RISC CTF Writeups

Who am I?

OSINT: Who am I? (200pts)

Challenge Description

We’ve been tracking an up-and-coming cyber-crime group Red Spider (APT83). A user we suspect of being part of the group has been posting on a Reddit burner account u/Sufficient_Stay_7509. Find out what their name is.


Approach

First, we start with the Reddit user that we are given: u/Sufficient_Stay_7509. Scrolling through their posts, we can pick out the following clues:

  • Named after either John Keating or Robin Williams?
  • Name is similar to Alex?
  • “Risky man”?

This isn’t really much to go on, and we’d be guessing if we drew any conclusions right now. Let’s take a look at the web archive.

Searching the Wayback Machine for reddit.com/user/Sufficient_Stay_7509 shows a capture on June 26th. If we open the snapshot, we can see a now-deleted comment referring to a GitHub account, HackermanRISCy.
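The same Wayback Machine lookup can be scripted against the archive's CDX index, which lists every capture of a URL. This is an added example, not part of the original writeup: the helper names are hypothetical and the sample response is constructed (the writeup gives only "June 26th", so the year and time are invented).

```python
import json
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"

def cdx_query_url(target, limit=50):
    """URL listing distinct, successfully archived captures of `target`."""
    params = [("url", target), ("output", "json"),
              ("filter", "statuscode:200"),  # skip redirects and error pages
              ("collapse", "digest"),        # drop consecutive identical captures
              ("limit", str(limit))]
    return CDX_ENDPOINT + "?" + urlencode(params)

def parse_captures(cdx_json):
    """Parse CDX JSON (header row, then data rows) into dicts with a replay URL."""
    rows = json.loads(cdx_json) if cdx_json.strip() else []
    if not rows:                 # no captures: empty body or "[]"
        return []
    header, data = rows[0], rows[1:]
    captures = []
    for row in data:
        rec = dict(zip(header, row))
        ts = rec["timestamp"]    # YYYYMMDDhhmmss, UTC
        rec["date"] = f"{ts[:4]}-{ts[4:6]}-{ts[6:8]}"
        rec["replay"] = f"https://web.archive.org/web/{ts}/{rec['original']}"
        captures.append(rec)
    return captures

def captures_on(captures, month, day):
    """Captures taken on a given month/day in any year."""
    return [c for c in captures if c["date"][5:] == f"{month:02d}-{day:02d}"]

# Constructed sample response: timestamps, digests and lengths are invented.
PROFILE = "reddit.com/user/Sufficient_Stay_7509"
SAMPLE_CDX = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["com,reddit)/user/sufficient_stay_7509", "20220626101500",
     "https://www.reddit.com/user/Sufficient_Stay_7509", "text/html", "200",
     "CONSTRUCTEDDIGEST0000000000000001", "51234"],
    ["com,reddit)/user/sufficient_stay_7509", "20220703090000",
     "https://www.reddit.com/user/Sufficient_Stay_7509", "text/html", "200",
     "CONSTRUCTEDDIGEST0000000000000002", "49870"],
])

if __name__ == "__main__":
    print(cdx_query_url(PROFILE))
    for cap in captures_on(parse_captures(SAMPLE_CDX), 6, 26):
        print(cap["date"], cap["replay"])
```

Opening a replay URL shows the page as it was archived, which is why content deleted from the live profile can still be read.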

Visiting this GitHub profile reveals a repository, BRUTUS, which has a single file. Clearly this person is a real hacker, since their Python files have txt extensions :^)

At this point, unfortunately, the LinkedIn account we had set up got banned for some unknown reason. This account was linked at the bottom of the script, and visiting it would reveal a person named “John Riscman”. Given the context, this seems a pretty likely candidate for the name: it matches “risky man”, and the person is named after John Keating.

So, the flag is:

RISC{John_Riscman}

Solved!