Catching My Hacker via Leaked Databases

mthcht, published in OSINT TEAM, 8 min read, Oct 4, 2023


This blog post was written in 2016; I recovered it through some data carving on old backups.

I got Hacked

In 2009 I was living in France and before the French company ‘Free Mobile’ disrupted the mobile market, we all had to deal with useless and expensive mobile plans.

I was still in school and didn’t have much money, so I used a basic mobile plan that cost me 20€ per month for phone calls and text messages. Sometimes, I didn’t use all of my credit, so I found a website that allowed me to transfer some of it to a PayPal account by calling a premium-rate phone number.

The website had a referral ("sponsorship") scheme, which I thought was a great way to earn extra money. I posted my referral link on a forum, encouraging people to sign up under me. Every time one of my referrals called the premium-rate number, I earned 5% of the money :)

Within a few weeks, I had amassed more than 50 referrals and was making decent money (about 80€ per month) without lifting a finger. Over a year, I earned more than 1200€ just from this referral arrangement. Life was good for a teenager!

Then disaster struck. Someone hacked my account and had stolen around 90€ by the time I realized I couldn't log into the website. :(

I managed to regain control of my account by communicating with customer support via email. At the time, I didn't think much of it and didn't pursue any action. The only clue I got from customer support was the hacker's username, which he had set on my account on the website.

I’ve altered his username and the locations for the purpose of this blog post.

Username: charle50140

I know exactly how he got my password but can’t say this publicly

Investigating

Fast-forward to 2016. I was going through my old emails and stumbled upon the correspondence with the website's support, which included the hacker's username. Around that time, I started a project with a friend aimed at compiling leaked databases and organizing the records to make them easily searchable, much like the famous haveibeenpwned.com, but with all the juicy details!

From 2014 to 2016, there were many database leaks from big companies publicly available on the internet. I began collecting all the leaks I could find. Some were hard to come by, but I mainly sourced them from Twitter and forums like LeakForum, Siph0n (@datasiph0n), and 0dayforum (a TOR site).

Given the hacker's unique username, I thought it shouldn't be that hard to find this guy. I wrote a simple Python script to guess his email address from the popular email providers of the time and query the old HaveIBeenPwned API to check whether any of those addresses had been pwned since 2010.

#!/usr/bin/env python3
import sys
import time

import requests

# Mail providers commonly used in France at the time: the script tries
# <username>@<provider> for each one and asks HIBP whether it appears in a breach.
providers = ['hotmail.fr', 'free.fr', 'orange.fr', 'live.fr', 'sfr.fr', 'yahoo.fr',
             'gmail.com', 'outlook.fr', 'hotmail.com', 'yahoo.com', 'laposte.net']
# The v2 endpoint used back then has since been retired; v3 needs an
# 'hibp-api-key' header, but the loop below is otherwise unchanged.
API = "https://haveibeenpwned.com/api/v2/breachedaccount/"
headers = {'User-agent': 'haveibeenpwn'}

if len(sys.argv) != 2:
    sys.exit("usage: {} <username>".format(sys.argv[0]))

for provider in providers:
    account = "{}@{}".format(sys.argv[1], provider)
    try:
        # headers must be passed by keyword: the second positional argument
        # of requests.get() is 'params', not 'headers'
        r = requests.get(API + account, headers=headers)
        if r.status_code == 429:        # rate limited: stop rather than hammer the API
            break
        if r.status_code == 404:        # address not found in any breach
            time.sleep(2)
            continue
        r.raise_for_status()
        infos = r.json()
        print("\n---" + account + "---\n")
        for breach in infos:
            print("{}PWNED on {} the {}{}".format('\033[93m', breach['Title'],
                                                 breach['BreachDate'], '\033[0m'))
    except Exception as err:
        print("\n {} ERROR -- {} \n".format(account, err))
    time.sleep(2)

I thought I could have some fun here. Although I don't have access to the Dropbox dump, I already have everything else. 😈

At the time I was still in the collecting phase, so nothing was structured yet; I just used grep on all the raw dumps. The xsplit data had this structure:

username, name, email, Salted_MD5hash

I managed to crack this salted MD5 hash on hashkiller.

password: dijon50140

He had recycled this password on Gamigo as well. Apart from the Adobe dump, I cracked the other hashes with Hashcat and a Python script I had written to guess passwords containing French characters. I won't share the script here; it's too embarrassing now, but it had nice ASCII art x)

So, now I have all his passwords (he just added an uppercase letter and a 0):

  • xsplit: dijon50140
  • gamigo: dijon50140
  • Gametuts: Dij0n50140
  • 000webhost: dij0n50140

As I suspected, these were useless; he’d changed his passwords. However, I managed to pivot to a different username from his xsplit account: {redacted}Usher{redacted}.
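What the cracking step above actually involves, as an added example that is not part of the original post: a dictionary attack on per-record salted MD5 hashes, with hashcat-style mangling rules so that the "uppercase and a 0" variants are tried automatically, followed by a grouping step that flags the password recycling across sites. The records are constructed here (the salts and the md5(salt + password) scheme are assumptions, and make_record() only exists to fabricate the hashes so the example runs offline); the four passwords are the ones listed above.

```python
import hashlib

# Constructed records in the "username, name, email, salted MD5" shape of the
# xsplit dump.  The salts and the md5(salt + password) scheme are assumptions;
# make_record() exists only to fabricate the hashes so the example runs offline,
# and crack() never looks at the plaintext they were built from.
def salted_md5(salt, password):
    return hashlib.md5((salt + password).encode()).hexdigest()

def make_record(site, salt, password):
    return {"site": site, "salt": salt, "hash": salted_md5(salt, password)}

RECORDS = [
    make_record("xsplit", "k3Fq", "dijon50140"),
    make_record("gamigo", "9aZx", "dijon50140"),
    make_record("Gametuts", "Q7ml", "Dij0n50140"),
    make_record("000webhost", "Rt08", "dij0n50140"),
]

# A tiny constructed wordlist: the base words an investigator would try after
# reading one cracked password.
WORDLIST = ["caen14000", "dijon50140", "charle"]

# hashcat-style rules: 'c' (capitalise the first letter), 'so0' and 'si1'
# (substitute o->0 and i->1), applied in every combination.
RULES = [
    lambda w: w[:1].upper() + w[1:],
    lambda w: w.replace("o", "0"),
    lambda w: w.replace("i", "1"),
]

def mangle(word):
    """Every variant of `word` reachable by applying the rules."""
    variants = {word}
    for rule in RULES:
        variants |= {rule(v) for v in variants}
    return variants

def crack(records, wordlist):
    """Dictionary attack.  Because each record carries its own salt, the hash
    has to be recomputed per record; a precomputed lookup table is useless."""
    candidates = {}
    for base in wordlist:
        for variant in mangle(base):
            candidates.setdefault(variant, base)
    found = {}
    for rec in records:
        for cand, base in candidates.items():
            if salted_md5(rec["salt"], cand) == rec["hash"]:
                found[rec["site"]] = (cand, base)
                break
    return found

def reuse_clusters(found):
    """Group sites whose password derives from the same base word, i.e. the
    'same password with an uppercase and a 0' pattern."""
    clusters = {}
    for site, (_, base) in found.items():
        clusters.setdefault(base, []).append(site)
    return {b: sorted(s) for b, s in clusters.items() if len(s) > 1}

if __name__ == "__main__":
    found = crack(RECORDS, WORDLIST)
    for site, (pw, _) in found.items():
        print("{:<12} {}".format(site, pw))
    print("recycled:", reuse_clusters(found))
```

Against real dumps the wordlist would be the usual large lists and the rules a full hashcat rule file; the point is that one cracked password becomes the seed for every other account of the same person, which is exactly why the small variations above gave him no protection.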

I ran my HaveIBeenPwned script again to guess an email address with the ‘…usher…’ username. I found nothing. A Google search, however, led me to a Twitter conversation involving a deleted account @…usher… with the name:

Charle B.

Okay, so we have Charle B., the 'B' likely being the initial of his last name. What's his full name? Still unclear. Although his account has been deleted, he was tagged on Twitter in a photo with another kid back in 2012.

Here is the young hacker (cropped):

The other kid in the photo doesn't offer any more clues, and his account is inactive.

Charle, our suspected hacker, has a YouTube channel under his other username …usher…, where he uploads content about hacking techniques as well as Call of Duty gameplay. His most recent video, from 2015, showcases a RAT tool and displays his list of victims…

Using his username as a lead, I found that Charle frequents several hacking forums. One of them is crackingforum.com, which, as luck would have it, had recently suffered a database leak, found here!

I searched for his username in the leaked crackingforum.com database and found a matching email, charle50140@gmail.com, confirming it’s the same person. Interestingly, this particular database wasn’t available on haveibeenpwned.com at the time.

I didn't bother cracking the salted hash, as the crackingforum.com dump contained the user's IP address, 88.154.16.50! The database recorded this IP as active in 2011, and though it has probably changed since, a quick geo-IP lookup confirmed it was a French address. Interestingly, the geo-IP location didn't match the city I suspected the hacker lived in, based on the postal code 50140 in his username, but it was probably his real IP address back then.

Deciding to dig deeper, I crawled through all the dumps I had, specifically searching for this IP address, 88.154.16.50. After two days of searching, I struck gold. The IP address popped up in the Ashley Madison dump, but with a different username and a 1970 birthdate; I also got the city and last login date. His father, perhaps? I didn't think French people used this site…

dcafman, 50140, Caen, 1970–03–01, 2015–04–09 07:19:12

I'm now convinced this is his dad and that he lives in Caen. After Googling the dad's username dcafman, I found his eBay account, where he's selling all kinds of old stuff in Caen.

So, what's next? I've got the hacker's face, voice, first name, the first letter of his last name, and his city (Caen). Time to hit up Facebook!

There are 269 Charles in the city of Caen and 23 of them with a last name starting with B.

I immediately spotted a Facebook profile featuring the flag of Dijon's football team, Dijon being part of his password back in 2011.

I didn't recognize him at first, but after scrolling through his friends' posts from 2012 (found via the likes on public pictures of him), I found the same photo that was on Twitter! It's definitely him!

Nice! Now that I have his real name, it's time to find his address!

On Facebook he had hidden his friends list and personal information; only three public pictures of him were visible. I noticed a comment from his sister on his public profile picture.

Since her friends list was visible, I searched for the hacker's last name there and voilà! I found the entire family:

That was easy!

After spending a few hours digging into his family history, I found his mother’s address and phone number on a French Christian church website. I doubt she’d be thrilled to learn what her son is up to 🤣

By the way, they have a nice little house (thanks, Google Maps)

According to posts on his sister's Facebook wall, the hacker no longer lives there. He's 20 and has been living not too far away with his girlfriend since September 2016. How do I know this? His girlfriend posted the exact location of their new home on Facebook…

On Google Maps:

All the sensitive data I have on the hacker:

  • Real name (Facebook)
  • Emails
  • Skype (from one of his hacking sites and Facebook)
  • Birthdate (hacking site and sister's Facebook posts matched)
  • The family house address and phone number (church site)
  • His house address (Facebook)
  • Old high school (Facebook)
  • Workplace (Facebook)
  • All the family members' and friends' names (Facebook)

What is he up to 7 years later?

It's 2023; he has LinkedIn now. He's currently an engineer in the travel industry and still with his girlfriend. They've recently moved to Miami.

He enjoys traveling:

Let’s hope it’s not funded by his victims’ money.

The End. (or not)

Conclusion

So, you’ve heard my story, but let’s take a step back. This isn’t just about me catching a hacker when I was a teenager in school. It’s also about how leaked databases can be goldmines for the good guys.

CTI (Cyber Threat Intelligence) teams are doing the exact same thing. They search these leaks for emails, usernames, domain names, and IP addresses, anything related to your company, so they can identify exposed accounts and reduce the risk!
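Both the IP pivot in the investigation above (username to email and IP in one dump, then the same IP turning up under another username in a second dump) and the company-domain search CTI teams run come down to the same thing: normalising dumps that all use different layouts into one inverted index and then walking the shared identifiers. The following is an added example, not the author's tooling; the three dump excerpts are constructed (the column orders, hashes and the example.com rows are assumptions, while the usernames, email, IP and Ashley Madison row are the already altered values from the story).

```python
import csv
import io
from collections import defaultdict

# Constructed dump excerpts in three different layouts, as leak sites actually
# publish them.  The usernames, email, IP and the Ashley Madison row are the
# (already altered) values from the story; the column orders, hashes and the
# example.com rows are assumptions made so the example runs offline.
DUMPS = {
    "xsplit": ("username,name,email,hash", ",", """\
charle50140,Charle B,charle50140@hotmail.fr,a1b2c3d4e5f60718293a4b5c6d7e8f90
jdoe,John Doe,jdoe@example.com,0f1e2d3c4b5a69788796a5b4c3d2e1f0
"""),
    "crackingforum": ("username:email:ip:salt:hash", ":", """\
charle50140:charle50140@gmail.com:88.154.16.50:k3Fq:5e5e6f6f7a7a8b8b9c9cadadbebecfcf
l33t:l33t@example.com:203.0.113.7:Q7ml:1a1a2b2b3c3c4d4d5e5e6f6f7a7a8b8b
"""),
    "ashleymadison": ("username,zip,city,dob,last_login,ip", ",", """\
dcafman,50140,Caen,1970-03-01,2015-04-09 07:19:12,88.154.16.50
"""),
}

IDENTITY_FIELDS = ("username", "email", "ip")   # safe to pivot on
INDEXED_FIELDS = IDENTITY_FIELDS + ("domain",)  # domain is for company searches only


def parse_dump(source, header, sep, text):
    """Normalise one dump into dicts keyed by field name, tagging the source."""
    fields = header.split(sep)
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=sep):
        if not row:
            continue
        rec = dict(zip(fields, (v.strip() for v in row)))
        rec["source"] = source
        if rec.get("email"):
            rec["domain"] = rec["email"].rsplit("@", 1)[-1].lower()
        records.append(rec)
    return records


def build_index(dumps):
    """Inverted index (field, value) -> records, built once instead of
    grepping every raw file again for each new selector."""
    index = defaultdict(list)
    for source, (header, sep, text) in dumps.items():
        for rec in parse_dump(source, header, sep, text):
            for field in INDEXED_FIELDS:
                if rec.get(field):
                    index[(field, rec[field].lower())].append(rec)
    return index


def lookup(index, field, value):
    return list(index.get((field, value.lower()), []))


def pivot(index, field, value, max_hops=1):
    """Breadth-first pivot: each record found contributes its own username,
    email and IP as new selectors, up to max_hops hops from the start.
    Domains are deliberately excluded: pivoting on gmail.com would link
    everyone to everyone."""
    start = (field, value.lower())
    seen_keys, seen_recs, hits = {start}, set(), []
    frontier = [start]
    for _ in range(max_hops + 1):
        next_frontier = []
        for key in frontier:
            for rec in index.get(key, []):
                if id(rec) in seen_recs:
                    continue
                seen_recs.add(id(rec))
                hits.append(rec)
                for f in IDENTITY_FIELDS:
                    if rec.get(f):
                        k = (f, rec[f].lower())
                        if k not in seen_keys:
                            seen_keys.add(k)
                            next_frontier.append(k)
        frontier = next_frontier
    return hits


if __name__ == "__main__":
    idx = build_index(DUMPS)
    # The story's pivot: username -> email/IP -> a second username on the same IP.
    for rec in pivot(idx, "username", "charle50140"):
        print(rec["source"], rec.get("username"), rec.get("email"), rec.get("ip"))
    # The CTI use: every leaked account on a company's mail domain.
    for rec in lookup(idx, "domain", "example.com"):
        print(rec["source"], rec["email"])
```

Two practical caveats the toy hides: shared IPs (carrier-grade NAT, a school, a company gateway) link unrelated people, so an IP hop is a lead to confirm with a second identifier, as the story does with the matching postal code; and the hop limit matters, because every extra hop multiplies false links.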

Even though this story dates from 2016, I think it still serves as an eye-opener about what anyone can find out about you from your online activity.

What goes on the internet, stays on the internet!
