{
	"id": "f068e413-1f2a-43e3-8ac9-dcc19133b8f5",
	"created_at": "2026-04-06T00:22:05.62363Z",
	"updated_at": "2026-04-10T03:34:59.558482Z",
	"deleted_at": null,
	"sha1_hash": "44df47143b0c20c40effc0746157391edbd65c48",
	"title": "Dark Web Profile: USDoD",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73320,
	"plain_text": "Dark Web Profile: USDoD\r\nPublished: 2023-09-20 · Archived: 2026-04-02 11:55:02 UTC\r\n[Update] October 17, 2024: See the subheading: “Brazilian Arrest Tied to USDoD”\r\n[Update] August 26, 2024: See the subheading: “Is USDoD’s Identity Revealed?”\r\n[Update] April 22, 2024: See the subheading: “Update on USDoD’s Activities: Departure from Public\r\nBreaches”\r\n[Update] November 7, 2023: See the subheading: “UsDoD Continues Ambitious Claims; Now Its LinkedIn’s\r\nTurn.”\r\nEmerging from the shadows of the cyber realm, “USDoD” first caught attention by exposing the data of 80,000\r\nInfraGard members, revealing significant security lapses within the organization. This audacious act, coupled with\r\na subsequent leak involving 3,200 Airbus vendors, has solidified his reputation in the cybersecurity world. Behind\r\nthe pseudonym is a man in his mid-30s with roots in South America. Influenced by many, USDoD has been an\r\neye-catcher for some time in the digital landscape.\r\nEarly Activities and Background of USDoD\r\nPreviously known as “NetSec” on RaidForums, USDoD gained notoriety with his “#RaidAgainstTheUS\r\ncampaign,” targeting the U.S. Army and defense contractors. In February 2022, a report highlighted his breaches\r\nof multiple U.S. defense databases, painting him as a pro-Russian threat actor. However, USDoD refutes this\r\nlabel, clarifying that his collaborations with Russians were based on personal or business connections, not political\r\nmotivations. One such collaboration involved an AI project named “Tulip,” aimed at collecting military data.\r\nTimeline of the #RaidAgainstTheUS attacks now known as USDoD (Cyble)\r\nHis transition to the “USDoD” moniker occurred on Breached.vc in December 2022, where he posted data from\r\nInfraGard, a partnership between the FBI and private sector firms. 
Using social engineering, he impersonated a\r\nCEO and successfully gained membership, exposing a significant security lapse within InfraGard.\r\nUSDoD’s hacking approach heavily relies on social engineering, particularly impersonation. This technique has\r\ngranted him access to high-profile entities, including NATO Cyber Center Defense and CEPOL. Despite targeting\r\nsuch entities, he remains confident, claiming to have protection in Spain from influential figures. His motivations\r\nintertwine personal vendettas with a love for challenging cyber exploits, revealing a multifaceted character behind\r\nthe hacker alias.\r\nCurrent Activities and Future of USDoD\r\nReturn to BreachForums and Airbus Breach\r\nhttps://socradar.io/unmasking-usdod-the-enigma-of-the-cyber-realm/\r\nPage 1 of 5\n\nUSDoD marked his return on BreachForums with a significant leak: data from 3,200 Airbus vendors. He\r\naccessed Airbus using an employee’s credentials from a Turkish airline, which he found in infostealer logs. His\r\npost also contained a warning for Lockheed Martin and Raytheon, though he later revealed this was a diversion\r\nwhile targeting other entities like Deloitte, NATO, and CEPOL.\r\nMetropolitan Club of the City of Washington Database Breach\r\nMost recently, USDoD has announced a security breach, revealing the database of the Metropolitan Club of the\r\nCity of Washington. The incident stands apart from an earlier breach linked to the same threat actor and the\r\n“Ransomed.vc” ransomware group. He asserts that by obtaining Personally Identifiable Information (PII) about the\r\nGeneral Manager, he was able to crack the login details for the organization’s admin panel.\r\nMisunderstandings and Clarifications\r\nBrian Krebs’ report on the Airbus leak, which tied the data release to the 9/11 anniversary, deeply upset USDoD.\r\nHe clarified that the timing was unintentional and expressed his frustration with Krebs’ insinuations. 
USDoD\r\nemphasized that his actions were neither politically motivated nor terrorist-driven by saying, “I won’t attack\r\nRussia, China, South and North Korea, Israel, and Iran. The rest, I don’t care”.\r\nUsDoD Continues Ambitious Claims; Now Its LinkedIn’s Turn\r\nUsDoD, which managed to make a significant impact on its own, continues its operations. He claims to have\r\nreleased 2.5 million records, alleging a breach of the LinkedIn Database.\r\n“haveibeenpwned” founder Troy Hunt made the following comment on his Twitter account regarding this\r\nincident: “Interesting data. Allegedly 2.5M, but almost 6M unique addresses. One fellow Aussie has 5 addresses\r\nacross telco, bank, publisher, and 2 e-comm sites. Their LinkedIn reflects this, so this data could tie together\r\nidentities.”\r\nAlleged LinkedIn database leak\r\nAccording to UsDoD’s statement, the actor recently shared alleged data breaches of hp-medical and dhsi2 on\r\n“breachforums” and also shared a screenshot on his Twitter account from the Interpol website’s interface,\r\nlabeling it as a preview of his upcoming operation.\r\nUsDoD’s tweet\r\nUSDoD has expanded the amount of data leaked from LinkedIn. According to his claims, this new dataset\r\ncomprises 35 million entries and expands to 12 gigabytes when uncompressed. Troy Hunt has shared that the\r\nadditional collection of scraped and compiled data linked to LinkedIn has now been incorporated into Have I Been\r\nPwned. This inclusion has introduced an extra 14 million unique e-mail addresses, increasing the total scope of\r\nthe security breach to nearly 20 million records. It’s worth noting that 13% of these e-mail addresses were already\r\npresent in Have I Been Pwned.\r\nFurthermore, Troy Hunt published a blog post about the dataset. 
He stated that the dataset is a blend of data\r\nextracted from publicly available LinkedIn profiles, fictitious e-mail addresses, and, to a limited extent,\r\ninformation from other sources listed in the column headings. However, it’s important to note that the individuals\r\nare real, the companies are legitimate, the domains are authentic, and, in many instances, the e-mail addresses\r\nthemselves are valid.\r\nReal Targets and Motivations\r\nDespite the public threats against Raytheon and Lockheed, USDoD’s real interests lay elsewhere. He targeted and\r\naccessed entities like CEPOL and NATO, aiming to understand their security and training methods. His ultimate\r\ngoal? Full control and influence. He plans to establish a private company to sell military intelligence on the dark\r\nweb, with Constellis being his first target.\r\nUSDoD claiming successful access to CEPOL (DataBreaches)\r\nUSDoD claiming a successful attempt to register for the NATO portal (DataBreaches)\r\nUSDoD’s Future Endeavors and BreachForums\r\nUSDoD’s vision extends beyond hacking. He aims to revitalize BreachForums, lamenting the lack of\r\nengagement from its current owner, ShinyHunters. He believes active participation from influential members can\r\nrestore the forum’s former glory.\r\nUSDoD’s activities and plans are multifaceted; as he ventures into selling military intelligence and continues to\r\nchallenge high-profile targets, defense entities should remain vigilant.\r\nUpdate on USDoD’s Activities: Departure from Public Breaches\r\nUSDoD, known for his audacious breaches and public releases, has announced his departure from the threat\r\nlandscape. 
In a post on a hacker forum, he bid farewell to the community and federal agencies, expressing his\r\ndecision to step into the shadows and prioritize his personal life.\r\nIn his final act, USDoD shared a significant breach involving Bureau van Dijk Database 2024 and US Consumer\r\nDatabase, totaling millions of data entries. This farewell post marks the end of his public hacking endeavors.\r\nUSDoD’s latest post in BreachForums\r\nHere is the message from USDoD on the hacker forum:\r\n“Hello BF community, federal agencies, and all friends around the globe, this is it, this is my way to say goodbye.\r\nI know I already showed a lot, and I’m done with it.\r\nI don’t expect anything more from the scene, from the community. It is my time to go into the shadows and think\r\nabout myself, my family, and my life.\r\nI would not come back; this is the end. This is me giving all good luck to the BF community and staff, for all the\r\npeople that I ever contacted since 2019. I wanted to say that I liked being there, even when I started with zero\r\nreputation, with a lot of people saying a lot of bullshit. But even the worst shit I ever heard, they made me get into\r\nthis, and they made me not give up or simply rise and keep at the top for years.\r\nI’m not a group, I’m not a gang, I’m an only one-man army. I started with this, and I will finish it. This is the\r\nend.”\r\nIn his farewell post, USDoD shared the following alleged breaches:\r\nBureau van Dijk Database 2024: Partial data with 9 million entries\r\nUS Consumer Database: 2.8 million entries\r\nTherefore, these breaches mark his final act in the public hacking sphere, as he transitions away from dealing with\r\npublic breaches.\r\nUSDoD’s departure from the scene could signify the end of an era in the cyber threat landscape. 
While his actions\r\nhave garnered attention and concern, his decision to step back underscores the evolving nature of cybersecurity\r\nand the impact of individual actors in the digital realm.\r\nIn a recent interview, he didn’t indicate any intention to halt operations, asserting his ongoing commitment.\r\nHowever, he clarified that this isn’t exactly a retreat but rather a shift to independent work. It could be alleged that\r\npersonal ambitions and a desire for reduced scrutiny from security forces may also drive this decision.\r\nConclusion\r\nThe enigmatic figure of “USDoD” stands as a testament to the evolving landscape of cybersecurity. From his\r\naudacious breaches to his intricate web of motivations, he represents the new age of hackers who blend personal\r\nvendettas, business ambitions, and sheer love for the challenge. His journey, from exposing significant security\r\nlapses in reputed organizations to announcing ambitious future plans, underscores the need for heightened\r\nvigilance in the digital realm. As the lines between personal, political, and professional motivations blur, entities\r\nworldwide must recognize and prepare for the multifaceted threats posed by individuals like USDoD. In a world\r\nwhere information is power, understanding the motivations and methods of those who seek to control it is\r\nparamount.\r\nIn today’s digital age, the dark web has become a hotbed for illicit activities, including the trade of stolen data and\r\nthe planning of cyberattacks. SOCRadar’s dark web monitoring offers a solution to this growing threat. By\r\ncontinuously scanning the shadowy corners of the dark web, SOCRadar provides timely alerts to businesses and\r\nindividuals when significant players make a move or when their sensitive information appears in these hidden\r\nrealms. 
This system allows for swift action, minimizing potential damage and ensuring that stakeholders remain\r\none step ahead of cyber adversaries.\r\nSOCRadar Dark Web News\r\nIs USDoD’s Identity Revealed?\r\nIn a surprising twist, the hacker known as USDoD, linked to major data breaches, has revealed his identity.\r\nUSDoD, also called EquationCorp, is actually Luan G., a 33-year-old from Minas Gerais, Brazil. This comes after\r\nhis involvement in significant hacks, including leaking 3.2 billion Social Security Numbers from National Public\r\nData and breaching the FBI’s InfraGard platform, exposing 87,000 members’ details.\r\nLuan G. confessed after reportedly being doxed by CrowdStrike, a cybersecurity firm he previously targeted.\r\nHowever, Luan claims that other cybersecurity groups, like intel421 Plus, had already identified him before the\r\nInfraGard hack. In a statement to Hackread.com, Luan expressed his wish to leave cybercrime behind and\r\ncontribute positively to Brazil, acknowledging that it’s time to take responsibility for his actions.\r\nRevealing USDoD’s identity as a Brazilian citizen has legal consequences. While the extradition treaty between\r\nBrazil and the U.S. could allow Luan to face charges in the U.S., Brazil’s policy of not extraditing its citizens\r\nmight prevent this. Even if not extradited, Luan could still face charges in Brazil. 
His desire to reform may\r\ninfluence a more lenient legal approach focused on rehabilitation.\r\nBrazilian Arrest Tied to USDoD\r\nIn a significant breakthrough, Brazilian authorities arrested a 33-year-old male in “Operation Data Breach,”\r\nbelieved to be the infamous USDoD (aka EquationCorp), responsible for multiple large-scale cyberattacks.\r\nAlthough the press release didn’t explicitly name USDoD, the arrested individual boasted about compromising\r\nInfragard, a breach previously claimed by USDoD.\r\nUSDoD has been linked to major cyber incidents, including the National Public Data breach, which exposed the\r\npersonal data of millions of Americans. His involvement had been referenced in U.S. court documents since 2022,\r\nnotably in connection with the arrest of notorious hacker Pompompurin.\r\nSource: https://socradar.io/unmasking-usdod-the-enigma-of-the-cyber-realm/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socradar.io/unmasking-usdod-the-enigma-of-the-cyber-realm/"
	],
	"report_names": [
		"unmasking-usdod-the-enigma-of-the-cyber-realm"
	],
	"threat_actors": [
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "80edca9f-dcd6-491e-92f3-87ad1f575631",
			"created_at": "2023-10-14T02:03:14.694988Z",
			"updated_at": "2026-04-10T02:00:05.021046Z",
			"deleted_at": null,
			"main_name": "NetSec",
			"aliases": [
				"NetSec",
				"Operation Data Breach",
				"ScarFace_TheOne",
				"USDoD"
			],
			"source_name": "ETDA:NetSec",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "82a51997-1402-41c3-86df-6f9e522b2ba8",
			"created_at": "2024-04-27T02:00:03.554045Z",
			"updated_at": "2026-04-10T02:00:03.63698Z",
			"deleted_at": null,
			"main_name": "USDoD",
			"aliases": [],
			"source_name": "MISPGALAXY:USDoD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "adf68b66-8287-44de-9cdc-3277508a8126",
			"created_at": "2023-11-05T02:00:08.082461Z",
			"updated_at": "2026-04-10T02:00:03.400457Z",
			"deleted_at": null,
			"main_name": "RansomVC",
			"aliases": [
				"Ransomed.vc"
			],
			"source_name": "MISPGALAXY:RansomVC",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434925,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44df47143b0c20c40effc0746157391edbd65c48.pdf",
		"text": "https://archive.orkl.eu/44df47143b0c20c40effc0746157391edbd65c48.txt",
		"img": "https://archive.orkl.eu/44df47143b0c20c40effc0746157391edbd65c48.jpg"
	}
}