Friday, May 24, 2024

Hacker claiming to be behind PSA, PNP, DOST data breaches speaks, asks for forgiveness

Just before midnight on Sunday, Oct. 14, an individual with the handle DiabloX entered an ongoing (Twitter) Space that was discussing the recent hackings on Philippine government agencies and spoke to listeners. According to him, it was alright that his words be recorded as it was his last “play” in cyberspace.

The speaker claimed to have been the one behind 2023 hackings and data leaks of the Philippine Statistics Authority (PSA), the Department of Science and Technology (DOST) OneExpert portal, Philippine National Police (PNP) Forensic Group, Clark International Airport, and Technical Education and Skills Development Authority (TESDA).

The individual claimed that no one had pushed him to do his actions and asked forgiveness, that he knew that he would need to answer to the law, and that he was getting out of the cyber scene and was just going to live a normal and peaceful life.

According to him, he had hacked another person’s Gmail account and used it to leak PSA data, and he was sorry about it. He also claimed to have used Open Source Intelligence (OSINT) tools and manual tinkering to get into the systems of PSA and PNP.

He claimed that he did not release the full PSA database — just a sample of it — and stated that he held critical data, which he vowed to delete as he had no intention to sell or release the rest.

He also stated that he was able to get everything from the PSA website, which contained sensitive data — 42 billion records which he had no plans to release, because if he did, Filipinos would drown in scams.

The individual claimed that he entered the PSA website through a registration form vulnerability which did not have a “blocker” on the inside, that he had difficulties with the username and password of the database which were hidden, but he was eventually able to get in because he had certain tools and eventually got them. He claimed that the application layer was good and that hackers would have difficulty accessing it.

He also claimed that he had an “advance” backdoor on the website which previous hackers had uploaded to rifle through files, and that he did not run out of strategies to penetrate the system. He claimed that he had released a small amount of data from the PSA website in order for them to know that their systems had been breached.

He also claimed to have used registration form vulnerabilities on other websites so he immediately knew what to do in order to enter. For those that did not have them, he said he had tools to detect and get SQL-type data.

He cited Clark International Airport as another example of a website that had a registration form vulnerability, that he bypassed the uploader, and mentioned the uploading of scripts.

On PNP and TESDA, he claimed that he had gotten a lot more data, but would not comment on them, and that he had no plans to sell them.

He stated that the contents of the PNP samples that he leaked were frightening — they were labeled “forensic” and that they were really sensitive, and asked what would happen if he put out the entire dataset. He then stated that he had no plans to release them as it would alter the background of the Philippines.

He also claimed that the systems had backdoors where hackers could go in and out of, and that he used ransomware-related tools to enter TESDA to obtain and release 300,000 emails, but not the names and numbers of data subjects.

He claimed to have a lot of data from TESDA, names and emails, and the same for PSA, with IDs, emails, and passwords. With DOST, he only had 10,000 such pieces of information.

He stated that he wanted the government to give importance to cybersecurity, but he did not know if the government could fix the problem. He added that if the government did its job, the cyberattacks would not happen.

According to him, the government has been remiss in its duties and responsibilities. He said that cybersecurity folks knew the problem because they were experts and that those who did not know their jobs should be removed.

Also according to him, if his main Facebook had not been deleted, the public would know the full extent of how the government was hit by the data leaks. He claimed to have mostly accessed just government sites, and only a small number of education sites.

He also claimed that he had no other aspiration than to test and practice on government websites, that he already had a job as a “red teamer” (offensive security tester) with a cybersecurity group, and that he was a 19-year-old guy from Mindanao. He claimed to be a simple farmer from the poor who started early.

He said that his story behind being DiabloX was that he was defending his countrymen and that he did his actions in the service of humanity. He added that he was out to counter the corrupt whom he was really angry at, and that it was why he hit the PSA and really wanted to crush the data.

He claimed to be really angry at the government and vowed never to work with them. He then reiterated that he was furious at the government and the corrupt.

He claimed that PSA, PNP, and TESDA were problematic. He said the government was just pocketing the people’s money that was meant for protecting cybersecurity systems, and that he was fighting for a cause.

The individual using the handle DiabloX then claimed that he would no longer be available for interviews.

On the morning of Oct. 17, the same individual resurfaced and released a public video of himself on X (formerly known as Twitter), speaking behind a Guy Fawkes mask popularized by the movie V for Vendetta and Anonymous hacker groups. In the video, he showed images of government agencies and screenshots of purported data that was obtained.

He stated that he was begging for forgiveness from all the individuals affected by the data he leaked, and also from the owner of the Gmail account that he hacked and used to leak the PSA data.

He claimed to have no ill intentions with the data he held. He claimed that his hacking of government websites was simply his passion and that no one else pushed him to do this.

He reiterated that he used OSINT methods and manual examination of directories of subdomains to detect their security measures. He stressed that he had no intention to sell the data he held and that he assured the public that he would delete the data.

He stated that after this incident, there would no longer be a DiabloX that would live on in cyberspace, and that he was signing off to live a peaceful life. He again stated that he wished that the government would give cybersecurity proper attention and importance.

His final words were to ask for forgiveness once more.

