
Researchers claim ‘MacronGate’ linked to internet troll

Qurium researchers claim to have traced the first leak of data allegedly stolen from then French President Emmanuel Macron, a leak claiming the then-candidate had offshore accounts in the Bahamas during his 2017 campaign, to the black hat troll weevlos.

The Qurium researchers tied together several disparate pieces of information and followed a string of clues to come to this conclusion. 

The researchers traced the first leak from a “4chan /pol” discussion forum to the nouveaumartel(dot)com domain. This domain was traced to the Cloudflare content delivery network (CDN), which was also linked to the dailystormer(dot)com domain.

“Days before the second round of elections, there were two major data leaks in the ‘4chan /pol’ discussion Forum,” according to a Qurium blog post. “The first leak is publicly known as the ‘offshore account in the Bahamas’ (#MacronGate #MacronCacheCash) and the second as ‘Macroleaks’ (#EMLeaks, #MacronLeaks), a large leak of data that contains many tens of thousands emails, photos, attachments up to April 24, 2017.”

Researchers then set out to find who ran the CDN domain, which led them to a hidden IPv6 address.

“DNS lookup reveals account name: IPv6 DNS lookup of the IPv6 address 2001:470:c:de6::2 returns: weevlos-1-pt.tunnel.tserv15.lax1.ipv6.he.net,” researchers said in the post. “Who provides the IPv6 address: The IPv6 prefix is announced by Hurricane Electric tunnelbroker{.}net as part of their IPv4 to IPv6 free service.”

Furthermore, researchers said the DNS name of the origin IPv6 address is “weevlos,” which was provided by a tunnel termination of Hurricane Electric tunnelbroker(dot)net.

Weevlos is the nickname used by blackhat hacker Andrew Auernheimer, Qurium said.
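The reverse-DNS step described above can be turned into an audit of your own origin addresses for PTR names that embed an account label. This is an added example, not code from Qurium or SC Media; the hostname layout in the regex is an assumption inferred from the single hostname quoted in the article, and the second record is constructed sample data.

```python
import ipaddress
import re

# Address and PTR answer as quoted in the article.
ORIGIN_ADDR = "2001:470:c:de6::2"
PTR_ANSWER = "weevlos-1-pt.tunnel.tserv15.lax1.ipv6.he.net"

# Assumed layout, inferred from the one hostname above:
#   <account>-<n>-pt.tunnel.<server>.<site>.ipv6.he.net
TUNNEL_PTR = re.compile(
    r"^(?P<account>[a-z0-9_-]+?)-(?P<index>\d+)-pt\.tunnel\."
    r"(?P<server>[a-z0-9]+)\.(?P<site>[a-z0-9]+)\.ipv6\.he\.net\.?$",
    re.IGNORECASE,
)


def ptr_query_name(addr: str) -> str:
    """Return the ip6.arpa / in-addr.arpa name a resolver queries for addr."""
    return ipaddress.ip_address(addr).reverse_pointer


def parse_tunnel_ptr(hostname: str):
    """Split a tunnel-style PTR answer into labels, or None if it does not match."""
    match = TUNNEL_PTR.match(hostname.strip())
    return match.groupdict() if match else None


def audit(records: dict) -> list:
    """records maps address -> PTR answer; report PTRs that expose an account label."""
    findings = []
    for addr, ptr in records.items():
        parsed = parse_tunnel_ptr(ptr)
        if parsed:
            findings.append((addr, ptr_query_name(addr), parsed["account"]))
    return findings


if __name__ == "__main__":
    sample = {
        ORIGIN_ADDR: PTR_ANSWER,
        "2001:db8::10": "web01.example.net",  # constructed, documentation prefix
    }
    for addr, qname, account in audit(sample):
        print(f"{addr}\n  PTR query: {qname}\n  exposed label: {account}")
```

To run it against live data, fill `records` with PTR answers from your own resolver; the block itself makes no network calls.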
