Contactez-nous Suivez-nous sur Twitter En francais English Language

De la Théorie à la pratique

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN



Exposed: the Hacktivist who Defaced Websites in 40+ Countries

May 2020 by Check Point

Check Point researchers identify cyber-criminal who tweeted a personal goal to hack 5,000 websites globally, which he nearly accomplished by spreading anti-government messages to websites of official governments, academic institutions and private companies.

• Hacker nearly reaches goal by hacking 4,820 websites in 40+ countries across the world (USA, UK, Australia, Netherlands, Italy and more)
• USA ranks #1 on hacker’s hit list, making up 57% of hacker’s website attack volume
• Researchers leverage social media to trace hacker’s location to a city in Brazil

Researchers at Check Point have uncovered the identity of a lone hacker responsible for the defacement of thousands of official government websites globally. Active since 2013, the hacker self-identifies as ‘VandaTheGod’, targeting a number of countries including the USA, Brazil, Dominican Republic, Trinidad and Tobago, Argentina, Thailand, Vietnam, and New Zealand, among others.

Check Point’s researchers say that the hacker isn’t motivated by money, but hacktivism – the orchestration of cyber-attacks designed to spread a specific ideology. In VandaTheGod’s case, the hacker focused on social injustices and pushed messages centered around anti-government sentiments. For example, the hacker defaced a Brazilian government website with the hashtag: #PrayforAmazonia, as a response to the burnings of the Amazon rain forest allegedly carried out by the Brazilian government.

USA Ranked #1 on Hacker’s Hit List

The United States ranked at the top of the hacker’s hit list, followed by Australia and the Netherlands. In fact, the United States made for nearly 57% of the hacker’s cyber attacks on websites (612 total websites), which included the official website of the state of Rhode Island and the city of Philadelphia, among others. The hacker’s activity also extended beyond hacktivism to include credit card and personal credential theft. The hacker attempted to breach details from public figures, universities and even hospitals. In one such case, the hacker claimed on social media to have access to the medical records of 1 million patients from New Zealand, offering to sell each contact for $200 per record.

VandaTheGod made the habit of publicizing his exploits on social media, primarily on Twitter. Disguising himself under multiple aliases, such as “Vanda de Assis” and “SH1N1NG4M3, the hacker tweeted a public goal to hack over 5,000 websites. VandaTheGod nearly reached his goal, as Check Point researchers linked 4,820 hacked websites to the hacker. However, this prolific social media activity proved to be a double-edged sword, for Check Point researchers first took notice of the hacker’s social activity and scoured it for clues to reveal their true identity.

Check Point researchers used VandaTheGod’s Twitter and Facebook accounts to gather clues on the hackers real identity. After scanning years of posts and tweets, Check Point researchers traced the real identity of the hacker to an individual living in Uberlandia, Brazil. Check Point alerted relevant law enforcement.

Check Point’s Manager of Threat Intelligence, Lotem Finkelsteen said: “This case highlights the level of disruption that a single, determined individual can cause internationally. Although ‘VandaTheGod’s’ motive originally seemed to be protesting against perceived injustices, the line between hacktivism and cyber-crime is thin. We often see hackers taking a similar path from digital vandalism to credentials and money theft as they develop their techniques. Revealing the person’s true identity and disclosing it to law enforcement should put an end to their extensive disruptive and criminal activities.”

# of Hacked Websites by Country

The table below presents the number of hacked websites, per country, in the time frame between May 2019 – May 2020 according to h-zone records, while the hacker’s activities were being traced by Check Point researchers. Many more websites globally were affected between the hacker starting activity in 2013 and May 2019.

See previous articles


See next articles