When Cybercrooks Pose as Security Researchers, Who Can Tell the Difference?

cybercrime Nov 15, 2021

Vinny Troia. Chances are you've heard of him before if you're reading this blog post, and if not then buckle in. You're about to read the story of a madman.

I should start this off by saying that no "ethical" security researcher of any kind dumps data from open databases to then either post it online or trade it, or to use it for their own personal purposes such as doxing people. If it was an "ethical" pentest (something Vinny claims to do), he wouldn't be dumping all the data before reporting it to the website owner(s). It is not responsible disclosure if you steal data from a website and then report the vulnerability after the fact.

569.095. Tampering with computer data — penalties. — 1. A person commits the offense of tampering with computer data if he or she knowingly and without authorization or without reasonable grounds to believe that he has such authorization:

(1) Modifies or destroys data or programs residing or existing internal to a computer, computer system, or computer network; or

(2) Modifies or destroys data or programs or supporting documentation residing or existing external to a computer, computer system, or computer network; or

(3) Discloses or takes data, programs, or supporting documentation, residing or existing internal or external to a computer, computer system, or computer network; or

(4) Discloses or takes a password, identifying code, personal identification number, or other confidential information about a computer system or network that is intended to or does control access to the computer system or network;

(5) Accesses a computer, a computer system, or a computer network, and intentionally examines information about another person;

(6) Receives, retains, uses, or discloses any data he knows or believes was obtained in violation of this subsection.


(Source: https://revisor.mo.gov/main/OneSection.aspx?section=569.095 )

Ignoring his various aliases on RaidForums where he has leaked data for a minute, he is still in violation of the law. Vinny has publicly acknowledged that he has at least dumped Exactis, as he's the one who provided it to Have I Been Pwned. He also dumped the Apollo.io database. "The data was discovered by security researcher Vinny Troia who subsequently sent a subset of the data containing 126 million unique email addresses to Have I Been Pwned." - Excerpt from the Have I Been Pwned entry for the Apollo.io data breach.

Vinny and the Astoria Breach

For this section, I suggest you read https://nightlion.com/blog/2021/astoria-company-breach/ first, then read this. It will give context for what I'm talking about in this part.

He also somehow has the full Astoria breach, which from my understanding only 3 people had some type of involvement in. DonJuji, Vinny, and "Seller13". ShinyHunters was never involved with the breach, as stated here by him. It's up to you if you believe Shiny, I personally trust that he wouldn't lie about such a thing. Vinny obtained the entire dump somehow, since he provided it to Have I Been Pwned. "In January 2021, over 11M unique email addresses were discovered by Night Lion Security" - Have I Been Pwned entry.

Full Astoria Breach in BreachCheck.io (Import-Date is incorrect, Vinny hasn't learned dates as of yet)

Vinny fails to prove that Shiny ever even had the breach, despite naming him as the main person who supposedly dumped it. Shiny wouldn't be using a separate XMPP account for selling Astoria either, yet the screenshot provided on Vinny's blog shows "[email protected]" as the contact method on the sales thread.

Screenshot provided by NightLion.com - https://nightlion.com/blog/2021/astoria-company-breach/

In another screenshot, Vinny shows the popular database tool Adminer, claiming that it was "Permanently logged into".

"we noticed immediately that the admin credentials for user “adminastoria” were pre-saved, allowing anyone complete access to the database from a public URL — no authentication needed."

This is also horrifyingly inaccurate; Adminer does not work like this. Here is a simple demonstration I did to prove that Adminer does not save credentials. You can do this yourself.

To experiment, I downloaded the same version of Adminer provided in the screenshot.
https://github.com/vrana/adminer/releases/download/v4.2.5/adminer-4.2.5.php

Before logging in, I made sure the "Permanent login" box (really just a "Remember me" checkbox) was checked, to show I am indeed logging in correctly.

Login page for Adminer (For all the skids who may try, I'll save you the trouble: I removed the Adminer script after testing. It's no longer on my website)

Okay, great, I'm now logged in.

Now, to test if a login is actually "Permanent" as Vinny claims, and not just a session cookie stored in your browser, I visited the same page using the Tor Browser.

Weird... it's almost like the "Permanent login" feature is just a weirdly named "Remember me" feature. This means that Vinny had to have logged into Adminer for it to show as it did on his screen.
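As an added illustration (not code from this post, and not Adminer's own implementation), here is a Python model of what a "Permanent login" / "Remember me" checkbox does in general: the server hands the browser that logged in a signed token and keeps no record of that login itself, so a second browser with an empty cookie jar, the Tor Browser in the test above, lands on the login form. The cookie name, the credential table, the secret key and the class names are all constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed per-server secret for the demo; a real deployment keeps one per install.
SERVER_KEY = secrets.token_bytes(32)

# Constructed credential check for the demo. Adminer forwards the credentials to the
# database server instead; this stand-in only keeps the example self-contained.
VALID_LOGINS = {"demo-admin": "demo-password"}

REMEMBER_COOKIE = "demo_permanent"  # hypothetical cookie name, not Adminer's


def _sign(payload, key):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_remember_cookie(username, key=SERVER_KEY, ttl=30 * 24 * 3600, now=None):
    """Build a signed remember-me token: base64(payload).hmac. Only the browser that
    logged in ever receives it; the server stores nothing about it."""
    now = time.time() if now is None else now
    payload = json.dumps({"u": username, "exp": int(now + ttl)}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload, key)


def verify_remember_cookie(cookie, key=SERVER_KEY, now=None):
    """Return the username if the token is intact and unexpired, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, binascii.Error):
        return None
    # Check the signature before trusting anything inside the payload.
    if not hmac.compare_digest(sig.encode(), _sign(payload, key).encode()):
        return None
    try:
        data = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("exp", 0) < now:
        return None
    return data.get("u")


class Browser:
    """One browser profile with its own cookie jar (the normal browser versus a
    fresh Tor Browser in the test described above)."""

    def __init__(self):
        self.cookies = {}


class AdminPanel:
    """Toy login flow with a remember-me checkbox. Not Adminer's code; it only
    models where the 'permanent' state actually lives."""

    LOGIN_PAGE = "login page"

    def __init__(self, key=SERVER_KEY, clock=time.time):
        self.key = key
        self.clock = clock
        self.sessions = {}  # server-side sessions for ordinary (non-permanent) logins

    def login(self, browser, username, password, permanent=False):
        if VALID_LOGINS.get(username) != password:
            return self.LOGIN_PAGE
        if permanent:
            browser.cookies[REMEMBER_COOKIE] = issue_remember_cookie(
                username, self.key, now=self.clock())
        else:
            sid = secrets.token_hex(16)
            self.sessions[sid] = username
            browser.cookies["session"] = sid
        return "database overview for " + username

    def request(self, browser):
        user = self.sessions.get(browser.cookies.get("session"))
        if user is None:
            user = verify_remember_cookie(
                browser.cookies.get(REMEMBER_COOKIE, ""), self.key, now=self.clock())
        return self.LOGIN_PAGE if user is None else "database overview for " + user


def demo():
    """Replay the check from the post: log in with 'permanent login' in one browser,
    then open the same URL from a browser that holds no cookies."""
    panel = AdminPanel()
    normal, fresh, tampered = Browser(), Browser(), Browser()
    results = {"login": panel.login(normal, "demo-admin", "demo-password", permanent=True)}
    results["same_browser_revisit"] = panel.request(normal)
    results["fresh_browser"] = panel.request(fresh)  # the Tor Browser visit
    token = normal.cookies[REMEMBER_COOKIE]
    # Flip the last signature character to show the token cannot be edited or forged.
    tampered.cookies[REMEMBER_COOKIE] = token[:-1] + ("0" if token[-1] != "0" else "1")
    results["tampered_cookie"] = panel.request(tampered)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:>22}: {outcome}")
```

Running the file prints the four outcomes. The only place the "permanent" login exists is the first browser's cookie jar; the server holds no open session for the fresh browser and rejects an edited token, so a screenshot of an Adminer instance showing an open database is evidence of a browser that had logged in, not of a URL that needs no authentication.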

While Vinny could've wiggled out of this by saying he was simply confused about the "Permanent login" feature and that he dug around the webshell uploaded on one of Astoria's domains, he very firmly states that "We did not progress any further into the web shell – we only took this single screenshot.".

Vinny's misunderstanding of how Adminer works while writing up his fake story proves that he is indeed lying about something. He either got the login from DonJuji, or he looked through the files on the webshell to find the password and then logged in. Which one was it? He should have no reason to lie.

TL;DR for that section: Vinny lied about an Adminer being "permanently" logged into. He either got the credentials from someone and then logged in, or he found them himself by going through a webshell he claims he never touched besides taking a single screenshot.

Also, no hacker who wishes to sell data would leave the system vulnerable after taking the data. They would either patch the vulnerability themselves, delete all the files they uploaded, or inform the company so it gets fixed. It's generally understood that if you list something for sale, people will start poking around at the company, which is why you always cover your tracks and remove the vulnerability. Vinny's claims of somehow "finding" this himself after a sales thread was put up make no sense. ShinyHunters would not make such a stupid mistake.

Lastly, there is no webshell called "Corex" like Vinny states there is. It is just the WSO webshell renamed (a webshell DonJuji commonly uses, by the way). From the wordlists I looked through, I could not find "Corex.php" anywhere, so how did Vinny "find" it? He would've needed to send thousands of requests to even have a chance of scanning for the file, and it isn't a common filename.

If you wish to read more about Vinny's shady practices, and how he lied about even more stuff, check out the report by Databreaches.net, which has way, way more proof and a comprehensive look at the Astoria breach: https://www.databreaches.net/wp-content/uploads/WhatHappened-rev1.pdf


RaidForums accounts, leaking databases

Vinny has gone by multiple aliases on RaidForums, and he commonly leaked databases to be able to obtain "credits" on RaidForums (which are used to unlock database threads).

Bishop99 = VinnyTroia

Vinny attempting to say someone could've "stolen" his account to leak databases on. He references a dox I made on him, where I logged into a bunch of his old accounts as proof that he reuses passwords, but all the accounts were from before 2013.
Username history for the "Bishop99" account.

"v1per" = dataviper.io, nightcat = Night Lion. Vinny isn't the best at coming up with aliases.

Vinny being a skid, trying to get help starting DataViper
Vinny breaking character

Databases leaked by "Bishop99" on RaidForums, alongside the date that they were added to Vinny's data breach search engine:

Jan. 2018         - Gametuts loaded into DataViper // BreachCheck owned by Vinny Troia.
March 04, 2018    - "Gametuts Database - Leaked, Download!" posted by "Bishop99" on RaidForums

Jan. 2019         - EliteFitness loaded into DataViper // BreachCheck owned by Vinny Troia.
August 15, 2019   - "EliteFitness.com 334k" posted by "Bishop99" on RaidForums

Feb. 2018         - hounddawgs loaded into DataViper // BreachCheck owned by Vinny Troia.
March 07, 2018    - "Hounddawgs.org - 40k users list" posted by "Bishop99" on RaidForums

All "Import dates" are sourced from here: https://breachcheck.io/data-sources/

"A practitioner must avoid doing anything that furthers the criminal objectives of others on the forums." - https://www.justice.gov/criminal-ccips/page/file/1252341/download

Wouldn't you say that posting previously private hacked data on a forum would help everyone wishing to commit crimes on the forums?

"In some criminal forums, participants may be required to establish their criminal bona fides by assisting in a criminal act or furnishing proof that they have committed a prior offense. Do not provide any valid, useful information that can be used to facilitate a crime. Doing so could result in civil or criminal liability."

I rest my case. Vinny Troia is just as much a criminal as me, or anyone else on RaidForums who leaks databases. If you are a federal agent and you're reading this for whatever reason you may have, look into Troia also. Thanks.

Have more proof for me to add to this? Contact me via one of the methods on https://pompur.in

pompompurin

A threat actor on the internet
