{ "id": "8e73e845-b634-4d96-a357-34f696165f48", "created_at": "2026-04-09T02:23:37.054316Z", "updated_at": "2026-04-10T13:11:28.41265Z", "deleted_at": null, "sha1_hash": "1c9a07b62b7e772a4a2870aeaf5d374e6084c5fb", "title": "\"I'm Not Pro-Russia and I'm Not a Terrorist!\" —- InfraGard and Airbus Hacker “USDoD” Unveils His New Campaigns - DataBreaches.Net", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 97309, "plain_text": "\"I'm Not Pro-Russia and I'm Not a Terrorist!\" —- InfraGard and\r\nAirbus Hacker “USDoD” Unveils His New Campaigns -\r\nDataBreaches.Net\r\nPublished: 2023-09-17 · Archived: 2026-04-09 02:14:14 UTC\r\nThe first time DataBreaches remembers hearing about the man who calls himself “USDoD” was when he posted a\r\nsales listing for member data from InfraGard. He had not only managed to acquire data on 80,000 members of an\r\norganization dedicated to protecting critical infrastructure, but his revelation of his method exposed some\r\nembarrassingly inept security on InfraGard’s part.  But that incident and his newest leak involving 3,200 vendors\r\nof Airbus aren’t the only reasons to pay attention to him. In a somewhat rambling interview with DataBreaches,\r\nconducted over several days online, USDoD reveals some of his current operations and future plans with respect\r\nto US defense agencies and firms.\r\nThis post is divided into two major sections. The first provides some background on USDoD as he describes\r\nhimself. The second part reveals some of his current operations and developing projects. Because USDoD is not a\r\nnative English speaker and requested that typos and errors be corrected, there are numerous instances where typos\r\nor confusing phrasing have been edited for clarity. At other points, his writing has been left as in the original.\r\nThose parts reflect his usual writing style.\r\nPart 1. Background\r\nWho is USDoD?\r\nUSDoD is a man in his mid-30’s. He describes himself as single but as being in a serious relationship with his\r\ngirlfriend, who is a doctor. When asked if she knows what he does, he said that she does know. USDoD tells\r\nDataBreaches that he was born in South America but moved to Portugal. He holds dual citizenship in Brazil and\r\nPortugal, but currently lives in Spain. USDoD speaks three languages:  Portuguese, English, and German.\r\n“English is not my main one,” he told DataBreaches, who had pretty much already figured that out quickly.  When\r\nasked whether he speaks Russian, he responded that he is first starting to learn it this year.\r\nWhen Did He Start Hacking?\r\nUSDoD states that he first got started in 1999 after joining a Brazilian gaming community. He was 11 at the time,\r\nand says he was able to use social skills to help take down a pedophile. He also states that a moderator of that\r\ncommunity, who was also a developer for r3x software, took him under his wing and encouraged him and helped\r\nhim develop skills. He says he was also greatly impressed by Kevin Mitnick. “Sadly, I never met him, but damn,\r\nthis guy is a legend in my generation. His social engineering skills inspired me a lot to become what I am now.”\r\nUSDoD’s preferred learning style is to attack real, but small and unknown, companies. “I learn in real scenarios.\r\nGot my hands really dirty to get experience. I wasn’t learning in local labs and stuff like that. I don’t like that,” he\r\nhttps://www.databreaches.net/im-not-pro-russia-and-im-not-a-terrorist-infragard-and-airbus-hacker-usdod-unveils-his-new-campaigns/\r\nPage 1 of 11\n\ntold DataBreaches.\r\nEarly Campaigns Against the Military and Defense Contractors: 2021-2022\r\nUSDoD was known as “NetSec” on RaidForums. “As ‘NetSec’, I breached a number of entities, but my most\r\nnotorious one was my own operations against the U.S. Army and defense contractors in my #RaidAgainstTheUS\r\ncampaign,” he told DataBreaches.\r\nIn February 2022, Cyble Research Lab wrote a report on NetSec, describing him as a pro-Russian threat actor. The\r\nreport provided a timeline of his activities:\r\nSource: Cyble\r\nThe incidents included a US Defense Technical Information Center database, a US Army Special Operations\r\nCenter of Excellence database, a US Strategic Command database, a US Central Command database, a U.S.\r\nSpecial Operations Command database, and a Lockheed Maring database. All of those releases were within a two-day period in February 2022. The report also included screenshots of how USDoD listed and explained the\r\nattacks.\r\n“I’m Not Pro-Russia”\r\nBecause a number of NetSec’s posts referred to Russians or collaborating with a Russian or Russians, it was\r\nunderstandable that Cyble and others might view him as pro-Russia, but USDoD takes strong exception to that.\r\nHe tells DataBreaches that what others seem to assume was a political alliance of some kind was not political at\r\nall. He got involved because of a  private request from a friend to whom he felt indebted.\r\nIn other cases, he may have collaborated with Russian individuals or sold data to Russian individuals, but not due\r\nto any political views on his part.\r\nPerhaps it was partly an English problem, but USDoD really didn’t seem to have insight into how his words were\r\ncreating an impression that he was pro-Russia. And to show me that such claims were not true, he started telling\r\nDataBreaches about U.S. clients and what some of the February 2022 posts were really about.\r\nhttps://www.databreaches.net/im-not-pro-russia-and-im-not-a-terrorist-infragard-and-airbus-hacker-usdod-unveils-his-new-campaigns/\r\nPage 2 of 11\n\nAs a specific case in point, the “Russian” referred to in February 2022 posts that Cyble reported was an\r\nindependent security researcher he is close to. The researcher had showed him an AI platform he was developing\r\ncalled “Tulip” and asked him to collect any military data that may or may not help him in that project. Believing\r\nthat there was no intention to harm U.S. critical infrastructure, USDoD agreed to help. He still believes the project\r\nwas and is an innocent one.\r\n“Since that time and my work on it, there has never been any evidence publicly or in private that there was any\r\nharm done by what I did or any leak of intel. This was never political,” he said. “Maybe I messed up my writing\r\nwhen I wrote I was selling to “the Russians” as if there was something political about it.  No. I just got info for\r\nthem for what an AI project that is not targeting the U.S.”\r\nIn addition to telling DataBreaches that he also has U.S. clients, USDoD noted that shortly after the Cyble report\r\nappeared in 2022, he was contacted by someone very close to the Iranian government who tried to buy the intel he\r\nhad described in his posts, “but I declined to sell it to him. I won’t attack certain countries but I also won’t do\r\nbusiness with their governments or political people or military. I don’t do political business with anyone at all.\r\nSame rules apply to all,” he told DataBreaches.\r\nMore on Standards and Ethics\r\nSome hackers avoid hacking entities in specific countries, like CIS. When DataBreaches asked USDoD if he\r\nexcluded any countries or sectors, he answered that, for ethical reasons and standards he created for himself, “I\r\nwon’t attack Russia, China, South and North Korea, Israel, and Iran. The rest I don’t care,” he said.\r\nWhen asked why he thought it would be unethical to hit those countries, he replied, “Because I got people that I\r\ntruly know and I truly respect there. People that I care enough to not pissing any gov or corp off.  My beef with\r\nUSA is not personal. I don’t hate the USA culture. I like what they do. I just have zero respect for any govs.”\r\nSomewhat baffled by his response, DataBreaches asked, “But you will hit U.S. gov even though you have people\r\nin this country you like and respect?”  “Good question,” he responded, and then told me about a personal incident\r\nin his life that was significant. He spoke of being in New York in 2012 for cancer treatment and how he got deeply\r\ninvolved with an employee at the hospital where he was a patient. But being a hacker and suspecting corruption in\r\nthe hospital, he hacked the hospital. He says the employee knew what he was doing and helped him, but the day\r\nbefore he was scheduled to meet with the media and expose the hospital’s corruption, she disappeared. He says he\r\nwas never able to find her again, despite searching and hiring a private investigator. Because she disappeared\r\nsuddenly that way, he never went public that day with what he had found, and without any support in New York,\r\nhe finished his treatment and left, taking with him a personal grudge against the U.S. and great sadness and grief\r\nabout her leaving him that way. Although he is clear that he will never attack U.S. hospitals or childcare facilities,\r\nhe harbors some resentment against the U.S. and says he still gets very emotional about her disappearing that way.\r\nIt was difficult to understand how that one experience of personal betrayal could translate into a lasting grudge\r\nagainst our government. So till trying make sense of it all, and feeling something like the ghost of Senator\r\nMcCarthy, DataBreaches asked him directly:  “Are you now, or have you ever been, paid by or financially\r\nsupported by any government for your hacking activities?”\r\nhttps://www.databreaches.net/im-not-pro-russia-and-im-not-a-terrorist-infragard-and-airbus-hacker-usdod-unveils-his-new-campaigns/\r\nPage 3 of 11\n\n“No. I don’t like politics,” he answered. “The world should live free of politics. I won’t take any money from\r\ngovernments, no matter how much they might offer.” He also denied any religious, racial, or ethnic biases in his\r\ndecisions and operations.\r\n“My reasons are purely personal vendetta. I don’t take sides. I play both sides of the war and no politics.”\r\nIt’s Not Political, But It’s Not Just Vendetta or Business, Either\r\n“A lot of hackers tell me that ‘It’s just business’ and their motivation is financial. You have said it’s not political\r\nand it’s personal vendetta. Do you have any other motivation?” DataBreaches asked him.\r\n“It is not only business. It is about challenge. I like a real challenge.” USDoD would later illustrate just how much\r\nhe likes a challenge when he gave DataBreaches a glimpse into his current and future activities. Those are\r\ndescribed in Part 2 of this article.\r\nUSDoD on Breached.vc and the InfraGard Incident\r\nLike many other RaidForum members, USDoD made his way to Breached.vc when it was opened by\r\n“Pompompurin” after the seizure of RaidForums.  On Breached, he used “NetSec.”  USDoD first used the\r\nmoniker “USDoD” in December 2022 when he posted data from InfraGard. “I picked USDoD as a joke for people\r\nto think that DoD breached InfraGard. I also used their seal as my avatar. It was literally just a joke to make the\r\nFBI feel even worse after seeing it in the news. I don’t use their seal anymore as my avatar, though,” he told\r\nDataBreaches. These days, his avatar is a cute kitten.\r\nThe InfraGard incident captured media attention because InfraGard is a public and private partnership between the\r\nFBI and private sector firms that work together to protect critical infrastructure.  USDoD managed to get access to\r\ntheir membership data by simply applying to become a member and getting accepted. He didn’t apply under his\r\nown name. He used the name of a CEO of a financial firm who was not a member but whose application would\r\nlikely be accepted. The application was submitted with an email address that he controlled. To his surprise, his\r\napplication was accepted without any further vetting. But there’s more to the story than was revealed last year.\r\nUSDoD told DataBreaches that his method involved a prior test run application.\r\n“First I created a sketchy application with some false information and submitted it to see how InfraGard would\r\nrespond. Once I saw what they said was wrong with my application, then I knew what I had to be accurate about. I\r\nwas very surprised, though, that they accepted the final application because I did not use the professional email for\r\nthe CEO I was impersonating. I had created a fake Tutanota email address and impersonated a staff member.” \r\nAccording to USDoD, the email address he used for the application with the CEO’s application was staff@tuta.io.\r\n“I really don’t understand why InfraGard approved the application at all,” he said. Neither do we, but we note that\r\nInfraGard was compromised by someone impersonating someone who wasn’t an employee or member and had an\r\nanonymous mail service. When DataBreaches asked USDoD how much he relies on social engineering to gain\r\naccess, he replied, “100%, but I’m not perfect. I have failed sometimes. It is normal.”\r\nWhen asked about his preferred social engineering technique, he replied that it was impersonation. “My technique\r\nis to become someone else. I love impersonating and becoming someone else. This is how I got access to\r\nhttps://www.databreaches.net/im-not-pro-russia-and-im-not-a-terrorist-infragard-and-airbus-hacker-usdod-unveils-his-new-campaigns/\r\nPage 4 of 11\n\nInfraGard, NATO Cyber Center Defense, and CEPOL.”  [Note: the NATO and CEPOL attacks are discussed in\r\nPart 2]. USDoD says that he also researches his targets using ZoomInfo to see how big the potential target is in the\r\nmilitary and defense sector.\r\nUSDoD says that he felt somewhat badly after the InfraGard incident when some people suggested it might be the\r\nreason Pompompurin was arrested and the forum subsequently seized. DataBreaches does not know who\r\nsuggested that, but it’s extremely unlikely that InfraGard was the proximal cause of the arrest and seizure. Those\r\noccurred quickly after the D.C. Health Links incident involving the personal and health insurance-related data of\r\nmembers of U.S. Congress, their families, and employees in the D.C. region. Supporting that hypothesis is the fact\r\nthat the Office of the Inspector General of the U.S. Department of Health and Human Services was involved in\r\nboth disrupting the forum and getting it seized. They would likely not have been involved if the concern was\r\nInfragard, which was three months earlier.\r\nIs He Ever Scared?\r\nBecause he has often picked high-value targets in the defense sector, DataBreaches asked USDoD if he worried a\r\nlot about getting caught.\r\n“Well it depends on my mood and what is going on, but due to the nature of my work, I always stand in high alert\r\nand monitor some platforms to keep an eye on what researchers are doing or what some key figures are saying,”\r\nhe responded.\r\nBut at other times during this interview, USDoD would say that he was not worried and that he “had that part\r\ncovered.” When asked to explain what that meant by that, he replied that he “got a green card or free pass to\r\noperate in Spain or do whatever I want in Spain. It’s from some key people in Spain. Sadly, I can’t share any more\r\nintel as it could compromise the situation.”\r\nIn response to that somewhat surprising claim, and having been told by him that he worked in the field of\r\ncybersecurity and occasionally came to the U.S., DataBreaches asked if he had any coverage outside of Spain or if\r\nhe would be at risk if he came to the U.S.  “You are right, but I would still risk everything going there if something\r\nis worth it. It depends on the situation, and you are one of these that I am willing to risk,”  he replied. Not sure that\r\nI understood him correctly, and because he had mentioned several times that he would like to meet in person for\r\ncoffee in New York, DataBreaches followed up, “You are willing to risk getting caught for this interview, or to\r\ncome to NY to meet me???“ “Not only an interview,” he answered. “To come to you, meet you, drink a cup of\r\ncoffee,” he answered. That could be a really costly cup of coffee for him, and it flies in the face of OpSec that\r\nmost hackers would employ.\r\nPart 2. Current Activities and Future Plans\r\nRIP Breached.vc, Hello BreachForums!\r\nOn September 12, USDoD announced on BreachForums.is (BreachForums) that he was back, and he indicated he\r\nwould be working on some solo projects.  He quickly made headlines again with a post announcing that he was\r\nleaking data from 3,200 vendors for aeronautics giant Airbus:\r\nhttps://www.databreaches.net/im-not-pro-russia-and-im-not-a-terrorist-infragard-and-airbus-hacker-usdod-unveils-his-new-campaigns/\r\nPage 5 of 11\n\n“This month I got access to airbus site using a emploey acces from some turkish airline and this got me inside of\r\nalot of stuff plus their vendors data. (sic)\r\n3200 records. It is their entire vendors data,” he wrote in a thread on BreachForums.\r\nAfter providing some sample data and a link, he included this line:\r\n“Lockheed martin, Raytheon and the entire defense contractos I’m coming for you bitchs” (sic)\r\nNeither his post nor that last line went unnoticed. Hudson Rock reported on the breach and leak, claiming they had\r\nidentified the Turkish airline employee whose credentials had been compromised by an infostealer. Airbus\r\nsubsequently confirmed their analysis. NOTE:  some news outlets seem to have misunderstood USDoD’s post and\r\nHudson Rock’s reporting. DataBreaches has seen some sites claiming that USDoD infected the employee’s\r\ncomputer. He didn’t.  He simply found the login credentials in infostealer logs and used them. Using infostealer\r\nlogs is a fast and easy way to find credentials for a target and saves the time of trying to figure out how to gain\r\naccess. Many forums have sections where such infostealer logs are posted freely for anyone to download and\r\nmisuse.\r\n“I Am Not Pro-Russia, and I Am NOT a Terrorist, Either!”\r\nBrian Krebs, who had reported on the InfraGard story in 2022, also picked up the Airbus story. In a post\r\nheadlined, “FBI Hacker Dropped Stolen Airbus Data on 9/11,” Krebs wrote, in part:\r\n“USDoD didn’t say why they decided to leak the data on the 22nd anniversary of the 9/11 attacks, but there was\r\ndefinitely an aircraft theme to the message that accompanied the leak, which concluded with the words,\r\n“Lockheed martin, Raytheon and the entire defense contractos [sic], I’m coming for you [expletive].”\r\nTo say that USDoD was upset by Krebs’ reporting would be an understatement and he told DataBreaches that he\r\nfelt like Krebs was calling him a terrorist. USDoD submitted the following statement to DataBreaches and asked\r\nthat it be included in this article. With only one small typo correction, this is his full response to Krebs’ reporting:\r\nStatement About Krebs’ Report\r\nFirst off i would like to apology to every single USA Citzen.\r\nAirbus breaching shouldn’t come in 911 but for more than one month I’m out of my usual routine so\r\nIm working more than 20h a day without proper sleep time and this is fucking me off so much that when I\r\nbreached airbus and leaked i didn’t noticed that as 911.\r\nI will never trying get attention or fuck a corp or person in people pain.\r\nIt is not who am I. i wasn’t raised like that so  my truly and honest apology to every single USA Citizen.\r\nIt was the first and last time.\r\nNow lets put something right because this shit is not right.\r\nhttps://www.databreaches.net/im-not-pro-russia-and-im-not-a-terrorist-infragard-and-airbus-hacker-usdod-unveils-his-new-campaigns/\r\nPage 6 of 11\n\nMr krebs know that almost 1 year ago he approach me to interview about the infragard situation and it is not the\r\nfirst one who asked.\r\nand i told personally to him that I will only speak to him because I have seen his work how very detailed it is his\r\nreport and I always liked of his work and I even admire him and that is why I talked with him but this guy after the\r\nAirbus situation have zero respect for his career or his collogues who work in same sector.\r\ni feel stabbed in the back with that statement from him.\r\nHe should contact me. not publishing a lie to get more views.\r\nHe as so disrespectful that no one on the media sector fall for his non sense. Dirty move from a dirty fucker and\r\nthat is why I keep doing my business, for people like this kind of guy.\r\nHe will fall from his own acts.\r\nThis was a personal attack.\r\nMaybe because he is mad of his friend who work in Alaska not able to catch me.\r\nBoth are useless asset from FBI time to put jersey off folks and retire  this is not a playground it is real business.\r\nDataBreaches reached out to Krebs with a copy of USDoD’s statement to give him an opportunity to provide a\r\nresponse or comment. He did not offer one.\r\nBut What Was That Raytheon and Lockheed Warning About?\r\n“Lockheed martin, Raytheon and the entire defense contractos I’m coming for you bitchs (sic),” USDoD had\r\nwritten in his post leaking the Airbus data. Was he serious?\r\nNo, he wasn’t. USDoD informed DataBreaches that he has no interest in Raytheon and Lockheed and he named\r\nthem simply to misdirect people while he was pursuing other targets. Those other targets, he says, were Deloitte,\r\nNATO, CEPOL, Europol, and Interpol.\r\n“I was happy to have Raytheon and Lockheed spending most of their time and efforts in fixing their issues while I\r\ngot access to Deloitte, NATO, and CEPOL all in the same day,” he told DataBreaches.\r\nNATO? CEPOL? What Was He Doing??\r\nUSDoD claims he has targeted a number of entities, including Deloitte, Interpol, Europol, NATO, and CEPOL. He\r\nalso claims that he has already gained access to some of them and provided DataBreaches with some screenshots\r\nas proof.\r\n“I have already accomplished access to NATO and CEPOL, so Phase 1 of operations is finished and now I will\r\npivot to Phase 2. In Phase 2, I will be exploiting that, but I need to study and exploit their weak spots,“ he says.\r\nUSDoD gained access to CEPOL by registering for an account as Greek police officer, “Gran Kolettis”\r\n\u003cg.kolettis[at] police[.]gr\u003e. USDoD also sent DataBreaches an email from that email address, showing that he still\r\nhttps://www.databreaches.net/im-not-pro-russia-and-im-not-a-terrorist-infragard-and-airbus-hacker-usdod-unveils-his-new-campaigns/\r\nPage 7 of 11\n\nhad access to that police officer’s email account.\r\nImage provided by “USDoD.” In the upper right corner, it shows that the user logged in is “GK.” \r\nUSDoD also provided DataBreaches with screenshots from the NATO Cyber Security Defense Center showing he\r\nhad successfully registered and had access to them, too. Only someone who has registered and logged in would\r\nsee the menus displayed in the second screenshot below.\r\n“USDoD’s” attempt to register for the NATO portal was successful. Image provided by “USDoD.”\r\nhttps://www.databreaches.net/im-not-pro-russia-and-im-not-a-terrorist-infragard-and-airbus-hacker-usdod-unveils-his-new-campaigns/\r\nPage 8 of 11\n\nImage taken from with portal provided by “USDoD” and redacted by DataBreaches.net.\r\nUSDoD gained access by registering as “Karlaina Ustinov” \u003ct.g.papakarmezis[at]army[.]gr\u003e. He also sent\r\nDataBreaches an email from that Greek army email account showing he still had access.\r\nBut USDoD’s plans failed, in part. After accessing the center, he requested access to community services. When\r\nhe didn’t get a reply and tried to login, he found an “under maintenance” notice.\r\nImage provided by “USDoD.”\r\nThere has now been a maintenance note for the last four days. NATO has not responded to two email inquiries\r\nsent to it asking whether the maintenance notice was an unplanned response to some possible cybersecurity\r\nincident. Did they detect something and are hardening security? He does not know, but it seems reasonable to\r\nthink that they may have detected something wrong.\r\nBut why was USDoD even publicly revealing his targets if his operations are not really completed?\r\n“This will capture their attention,” he told DataBreaches, “and tbh, I want this. I want to beat them while they are\r\nwatching.”\r\n“Why?” DataBreaches asked.\r\n“For the lols. fun. challenge,” he answered.\r\nAnd why these targets? Were there any U.S. defense targets?\r\nWhat’s the Endgame?\r\nhttps://www.databreaches.net/im-not-pro-russia-and-im-not-a-terrorist-infragard-and-airbus-hacker-usdod-unveils-his-new-campaigns/\r\nPage 9 of 11\n\nAfter acknowledging that he had failed with Deloitte and needed to find other methods to access them, and after\r\nhaving been unable to access community services in NATO’s portal, he started to explain why these targets:\r\n“CEPOL is an Elearning platform for law enforcement from Europe and it is directly associated with Europol.\r\nThey have plenty of programs together. I got entire access to how CEPOL teaches their agents, so I will find their\r\nweak spots for my end game. NATO uses custom and modifed versions of endpoint security and AV. Plus they\r\nhave their own version of policy, browser, etc. So put both together and I can take them down because I know\r\ntheir methods and I know how they protect themselves. This is enough for me to get more access.”\r\nDataBreaches pressed for a more complete roadmap or explanation: “I don’t understand when these ops will end\r\nor how they will end. Can you explain?”\r\n“Alright,” he said, “the end game is an ongoing situation. This is not a country-scaled attack. it is an entire\r\ncontinent attack. Something that I have considered at this point.\r\nI will use their entire resource to increase the size of my operational.”\r\n“You know? The door is already opening. It is a golden opportunity. The challenge comes along.\r\nThis is the endgame: grow up my influence.\r\nThere is no comeback.\r\nI will keep moving forward.\r\nI guess this will clear our confusion:\r\nI crossed the line of point of no return and you asked my end game.\r\nI can’t lie to you.\r\nThis is the endgame: full control.”\r\n“So you have no plans to leak or sell any of the data from CEPOL, NATO, or other agencies?” DataBreaches\r\nasked.\r\n“Yes that is right. I will not leak that,” he replied. “My intention in getting full control of some system is to get\r\naccess to even more private data. I want to find more data points and expand my operational and take part of some\r\nEuropean critical infra. It is a crucial part of my endgame.”\r\n“Let’s be clear here,” he continued (while DataBreaches prayed for even a little clarity by now):  Besides the\r\ncountries that I will never atttack that I already told you, the rest of around the globe should stay alert.”\r\n“Stay alert because you might attack them?” DataBreaches asked.\r\n“That’s right. And I’m telling you this because I want to beat them in their max capabilities.”\r\n“But what about U.S. defense? You mentioned CEPOL, NATO, EUROPOL, and INTERPOL as targets. Do you\r\nhave any current operations against any U.S. defense firms or agencies now?”\r\n“Yes I do have some operations going on behind the scene right now,” he answered. “But this will never go public\r\nor leak anywhere. It is a private request for a private user case. After my contracts end, I will tell you my targets.”\r\nWhen asked if he could say a bit more, he responded:\r\nhttps://www.databreaches.net/im-not-pro-russia-and-im-not-a-terrorist-infragard-and-airbus-hacker-usdod-unveils-his-new-campaigns/\r\nPage 10 of 11\n\n“I will explain. I entered a new level of data acquisition. My main focus on USA will be military intelligence –\r\nevery single military intelligence info from classified to private ones.”\r\n“This is for a private user contract or just for your own interest/challenge?” DataBreaches asked.\r\n“My own use case,” he answered. I’m building a new private company solely run by myself. I will be selling\r\nmilitary intelligence on the dark web. After Breached was seized, I always thought to run my own business.”\r\n“So you will sell intel?” DataBreaches asked.\r\n“Yes, from classified to private intel. This is related to European endpoint. I need European endpoints for this.\r\nThis will not run only on USA. I can even give you a name. My first target will be Constellis.”\r\nOnce again, it seems, USDoD is throwing down a gauntlet – announcing his target and plans. DataBreaches had\r\nnever heard of Constellis, but hopes they have good defenses against his social engineering tactics and use of\r\ninfostealer logs or their information may become his first offering on his new business when it opens.\r\nAnd Then There’s BreachForums\r\nUSDoD announced his return on BreachForums and it seems that in addition to having a business plan involving\r\nthe acquisition and sale of intel, he also wants to help BreachForums grow.\r\n“I want to see the community get more engaged like it used to be. Having someone who’s active and engaged can\r\nbring more people. ShinyHunters used to do that for RaidForums. He was and still is a beast and a legend, but he\r\nis not really involved in the forum he now owns. Everyone keeps waiting for him and he doesn’t seem really\r\ninterested in the forum.”\r\nUSDoD had a very high positive reputation on Breached.vc, and almost certainly will have one again on Breach\r\nForums. And he engages in activities that will likely bring media attention and interest to the forum. He tells\r\nDataBreaches that he was disappointed when he reached out to ShinyHunters this week to offer his help and Shiny\r\nsaid “no” without any explanation and without saying that Shiny would do anything himself.\r\nWhat Next?\r\nIt was difficult to get a clear understanding of what USDoD is doing and what he plans to do, but it seems clearer\r\nnow that he has a business model involving U.S. military intel. Should defense contractors and agencies remain\r\nvigilant about him? Given how skilled he is at social engineering and how he loves a challenge, it would seem\r\nwise to keep an eye out for him.\r\nSource: https://www.databreaches.net/im-not-pro-russia-and-im-not-a-terrorist-infragard-and-airbus-hacker-usdod-unveils-his-new-campaigns/\r\nhttps://www.databreaches.net/im-not-pro-russia-and-im-not-a-terrorist-infragard-and-airbus-hacker-usdod-unveils-his-new-campaigns/\r\nPage 11 of 11", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.databreaches.net/im-not-pro-russia-and-im-not-a-terrorist-infragard-and-airbus-hacker-usdod-unveils-his-new-campaigns/" ], "report_names": [ "im-not-pro-russia-and-im-not-a-terrorist-infragard-and-airbus-hacker-usdod-unveils-his-new-campaigns" ], "threat_actors": [ { "id": "c071c8cd-f854-4bad-b28f-0c59346ec348", "created_at": "2023-11-08T02:00:07.132524Z", "updated_at": "2026-04-10T02:00:03.422366Z", "deleted_at": null, "main_name": "ShinyHunters", "aliases": [], "source_name": "MISPGALAXY:ShinyHunters", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2", "created_at": "2025-10-24T02:04:50.086223Z", "updated_at": "2026-04-10T02:00:03.770068Z", "deleted_at": null, "main_name": "GOLD CRYSTAL", "aliases": [ "Scattered LAPSUS$ Hunters", "ShinyCorp", "ShinyHunters" ], "source_name": "Secureworks:GOLD CRYSTAL", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "34eea331-d052-4096-ae03-a22f1d090bd4", "created_at": "2025-08-07T02:03:25.073494Z", "updated_at": "2026-04-10T02:00:03.709243Z", "deleted_at": null, "main_name": "NICKEL ACADEMY", "aliases": [ "ATK3 ", "Black Artemis ", "COVELLITE ", "CTG-2460 ", "Citrine Sleet ", "Diamond Sleet ", "Guardians of Peace", "HIDDEN COBRA ", "High Anonymous", "Labyrinth Chollima ", "Lazarus Group ", "NNPT Group", "New Romanic Cyber Army Team", "Temp.Hermit ", "UNC577 ", "Who Am I?", "Whois Team", "ZINC " ], "source_name": "Secureworks:NICKEL ACADEMY", "tools": [ "Destover", "KorHigh", "Volgmer" ], "source_id": "Secureworks", "reports": null }, { "id": "80edca9f-dcd6-491e-92f3-87ad1f575631", "created_at": "2023-10-14T02:03:14.694988Z", "updated_at": "2026-04-10T02:00:05.021046Z", "deleted_at": null, "main_name": "NetSec", "aliases": [ "NetSec", "Operation Data Breach", "ScarFace_TheOne", "USDoD" ], "source_name": "ETDA:NetSec", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "82a51997-1402-41c3-86df-6f9e522b2ba8", "created_at": "2024-04-27T02:00:03.554045Z", "updated_at": "2026-04-10T02:00:03.63698Z", "deleted_at": null, "main_name": "USDoD", "aliases": [], "source_name": "MISPGALAXY:USDoD", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "3a0cfbbc-2acf-4cc8-afe1-1859679c522c", "created_at": "2022-10-25T16:07:24.373716Z", "updated_at": "2026-04-10T02:00:04.963615Z", "deleted_at": null, "main_name": "Vendetta", "aliases": [ "TA2719" ], "source_name": "ETDA:Vendetta", "tools": [ "AsyncRAT", "Atros2.CKPN", "Nancrat", "NanoCore", "NanoCore RAT", "ReZer0", "Remcos", "RemcosRAT", "Remvio", "RoboSki", "Socmer", "Zurten" ], "source_id": "ETDA", "reports": null }, { "id": "d8dff631-87b0-4320-8352-becff28dbcf1", "created_at": "2022-10-25T16:07:24.565038Z", "updated_at": "2026-04-10T02:00:05.034516Z", "deleted_at": null, "main_name": "ShinyHunters", "aliases": [], "source_name": "ETDA:ShinyHunters", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775701417, "ts_updated_at": 1775826688, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/1c9a07b62b7e772a4a2870aeaf5d374e6084c5fb.pdf", "text": "https://archive.orkl.eu/1c9a07b62b7e772a4a2870aeaf5d374e6084c5fb.txt", "img": "https://archive.orkl.eu/1c9a07b62b7e772a4a2870aeaf5d374e6084c5fb.jpg" } }