Yesterday, the threat actor known as “USDoD,” “NatSec,” “EquationCorp,” and other aliases admitted to HackRead that he is a Brazilian national named Luan and that he lives in Brazil. In a statement to HackRead, he wrote:
So congrats to Crowdstrike for doxing me, they are late for the party, intel421 Plus and a few other companies already doxed me even before the Infragard hack. I want to say thank you, it is time to admit I got defeated and I will retire my Jersey. Yes, this is Luan speaking. I won’t run, I’m in Brazil, the same city where I was born. I am a huge valuable target and maybe I will talk soon to whoever is in charge but everyone will know that behind USDoD I’m a human like everyone else, to be honest, I wanted this to happen, I can’t live with multiple lives and it is time to take responsibility for every action of mine and pay the price doesn’t matter how much it may cost me. This is not my end. Thank you, see you around. Don’t worry Brazilian authorities, I’m coming to meet you, I’m not a threat, in fact, I can do much for my country.
USDoD subsequently confirmed his plans to DataBreaches in a Telegram chat, saying that he would speak with his lawyer and then turn himself into Brazilian Federal Police. But when asked what charges they might have against him if he never attacked any Brazilian entities, he was uncertain. Could they and would they even hold him on a request from the U.S. for extradition? Would there be any other basis for charging him in Brazil?
He told DataBreaches that as soon as he spoke with his lawyer about his plans to turn himself in, he’d be back in touch with the details and a statement he hoped this site would publish. “This is not the end.” he reiterated.
What a Difference a Day — or Lawyer Consultation — Makes
He didn’t return. Or at least, he hasn’t returned yet. Instead, he asked a third party to forward a screenshot of a chat he had with that person:
The gist of the chat was that USDoD spoke with his lawyer and found out that Brazilian authorities had not been investigating him at all until the CrowdStrike and TecMundo articles, and that they had no charges against him.
“If I turn me him, They Will think im crazy,” he wrote to the third party.
He asked his lawyer if he could leave the country, and she told him that he could and that he would not be stopped.
“Screenshot this for dissent,” he asked the third party.
“im not turn myself in” (sic).
So What Next?
USDoD’s real identity (Luan Barbosa Gonçalves) and location in Brazil (Minas Gerais) are now known. He could stay in Brazil and probably have no trouble with authorities there. As he and others have noted, Brazil is unlikely to extradite him, even if extradition is requested.
But now that he has been identified and his picture has been shown, previous criminal associates might come looking for him or his family if they fear he might “snitch” on them or if they have any gripes about him.
He could leave Brazil and go somewhere else, but can he even afford to do that? He never seemed to be successful financially as a threat actor, and for many of his operations, the motivation didn’t really seem to be financial as much as him posing challenges to himself to be able to gain access to targets that should be better protected or secured.
So what will he do? Time will tell.