The culprit hacked his PC and left an SVF file with ransom information, we need to find out with OSINT: His name, Email, Location, install his crypto-transactions and see what else he does on DarkWeb.
Here is the picture the hacker left us.
Using the command line in Kali linux, enter the command strings and the name of the file, it will look something like this: $ strings sakurapwnedletter.svg | less
This is how the output will look like
By clicking on the namespaces line, we find out that our subject's name is SakuraSnowAngelAiko
SakuraSnowAngelAiko - Here comes the first result! The name is there, it's time to figure out the E-mail.
Let's turn to google and see what it gives us.
Not a lot of information, but it's already something you can work with.
But we still need his email. As stated in his work profile, Aiko is a software engineer, so he must have GitHub.
And here it is: https://github.com/sakurasnowangelaiko
Now let's turn to his PGP.
This decoder will help us decode it: https://cirw.in/gpg-decoder
Well, here's the E-mail: SakuraSnowAngel183@protonmail.com
Next is a little more complicated, we will do financial intelligence and identify the hacker's crypto-purses, and what transactions he made on them.
Based on the activity, we see that ETH is very often used.
Sometimes we post information that would be better not to share, there in the category update lies our hacker's crypto-wallet.
0xa102397dbeeBeFD8cD2F73A89122fCdB53abB6ef
Now we need to determine from which mining pool our hacker received transactions.
To do that we will need the service https://etherscan.io. It is free and allows us to look up what our Aiko was doing by wallet address.
There we can also see that the hacker sent from his Tether wallet
Next action, the hacker realized that we are looking for him and sends us the following message:
What can I say. Nerves make mistakes, but it's good for us.
Of course, at this stage, we already understand that our Hacker is not the smartest in the world, because by deleting the old account, he mentions his nickname in the new one.
The next question, also points to the iq - 100 of our "object" of research, namely: At what url are the passwords stored. It would seem to be a task on the level of CIA, but no. It's simpler than that.
Next comes the trick, there is a place in the dark web where you can easily throw your passwords, the thing is that only you have to know the hash.
It looks like this for anons like this, the answer is in the upper left corner.
Next, we need to find the MAC address of our hacker's wifi, and we do this with the wigle.net tool. wigle.net.
Works. The right entry DK1F-G (you have to register on the site, but it's worth it)
We are in the final phase of finding our hacker, now we need to set his geo-location.
We need to find:
The airport he flew out of, where he rested before he left, and the lake he posted on his Twitter.
The last picture he took before his flight looks like this:
I won't spell it out, but through a Google Lens search, you can come to the conclusion that this is Washington.
And from this picture you can quite understand where our hacker was resting before the flight.
The lake is established by a simple Google Earth search
So where does our hacker live?
We already know the answer from this picture:
This material is a translation of the M o t a s e m H a m d a n video by S c h w a r z _O s i n t.
Basically, it's over, and no intelligence or special services were required.
Most of the current OSINT tools you can find: