{
	"id": "3a585fb6-e268-4c73-bcdd-bc69aed6c9b8",
	"created_at": "2026-04-09T02:22:44.534275Z",
	"updated_at": "2026-04-10T03:29:39.80507Z",
	"deleted_at": null,
	"sha1_hash": "226f6210c953e5fab3c0918ba2c7cd175fb124d1",
	"title": "Exclusive: Advarra hacked, threat actors threatening to leak data (1) - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 380629,
	"plain_text": "Exclusive: Advarra hacked, threat actors threatening to leak data\r\n(1) - DataBreaches.Net\r\nPublished: 2023-11-01 · Archived: 2026-04-09 02:14:40 UTC\r\nAdvarra describes itself as providing integrated solutions to safeguard trial participants, empowering clinical sites,\r\nensuring compliance, and optimizing research performance for thousands of sponsors, contract research\r\norganizations, institutions, academic medical centers, and research consortia that it services.\r\nOn or about October 25, Advarra was hacked and data was exfiltrated.  According to one of the people involved in\r\nthe attack, the executives knew about the breach on October 25 but would not pay or even negotiate with them.\r\nDataBreaches reached out to Advarra via its website to inquire about the attackers’ claims. Getting no reply from\r\nthem at the time, DataBreaches then reached out to one of their clients to try to verify whether some research\r\nparticipant records provided to this site were real. Within minutes of leaving Diablo Clinical Research a voicemail\r\nabout a possible breach involving their clinical research data, DataBreaches received a call from Lori Vitti, their\r\nDirector of Finance and Administration. DataBreaches read her a patient’s name, diagnoses and medications, the\r\nnumber of records in the database, and the participant’s study ID number. Ms Vitti immediately recognized the\r\ninformation and said that the data had to have come from Advarra or one other entity. 
DataBreaches then told her\r\nit had been provided to DataBreaches and described as being exfiltrated from Advarra.\r\nDiablo followed up on their prompt response by reportedly reaching out to Advarra and then contacting\r\nDataBreaches again today.\r\nIn the interim, hearing about Diablo’s quick and forthright incident response, the threat actors turned over the data\r\nthey had exfiltrated concerning Diablo to DataBreaches, agreed not to leak it publicly, and said they would destroy\r\ntheir own copy of it. DataBreaches transmitted the data to Diablo this morning and the threat actors stated that\r\nthey had deleted their copy.\r\nOther Advarra clients and Advarra’s employees are not faring as well, it seems. Yesterday, the threat actors listed\r\nthe incident on AlphV.\r\nIn their listing, reproduced below with redactions by DataBreaches, they claim to have acquired over 120GB+ of\r\nconfidential data belonging to customers, patients, and current and former employees.\r\nhttps://www.databreaches.net/exclusive-advarra-hacked-threat-actors-threatening-to-leak-data/\r\nPage 1 of 5\n\nImage: DataBreaches.net\r\nOf note, the listing, which included a note written in Hebrew, claims that Advarra called the threat actors “digital\r\nterrorists” and one of the executives told them to “fuck off.”  No data was leaked with the posting, but the threat to\r\nleak was posted if the company didn’t reach out.\r\nThe use of the word “terrorists” seemed significant to the threat actors, who informed DataBreaches that they were\r\nconcerned that the company might wrongly believe that they were on some OFAC-sanctioned list and therefore\r\ncould not be paid.  The Hebrew statement at the end of the listing machine translates to, “A company that has\r\nprofited greatly from vaccine development. They don’t pay digital terrorists.\r\nWe are not terrorists, which is why the majority pays us. 
We are also not tied to any sanctions.”\r\nAdvarra Responds\r\nDataBreaches has since been contacted by Advarra and those involved in the investigation. Advarra sent the\r\nfollowing statement:\r\n“An Advarra colleague was the victim of a compromise of their phone number. The intruder used this to\r\naccess some of the employee’s accounts, including LinkedIn, as well as their work account.\r\nWe have taken containment actions to prevent further access and are investigating with third-party\r\ncyber experts. We also notified federal law enforcement. At this time we believe the matter is contained.\r\nWe further believe that the intruder never had access to our clients’ or partners’ systems and it is safe to\r\nconnect to Advarra’s systems. Importantly, we have no evidence that the Advarra systems and products\r\nthat clients use to interface with us were compromised or accessed. At this time, our business operations\r\nhave not been disrupted as a result of this activity and we continue to operate as normal. In addition, we\r\ncontinue to take steps to enhance the overall security of our systems in line with industry best practices.\r\nOur investigation remains ongoing, and we will provide additional updates as appropriate.”\r\nAccording to the threat actors, they gained access to Advarra by initially phishing an executive’s personal email\r\naccount. When asked about Advarra’s statement to DataBreaches, the threat actors’ spokesperson responded:\r\nWe’re not sure what the company means by the compromise of a phone number, but we believe this\r\nhas to do with some spoof calls made to Advarra leadership, prior to the phish taking place. Of course, a\r\nwholly inaccurate statement from a company that enriched themselves during the pandemic. As you can\r\nsee, there is no mention of employee data being taken too, in their statement. 
To set the record straight,\r\nthe employee was compromised after her personal email was phished, leading us to place a cred-stealer in her personal OneDrive. As her PC was actively syncing the contents of the OneDrive, she was\r\ninfected. Because she had also backed up her Authenticator to the cloud, we were able to bypass MFA.\r\nWe then leveraged this to access her work account and work files, present on her device. Stay tuned for\r\nthe leak of this data if no payment is made within 48 hours.\r\nThe threat actors would also explain that they spoofed the employee’s phone number when they later\r\nsent out messages to family and colleagues.\r\nPart of an employee roster exfiltrated by the threat actors included employee names, last four digits\r\nof SSN, their email address at work, their alternate (personal) email address, their employee\r\nnumber, hire date, and termination date. Image redaction: DataBreaches.net\r\nPerhaps one of the most disturbing aspects of this incident is the ugly actions involving one employee who they\r\nallege told them to “go fuck yourself.”  In response to that, and to the alleged message on the server calling them\r\n“digital terrorists” who would never be paid, the threat actors went personal and started contacting the employee’s\r\nfamily members, including their child, with sensitive content.\r\nBut did an employee really interact with them? An individual close to the matter denied that the messages posted\r\non the dark web by the threat actor came from an Advarra employee. 
The employee whose phone number was\r\ncompromised has not communicated with the threat actor responsible for this incident, they told DataBreaches.\r\nThey also denied that Advarra referred to the threat actor as digital terrorists.\r\nWhen told of the denials, the threat actors repeated their claim that the employee did communicate with them and\r\nreiterated their claim that Advarra’s data will be leaked in 48 hours if they are not paid.\r\nUpdated November 2:  A copy of Advarra’s notice to clients appears below.  DataBreaches notes that they assert\r\nthe employee’s phone was compromised by sim-swapping, which is a different explanation than the threat actors\r\nclaimed to DataBreaches.\r\nDiablo Clinical Practice declined to provide any statement for this report. They are reportedly “not concerned”\r\nafter speaking with Advarra, whatever that means.\r\nSource: https://www.databreaches.net/exclusive-advarra-hacked-threat-actors-threatening-to-leak-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.databreaches.net/exclusive-advarra-hacked-threat-actors-threatening-to-leak-data/"
	],
	"report_names": [
		"exclusive-advarra-hacked-threat-actors-threatening-to-leak-data"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775701364,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/226f6210c953e5fab3c0918ba2c7cd175fb124d1.pdf",
		"text": "https://archive.orkl.eu/226f6210c953e5fab3c0918ba2c7cd175fb124d1.txt",
		"img": "https://archive.orkl.eu/226f6210c953e5fab3c0918ba2c7cd175fb124d1.jpg"
	}
}