded on the blockchain (ledger), including the value, date, time and wallet; and can be accessed by anyone. The same goes for currencies like ether.
Blockchain does not reveal the identity of who makes each transaction, but if you know who owns a bitcoin wallet, you can track the money. Of course, tracking is not so simple because the hacker has his tricks to try to hide – using money laundering, for example.
Therefore, it is not always possible to determine that a wallet belongs to a particular person; but, thanks to advanced monitoring systems, the probability can be calculated. These systems do something called clustering, scouring the transactions of certain wallets to find out where the money went – and find out where it might have come from.
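The “two separate wallets signed the same transaction” observation above is the common-input-ownership heuristic that clustering tools rely on. The example below (added here; it is not Kzarka’s tooling, and the ledger, addresses and transaction ids are constructed) merges addresses that co-sign one transaction into a cluster and then follows funds forward, treating each cluster as a single owner:

```python
# Added example (not Kzarka's tooling): the common-input-ownership heuristic
# the article describes, run over a constructed, fictional set of transactions.
# Addresses that co-sign the inputs of one transaction are assumed to share an
# owner; union-find merges them into clusters, and a forward walk then follows
# funds from a known address through every cluster that later spends them.
from collections import defaultdict

# Constructed sample ledger: (txid, input addresses, output addresses).
LEDGER = [
    ("tx1", ["A1"], ["A2", "A3"]),   # A1 (known) pays A2 and A3
    ("tx2", ["A2", "B1"], ["C1"]),   # A2 and B1 co-sign: same owner
    ("tx3", ["B1"], ["D1"]),         # B1 alone moves funds on to D1
    ("tx4", ["E1"], ["F1"]),         # unrelated activity
]

def cluster_addresses(ledger):
    """Return {address: frozenset(cluster)} using common-input ownership."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]       # path halving
            x = parent[x]
        return x

    for _, inputs, outputs in ledger:
        for addr in inputs + outputs:
            find(addr)                          # register every address
        for addr in inputs[1:]:
            parent[find(addr)] = find(inputs[0])  # merge co-spending inputs
    members = defaultdict(set)
    for addr in parent:
        members[find(addr)].add(addr)
    return {a: frozenset(members[find(a)]) for a in parent}

def trace_funds(ledger, start):
    """Addresses reachable from `start`, treating each cluster as one owner:
    anything a cluster member receives, any member may spend later."""
    clusters = cluster_addresses(ledger)
    seen, frontier = {start}, [start]
    while frontier:
        owner = clusters.get(frontier.pop(), frozenset([start]))
        for _, inputs, outputs in ledger:
            if owner & set(inputs):             # this owner spent here
                for out in outputs:
                    if out not in seen:
                        seen.add(out)
                        frontier.append(out)
    return seen
```

Tracing from A1 reaches D1 only because B1 was clustered with A2 by tx2; B1 never received coins from A1 directly, which is exactly how a co-signed transaction “discovers more funds”. The heuristic is a probability, not proof: transactions whose inputs are deliberately pooled by unrelated parties break the assumption, which is why Gwin speaks in confidence percentages.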
Megaleak is sold by other people
So far, we’ve only talked about sales of the original megaleak. However, the database is now in the hands of more people, who have reorganized the information to resell it. Gwin tells technoblog he has seen four adaptations of this data; in some cases, the objective is to make everything more machine-readable, that is, suited to analyses carried out by a computer program.
“But there are certainly more than four versions now,” says Gwin, “so in 2023, 2024, 2025, we will continue to see this information being sold, each time at lower prices.”
The price of the leak goes down because it follows market forces: supply increases as data spreads across the internet; and demand decreases because the information has an “expiration date” (shelf life). “For example, income data is important, but you might not be in the same job for ten years,” explains Gwin; thus, this data loses value as time passes.
Meanwhile, other information can be used for longer; this is the case with the CPF, which cannot be changed. “In the crime of fraudulent misrepresentation on the internet, someone can use your name or CPF to open a bank account… The criminal doesn’t have that many options, he basically goes to the database and chooses a random CPF, from a random person, and uses it,” explains Gwin.
Due to this diversity of data in the leak, the Kzarka expert believes that this information will continue to be sold for quite some time, about three years. “And crimes of different types will still happen as a result of this leak”, he warns.
A curiosity: the specialist identifies himself only as Gwin because “the job requires hiding the name due to possible reprisals from criminals”. He explains that he used that nickname to access online games and then kept the nickname to explore the deep web.
Collaborated: Laura Canal