{
	"id": "ffab337c-ab98-44fb-ac1e-7729e04cbaf0",
	"created_at": "2026-04-06T00:19:15.913394Z",
	"updated_at": "2026-04-10T03:28:09.054823Z",
	"deleted_at": null,
	"sha1_hash": "4092950577adae7f3f59a3f860cc3b9d9a432c41",
	"title": "Hacktivist Entity USDoD Claims to Have Leaked CrowdStrike’s Threat Actor List",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48358,
	"plain_text": "Hacktivist Entity USDoD Claims to Have Leaked CrowdStrike’s\r\nThreat Actor List\r\nBy Counter Adversary Operations\r\nArchived: 2026-04-05 12:48:09 UTC\r\nThe threat intel data noted in this report is available to tens of thousands of customers, partners and prospects\r\n– and hundreds of thousands of users. Adversaries exploit current events for attention and gain. We remain\r\ncommitted to sharing data with the community.\r\nOn July 24, 2024, hacktivist entity USDoD claimed on English-language cybercrime forum BreachForums to have\r\nleaked CrowdStrike’s “entire threat actor list.”1 The actor also alleged that they had obtained CrowdStrike’s\r\n“entire IOC [indicators of compromise] list” and would release it “soon.” In the announcement, USDoD provided\r\na link to download the alleged threat actor list and provided a sample of data fields, likely in an effort to\r\nsubstantiate their claims.\r\nSample data acquired from the threat actor included a CSV file that contained fields for adversary aliases,\r\nadversary status, last active dates for each adversary, region/country of adversary origin, number of targeted\r\nindustries, number of targeted countries, actor type and motivation. In one example, the adversary alias field\r\ncontained the same aliases as the Falcon platform but listed in a different order.\r\nThe sample data contained data with “LastActive” dates until no later than June 2024; however, the Falcon\r\nportal’s last active dates for some of the referenced actors are as recent as July 2024, suggesting when the actor\r\npotentially obtained the information.\r\nUSDoD also claimed in their post to have “two big dbs from a oil company and a pharmacy industry (not from\r\nUSA)”. 
It was unclear whether the post was linking the claims to have breached an oil company and\r\npharmaceutical industry company with their alleged acquisition of CrowdStrike data.\r\nUSDoD Background\r\nUSDoD has previously exaggerated claims, likely in an attempt to enhance their reputation within both hacktivist\r\nand eCrime communities. For example, the actor has previously claimed to have conducted a hack-and-leak\r\noperation targeting a professional-networking platform, but industry sources refuted USDoD’s claims and asserted\r\nthe alleged leak was conducted via web scraping rather than via a targeted intrusion.2\r\nSince at least 2020, USDoD has conducted both hacktivism and financially motivated breaches, primarily using\r\nsocial-engineering tactics to access sensitive data. Over the last two years, the actor has focused on high-profile\r\ntargeted intrusion campaigns. Additionally, since January 2024, the threat actor has sought to diversify and expand\r\ntheir cyber activities from solely conducting cyber operations into administering eCrime forums.\r\n1 BreachForums ST Post ID: 781235\r\n2 https[:]//www.hackread[.]com/hacker-leaks-scraped-linkedin-user-records/\r\nSource: https://www.crowdstrike.com/en-us/blog/hacktivist-usdod-claims-to-have-leaked-threat-actor-list/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.crowdstrike.com/en-us/blog/hacktivist-usdod-claims-to-have-leaked-threat-actor-list/"
	],
	"report_names": [
		"hacktivist-usdod-claims-to-have-leaked-threat-actor-list"
	],
	"threat_actors": [
		{
			"id": "80edca9f-dcd6-491e-92f3-87ad1f575631",
			"created_at": "2023-10-14T02:03:14.694988Z",
			"updated_at": "2026-04-10T02:00:05.021046Z",
			"deleted_at": null,
			"main_name": "NetSec",
			"aliases": [
				"NetSec",
				"Operation Data Breach",
				"ScarFace_TheOne",
				"USDoD"
			],
			"source_name": "ETDA:NetSec",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "82a51997-1402-41c3-86df-6f9e522b2ba8",
			"created_at": "2024-04-27T02:00:03.554045Z",
			"updated_at": "2026-04-10T02:00:03.63698Z",
			"deleted_at": null,
			"main_name": "USDoD",
			"aliases": [],
			"source_name": "MISPGALAXY:USDoD",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434755,
	"ts_updated_at": 1775791689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4092950577adae7f3f59a3f860cc3b9d9a432c41.pdf",
		"text": "https://archive.orkl.eu/4092950577adae7f3f59a3f860cc3b9d9a432c41.txt",
		"img": "https://archive.orkl.eu/4092950577adae7f3f59a3f860cc3b9d9a432c41.jpg"
	}
}