Cyber Threat Actor: VandaTheGod
| Actor Type | Location | Known Incidents |
Hacker
|
Brazil
|
10 incidents |
|---|
Profile
VandaTheGod, also known as Vanda the God, is the online alias used by Marcos Roberto Correia da Silva, a 24‑year‑old individual operating from Brazil. The actor first came to public attention in early 2021 when Brazilian Federal Police arrested him during Operation Deepwater for allegedly orchestrating the country’s largest personal data leak. Authorities alleged that confidential records – including CPF and CNPJ numbers, full names and addresses of roughly 223 million Brazilians – were illicitly obtained and subsequently offered for sale on cybercrime forums such as RaidForums. A second individual using the handle “JustBR” was identified as the party who advertised the stolen data on those forums. The arrest resulted in the seizure of the suspect’s computer and mobile device, and law enforcement noted that several government officials were among those whose data appeared in the compromised set. The actor’s age and true name were confirmed in contemporaneous reporting, linking the alias to a specific Brazilian resident.
Beyond the data‑sale operation, VandaTheGod has been linked to a series of website defacement and disruption campaigns targeting government, educational and healthcare entities in multiple countries. In August 2019 the actor claimed responsibility for taking down the Tu Ora Compass Health server in New Zealand, which rendered the websites of four affiliated medical centres inaccessible; initial messages described the act as a protest, later statements indicated the intended targets were government or educational domains. Similar defacements were reported against the University of Florida’s websites and dozens of government sites worldwide, where the actor posted vulgar anti‑government messages demanding more jobs, hospitals and condemning corruption and law enforcement. These actions were publicized through the actor’s Twitter account, which also served as a platform to claim responsibility and to communicate with journalists. No public reports associate VandaTheGod with specific malware families, exploit kits or sophisticated intrusion tools; the observed tactics consist of web‑site defacement, service disruption and the illicit exfiltration and sale of personal data. The actor’s communications have included phrases such as “spam my mensage” and have fluctuated between claiming protest motivation and denying intentional harm to medical facilities, reflecting an inconsistent narrative about target selection. The cumulative effect of these activities has been intermittent downtime for the affected online services and the widespread distribution of sensitive personal information on illicit markets.
