{
	"id": "2916fce6-c01f-43a6-8a8d-9198fc8e38df",
	"created_at": "2026-04-06T00:22:08.276382Z",
	"updated_at": "2026-04-10T03:28:17.455808Z",
	"deleted_at": null,
	"sha1_hash": "1e51f426f0221326d091b97ff62446ee41ebeffc",
	"title": "Dark Web Profile: SiegedSec",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78907,
	"plain_text": "Dark Web Profile: SiegedSec\r\nPublished: 2023-10-18 · Archived: 2026-04-05 13:56:07 UTC\r\n[Update] July 11, 2024: “SiegedSec Disbands”\r\nIn the ever-changing digital landscape, new cyber adversaries continuously emerge. One of the latest entrants in this arena is SiegedSec, an emergent cyber threat group that gained momentum during Russia’s invasion of Ukraine. Positioning themselves as masters of data leaks, they have expanded their reach, targeting many sectors across the globe. This article seeks to demystify SiegedSec, offering insights into their attack methodologies, instruments, victims, and most recent activities, while also offering advice on how businesses can fortify their defenses against such cyber onslaughts.\r\nSiegedSec Threat Actor Profile card\r\nWho is SiegedSec?\r\nSiegedSec is a hacktivist group that appeared, coincidentally, days before Russia’s invasion of Ukraine. Under the leadership of a hacktivist known as “YourAnonWolf”, the group has swiftly grown in capability, announcing an increasing number of victims since it appeared.\r\nThe group identifies itself as “gay furry hackers” and is known for its comical slogans and vulgar language. It has connections with other hacker groups such as GhostSec, and its members are probably between 18 and 26 years old.\r\nThe group created its Telegram channel on April 3, 2022, which can be taken as the date of its first appearance.\r\nThe group also has a chat channel where, apart from attacks, a lot of casual conversation and sexual jokes take place:\r\nFig. 1. Telegram chat channel of SiegedSec\r\nThe last thing that caught our eye was the group’s Twitter account, which was repeatedly suspended:\r\nFig. 2. Twitter page of SiegedSec\r\nWe see that the Twitter page of SiegedSec has been inactive for a long time; we think this is because the account is frequently suspended.\r\nFig. 3. Some of SiegedSec’s Telegram posts complaining about their Twitter accounts being suspended\r\nThe founder/administrator of the group is “YourAnonWolf”. When we look at the chat channel, we see that this user is currently managing the group under the nickname vio.\r\nhttps://socradar.io/threat-actor-profile-siegedsec/\r\nPage 1 of 5\n\nWe have seen posts about vio leaving the group at various times, but we don’t know which user was running the group when vio left.\r\nFig. 4. One of vio’s messages leaving SiegedSec\r\nHow does SiegedSec attack?\r\nSiegedSec’s attacks include:\r\nDefacement and compromise of websites,\r\nLeaking sensitive information,\r\nGaining unauthorized access to databases and emails.\r\nFig. 5. A database leak post made by a member of the group on BreachForum (Source: SOCRadar)\r\nTheir attacks often include juvenile and crude language and graphics. Based on some of the group’s posts, the group says that the attacks are for fun.\r\nFig. 6. An example of an attack announcement made by the group\r\nSiegedSec’s attacks are primarily carried out using basic SQL injection and Cross-Site Scripting (XSS) attacks. The group’s technical prowess has been compared to LulzSec, a high-profile cyber threat group from the early 2010s.\r\nWhat are the targets of SiegedSec?\r\nSectors\r\nThey have targeted companies across diverse industry sectors, including healthcare, IT, insurance, legal, and finance.\r\nTaking recent events such as the NATO incident into account, it is observed that the group mostly attacks the sector called “Public Administration”, in other words, government organizations.\r\nFig. 7. Distribution of industries in which companies are affected by SiegedSec (Source: SOCRadar)\r\nCountries\r\nSiegedSec has successfully targeted companies across various industries and locations, including India, Indonesia, South Africa, USA, Philippines, Mexico, and others. They have leaked data from at least 30 different companies since their start in February 2022, showing no preference for industries or locations.\r\nFig. 8. Countries Affected by SiegedSec (Source: SOCRadar)\r\nChecking the countries where the organizations they attacked are located, the largest share (about 32%) are organizations located in the United States.\r\nFig. 9. Affected country distribution from SiegedSec (Source: SOCRadar)\r\nIs there any relation between SiegedSec and other groups?\r\nLooking at some of the group’s posts, it seems that they have a friendly relationship with GhostSec, another hacktivist group.\r\nFig. 10. SiegedSec’s announcement that they will assist GhostSec’s “Operation Iran” activity\r\nAt the same time, in SiegedSec’s chat group we see a user who manages GhostSec’s Telegram channel, and in the profile information of SiegedSec’s administrator vio we see that vio is a GhostSec member.\r\nFig. 11. GhostSec420, a member of the SiegedSec Chat group and Founder of GhostSec\r\nWhat are the latest activities of SiegedSec?\r\nIn recent months, SiegedSec has claimed to have defaced over 100 domains and leaked significant volumes of stolen data from compromised networks.\r\nAtlassian\r\nOn February 15, 2023, one day after Valentine’s Day, SiegedSec shared a post with a Valentine’s Day reference and Atlassian data with employee information.\r\nFig. 12. SiegedSec’s Telegram post about Atlassian\r\nNewsVoir\r\nIn late May, they targeted an India-based online news distribution outlet, NewsVoir, leaking extensive documents and data.\r\nThey have also hinted at a possible interest in financial compensation for their campaigns. Communication between them and WebGuruz Technologies shows that the possibility of SiegedSec turning into a data extortion team, such as Karakurt, is increasing.\r\nFig. 13. Chat between SiegedSec’s admin vio and WebGuruz Technologies LTD\r\nCommunities of Interest (COI)\r\nNATO is actively investigating a claim by the hacking group SiegedSec regarding an alleged data theft from the Communities of Interest (COI) Cooperation Portal, an unclassified platform for NATO members. SiegedSec posted what they claim to be hundreds of documents stolen from the portal on Telegram, including 845 MB of files and 8,000 rows of sensitive user information. The leak, if confirmed, could impact 31 NATO member nations.\r\nFig. 14. Communities of Interest data leak post of SiegedSec\r\nUS Government Websites\r\nIn late June, SiegedSec claimed cyberattacks on five state-run websites, including those related to Nebraska’s Supreme Court, South Dakota’s Boards and Commissions, Texas’s Behavioral Health Executive Council, Pennsylvania’s Provider Self-Service, and South Carolina’s Criminal Justice Information Services (CJIS). Photos of the defaced websites and allegedly stolen data were shared by the group.\r\nFig. 15. SiegedSec’s Telegram post about breached US Government websites\r\nBreaches of ONAC, First Credit and Investment Bank\r\nOn August 18, SiegedSec claimed responsibility for breaches against Romania’s National Office for Centralized Procurement (ONAC) and First Credit and Investment Bank, mentioning an associate of another threat actor, 6ix, as contributing to the latter attack.\r\nFig. 16. ONAC, First Credit and Investment Bank post of SiegedSec\r\nFig. 17. All resources related to the group or its mentions can be found in the Threat Hunting module of SOCRadar XTI (Source: SOCRadar)\r\nConclusion\r\nSiegedSec is a rising threat in the cyber landscape, with the potential to evolve into a high-consequence cyber threat. Their activities, though currently small-scale, indicate the involvement of advanced cyber hacktivists. The similarities between SiegedSec and other notorious hacking groups are noteworthy; in conclusion, their progression should be closely monitored.\r\nSiegedSec Disbands\r\nIn a recent event, the notorious hacking group SiegedSec announced its disbandment. The announcement was made through a Telegram post, where the group cited reasons such as mental health, the stress of mass publicity, and the desire to avoid legal scrutiny as driving factors behind their decision.\r\nSiegedSec’s latest Telegram post\r\nSecurity recommendations against SiegedSec\r\nAs far as we know, the group performs SQL injection and XSS attacks, and in some research we found information that they use automated scanning tools. It is therefore vital to carefully inventory and monitor the ports and assets exposed to the outside.\r\nWith these in mind, we can list the security measures as follows:\r\nRegularly update security measures: Ensure that all systems are up-to-date with the latest security patches to prevent vulnerabilities that SiegedSec might exploit.\r\nMonitor for Unusual Activities: Keep an eye on network activities and look for any signs of unauthorized access or suspicious behavior.\r\nEducate Employees: Train staff to recognize phishing attempts and other malicious activities that could lead to a breach.\r\nImplement Strong Authentication: Utilize multi-factor authentication to add an extra layer of security.\r\nCollaborate with Cybersecurity Experts: Engage with cybersecurity professionals to assess and strengthen the organization’s security posture.\r\nPenetration Testing Emphasis: It is crucial to emphasize the importance of regular penetration testing. By identifying vulnerabilities in your system through penetration tests (also known as pentests), you can patch them before they are exploited.\r\nRate Limiting: If the SiegedSec group is utilizing automation for their attacks, it is advisable to set up rate limits. Implementing rate limits will help prevent high-volume requests, effectively thwarting automated brute-force or DDoS-type attacks.\r\nBy understanding SiegedSec’s methods and targets, organizations can take proactive measures to protect themselves against this emerging threat.\r\nMITRE ATT\u0026CK TTPs of SiegedSec\r\nTactic | Technique | ID\r\nReconnaissance | Active Scanning | T1595\r\nInitial Access | Exploit Public-Facing Application | T1190\r\nInitial Access | Drive-by Compromise | T1189\r\nCollection | Archive Collected Data: Archive via Utility | T1560.001\r\nExfiltration | Exfiltration Over Web Service | T1567\r\nSource: https://socradar.io/threat-actor-profile-siegedsec/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socradar.io/threat-actor-profile-siegedsec/"
	],
	"report_names": [
		"threat-actor-profile-siegedsec"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "93b7776d-9b37-496d-94a5-30bc36fd8800",
			"created_at": "2023-11-07T02:00:07.10019Z",
			"updated_at": "2026-04-10T02:00:03.407781Z",
			"deleted_at": null,
			"main_name": "GhostSec",
			"aliases": [
				"Ghost Security"
			],
			"source_name": "MISPGALAXY:GhostSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c29ed071-678d-4023-a954-7138fb534056",
			"created_at": "2023-11-05T02:00:08.079228Z",
			"updated_at": "2026-04-10T02:00:03.39948Z",
			"deleted_at": null,
			"main_name": "SiegedSec",
			"aliases": [],
			"source_name": "MISPGALAXY:SiegedSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434928,
	"ts_updated_at": 1775791697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e51f426f0221326d091b97ff62446ee41ebeffc.pdf",
		"text": "https://archive.orkl.eu/1e51f426f0221326d091b97ff62446ee41ebeffc.txt",
		"img": "https://archive.orkl.eu/1e51f426f0221326d091b97ff62446ee41ebeffc.jpg"
	}
}