Report: Surprise, Surprise, Mysterious Tessa88 Hacker is Russian National

What’s in a name? For cybersecurity defenders, apparently plenty.

Cyber investigator Recorded Future said it has hunted down the real name of a notorious hacker known as Tessa88, who in 2016 reportedly offered for sale on the dark web high-profile compromised databases of notables such as VKontakte, Mobango, Myspace, Badoo, QIP, Dropbox, Rambler, LinkedIn and Twitter.

The data included more than half a billion passwords stolen from some of the biggest social media websites in the world. (Note: In July 2016, Motherboard published what it claimed was an interview with Tessa88 to "piece together a rough sketch" of the shadowy hacker. "I am a very old inhabitant of the network :))," Tessa88 told Motherboard. At the time, no real names were revealed.)

Tessa88: Identity Revealed?

Maksim Donakov, a resident of Penza, Russia, is apparently the hacker’s real name, according to Recorded Future threat researchers Insikt Group (“insikt” is Swedish for “insight”). Donakov operated under the aliases Paranoy777, Daykalif and tarakan72511 to sell high-profile databases, Insikt said in a blog post. Insikt believes Donakov is a man, not a woman as widely reported. (Scroll down on Insikt’s blog to see pictures of who the researcher believes is Donakov.)

Keep firmly in mind that the unearthing of Donakov’s name is heady stuff not all that commonly found by researchers. Insikt appears to have conducted good old-fashioned detective work of the digital variety to create a profile of Tessa88. Some breadcrumbs Insikt followed:

  • It used data collected from publicly available sources, Recorded Future data, and dark web analysis.
  • The compiled information helped it to identify the contact information, alternative aliases, and tactics, techniques and procedures used by the actor.
  • As a result, the profile is of most use to email service providers, social media, and technological companies located primarily in the U.S. and Russia, Insikt said.
  • In early 2016, Tessa88 was banned from a series of black market web communities amid allegations of fraudulent activities.
  • Cybersecurity researchers subsequently tried to discover Tessa88’s identity but no clear evidence tied the hacker to an actual person. There was even some speculation that an accomplice helped to maintain the Tessa88 account.
  • Insikt’s sources believe that Donakov is a real person born on July 2, 1989. He reportedly was released under police supervision but was then imprisoned after committing another crime in 2014.
  • Cybersecurity provider InfoArmor claims that Tessa88 acted as a proxy who sold accounts and confidential personal information stolen by a group of hackers.

"Within several months of incredibly active public engagement, the hacker's personas were banned from almost every dark web community for various reasons, and by May of 2016, Tessa88 entirely ceased all communications with the media and public alike," according to the Insikt report. "In either scenario, we firmly believe that Donakov Maksim has directly benefited from the sales of compromised databases and should be viewed as the main actor."

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.