Hacking websites is an activity typically condemned. But sometimes hackers are given more leeway based on why they hack. Hacktivists, for example, break into websites not for financial gain but to make a political statement. And often those statements do point to legitimate concerns or complaints. However, the line from hacktivist to full cybercriminal can be an easy one to cross, as revealed by cyber threat intelligence provider Check Point Research.

SEE: Security Awareness and Training policy (TechRepublic Premium)

In a blog post published Thursday, Check Point detailed the exploits of a hacker self-dubbed “VandaTheGod,” describing how this person turned from hacktivist to cybercriminal before being identified and reported to law enforcement.

In the hacking business since 2013, VandaTheGod started by defacing government websites in a variety of countries, including Brazil, the Dominican Republic, Trinidad and Tobago, Argentina, Thailand, Vietnam, and New Zealand. The messages left on the hacked websites implied that this person was motivated by social outrage over government corruption and injustice.

In one instance, the hacker defaced a Brazilian government website with the hashtag: #PrayforAmazonia as a reaction to the burnings of the Amazon rainforest allegedly carried out by the Brazilian government.

Image: Check Point Research

Fond of self-promotion, VandaTheGod used multiple aliases, such as “Vanda de Assis” and “SH1N1NG4M3” to share these hacking exploits via social media, primarily Twitter. Many of these tweets were written in Portuguese, pointing to the nationality of the hacker. In some cases, VandaTheGod also claimed to be part of something called the “Brazilian Cyber Army” or “BCA.”

At one point, though, this person turned the hackings into a game by boasting that the goal was to hack a total of 5,000 websites. To reach this number, VandaTheGod expanded to other countries such as the United States, Australia, and the Netherlands. Over the past 12 months, the US made up almost 57% of these attacks against websites, which included those of the state of Rhode Island and the city of Philadelphia, among others.

Image: Check Point Research

As public reports and news detailed VandaTheGod’s exploits, the hacker seemed to relish the attention, even uploading some of the media videos to the VandaTheGod YouTube channel.

At this point, the urge to make a profit from hacking seemed too strong to resist. VandaTheGod moved on to credit card and personal credential theft by hacking the sites of public figures and universities. As one example, the hacker compromised the email account of Brazilian actress and TV presenter Myrian Rios.

To cement the transition to cybercriminal, VandaTheGod targeted the US health sector by hacking the sites for US Health and Life, Putnam Health, National Employees Health Plan, and Texas Women’s Health Services. In one case, the hacker claimed on social media to have access to the medical records of 1 million patients from New Zealand, offering to sell each contact for $200 per record.

Image: Check Point Research

Based on the records of defaced websites, VandaTheGod came close to the goal with 4,820 hacked websites linked to this attacker. Though most of these websites were hacked by scanning the internet for known security weaknesses, many were government and academic sites that VandaTheGod apparently targeted on purpose.

But VandaTheGod’s need for promotion and publicity became the attacker’s undoing. Analyzing and correlating the hacker’s social media accounts, backup accounts, email addresses, and websites, Check Point narrowed down the person’s identity to a specific Brazilian individual from the city of Uberlândia. Check Point then passed its findings along to the proper law enforcement authorities. Since then, there’s been no profile activity or updates for the VandaTheGod accounts. The Twitter account, for example, shows no updates since November 2019.

“This case highlights the level of disruption that a single, determined individual can cause internationally,” Check Point’s Manager of Threat Intelligence, Lotem Finkelsteen said in a press release. “Although VandaTheGod’s motive originally seemed to be protesting against perceived injustices, the line between hacktivism and cyber-crime is thin. We often see hackers taking a similar path from digital vandalism to credentials and money theft as they develop their techniques.”

Image: nantonov, Getty Images/iStockphoto