In the last few weeks, more than half a billion passwords stolen from some of the biggest social media websites in the world have been traded and sold in the internet's underground.
The data, taken years ago from sites such as LinkedIn, MySpace, Tumblr, and others, has already led to countless account takeovers, hitting regular people as well as celebrities and big names such as Mark Zuckerberg, Katy Perry, Lana Del Rey, and Twitter cofounder Biz Stone.
For weeks, no one knew who was behind these hacks and leaked data. The only name that surfaced was that of Peace, or Peace of Mind, a cybercriminal who was selling the hacked data on a dark web market. But when a website that serves as a repository of hacked credentials announced the MySpace hack, another name came out: Tessa88.
"The whole world will get to see some good stuff soon. :-) I'm just warming up the audience."
Until now, Tessa88 has acted mostly in the shadows, talking briefly with a few reporters. No one really knows for sure who they are, or what their role is in all these megabreaches. But now, thanks to an interview with Tessa88, as well as interviews with multiple sources who have been tracking them, Motherboard has been able to piece together a rough sketch.
"I am a very old inhabitant of the network :))," Tessa88 told us in a chat conducted in Russian, when asked who they are. They added that their real name isn't Tessa, because that's just the name of "a whore from Australia."
The handle Tessa88, however, apparently first surfaced in the web's darkest corners only around April 2016, perhaps a few weeks earlier, when the cybercriminal started selling hacked databases on Russian cybercrime forums.
Since then, Tessa88 has made between $50,000 and $60,000 worth of bitcoin, according to Andrei Barysevich, the director of Eastern European research and analysis for the security firm Flashpoint Intel, who claimed to have found Tessa88's bitcoin address.
Barysevich said "it's very likely" that behind the alias Tessa88 there are actually two people, perhaps a female and a male, and only one who's a native Russian speaker, judging from how they portray themselves and how they speak. (Our interpreter, who translated our chat with Tessa88, also said she thought we were talking to two different people.)
Tessa88 isn't just selling the data. They might also be the one (or one of a group) who stole it a few years ago from the companies' servers.
"VK.com, LinkedIn, MySpace, Fling, Dropbox, Tumblr, OK.ru, Twitter," Tessa88 said. "It was I who let it all come to light :-)"
"VK.com, LinkedIn, MySpace, Fling, Dropbox, Tumblr, OK.ru, Twitter. It was I who let it all come to light :-)"
Several people who've been studying Tessa88 and lurking in hacking forums confirmed that the hacker was likely part of the original team of cybercriminals, most likely Russian or Eastern European, who hacked LinkedIn, MySpace, and the other companies.
What happened between that time and now is a little unclear. But some speculate that the hackers used the credentials for years without ever publicizing the hack.
"The intention was not to have the information released or sold online but to used by the group," said Mark Arena, the CEO of Intel 471, a security firm that monitors the dark web.
The idea, Barysevich said, was to see if the passwords and username combinations from LinkedIn or MySpace would also work on other services, especially those where the criminals could steal money, such as PayPal, for example. Criminals have created automated tools that can take hundreds if not thousands of credentials and test them on a target site of choice, according to Barysevich.
After doing this for a few years, Tessa88 and the others had no more use for the data, and decided to try to make "the final dollar," as Barysevich put it, by selling the databases on the open market.
Tessa88 said that they started selling the data now because they are "severely" ill, and need money "to recover," although the hacker declined to specify the exact ailment.
This is where the story gets a bit muddy. A couple of months after Tessa88 started selling databases in Russian underground forums, the data surfaced also on the data breach notification site LeakedSource, as well on The Real Deal, a dark web market that specializes not only in drugs and other illicit physical goods, but also hacking tools and stolen data.
But it wasn't Tessa88 selling data on The Real Deal. It was another hacker, this one identifying himself as male and using the pseudonym Peace Of Mind. The two hackers apparently have some sort of rivalry going on, as ZDnet explained in a recent article.
"Peace_of_mind [is] a fagot who takes undue credit," Tessa88 told Motherboard, adding that Peace was not part of the team that originally hacked the companies. "I shared a dump for analysis! And he started selling it."
Peace said something similar about Tessa88.
"He stole [the hacked databases] from an old buddy," Peace said in an online chat. "Long ago. And he started to sell them."
The two don't appear to be done. For a couple of weeks, there have been rumors of an impending dump of hundreds of millions of Facebook accounts. Earlier this week, in their chat status, Tessa88 was advertising 500 million Facebook accounts for 5 bitcoin, or around $3700 at the time of writing. But in a chat, the hacker said they actually have more than 800 million accounts.
Despite promises to share a sample, however, neither Tessa88 nor Peace have produced any data yet. Whether the Facebook data is legitimate or not, there's a good chance there's more to come.
"The whole world will get to see some good stuff soon. :-)," Tessa88 said, before vanishing for days. "I'm just warming up the audience:-) I'm good at it, am I not?"
Joseph Cox contributed reporting for this article.