DataBreaches.Net


A joke gone too far: “thekilob” falsely accused of being responsible for DC Links breach

Posted on March 12, 2023 | September 26, 2024 by Dissent

On March 6, a forum post appeared on BreachForums that listed data for sale from the Health Benefit Exchange Authority, DC.gov.

The seller, a respected forum user known as IntelBroker, claimed that the data had been hacked within the past hour and contained information on 170,000 users.

Forum posting by IntelBroker attributed the hack of the Health Benefit Exchange to a group with a name redacted because it contains a racist term.
DataBreaches has redacted the name of the group IntelBroker attributed the breach to because the name is racist.

In less than a day, the data were listed as SOLD, and members of Congress, their staffs, and their family members were all dealing with the likelihood that their personal information and health insurance information was in the hands of ne’er-do-wells. The FBI would later state that they had bought data from the seller, but it is not clear if they bought all the data or only a sample for verification purposes.

On March 9, a new forum user, “Denfur,” listed the data again. This time, however, the data were not offered for private sale. Anyone paying 8 forum tokens/credits could acquire the data. Denfur also provided samples of the data and described it as containing the personal information of fewer than 55,000 users. The difference between the 55,000 users in the Denfur post and the 170,000 users in the IntelBroker post was explained as being due to duplication of records in the earlier sample.

Denfur’s post boldly added “Слава России!” (“Glory to Russia”).

A Joke Puts a Forum Member at Risk?

Because IntelBroker is a respected forum member, some people may have believed them when they edited their sales post to claim that they were selling the data on behalf of another forum user known as “thekilob.”

Those who were regular users of the forum might have recognized that it was unlikely that IntelBroker would be a middleman for thekilob. As thekilob stated to DataBreaches in a chat, “I think it is public knowledge that me and intelbroker had certain disagreements on the forum.”

Unfortunately for thekilob, while forum regulars might be aware of that, journalists unfamiliar with the individuals or forum might not know that. Adding to the misattribution, Denfur also claimed thekilob was responsible for the hack in their post.

News outlets such as Associated Press repeated the attribution and it appeared on every news site that syndicated AP’s coverage. Other news media such as Gizmodo also repeated the attribution.

The joke didn’t stop there, even. IntelBroker subsequently appeared to be banned by a forum moderator for being an “alt” (alternate user account or identity) of “thekilob.”

Given that this breach affected members of the U.S. Congress, one could realistically anticipate law enforcement would be vigorously pursuing thekilob, someone who is believed to be in Italy and whose real identity may already be known to law enforcement.

From the very first instance of the joke, DataBreaches quietly advised contacts that they should not give any credence to thekilob attribution, but now it is time to say it louder.

Today, “Denfur” removed the attribution to thekilob from their post, writing:

On request of Breached Forum staff, we have removed “thekilob” from our post. To comply with their request, we must state that Kilob was not involved with the hack, and the references to them this far through have been jokes. We would also like to note that we were in no way forced to remove mention of this name, we were simply given the option. Because we support and appreciate the space that Breached has given us, we complied with the request.

And to complete the attempted undoing of the joke, IntelBroker’s “ban” notice has been changed to reflect that it was really a self-ban (requested by IntelBroker). IntelBroker is not an “alt” of thekilob.

Hopefully, mainstream news outlets will issue corrections or updates and others will no longer repeat what was never a very funny joke.

Category: Government Sector, Health Data, U.S.


3 thoughts on “A joke gone too far: “thekilob” falsely accused of being responsible for DC Links breach”

  1. Denfur says:
    March 12, 2023 at 9:19 pm

    Contact me onsite, we must talk.

    http://breached65xqh64s7xbkvqgg7bmj4nj7656hcb7x4g42x753r7zmejqd.onion/User-Denfur

    1. Dissent says:
      March 13, 2023 at 7:26 am

      Can’t contact you on BF if you don’t have PM enabled, and it doesn’t look like you have it enabled. Why don’t you enable it and PM me there or hmu on Telegram @DissentDoe.

  2. joke says:
    March 13, 2023 at 11:59 am

    but a nice joke!
