{
	"id": "e92a72f4-c8a0-47da-99d6-d980afebe167",
	"created_at": "2026-04-06T00:19:54.872581Z",
	"updated_at": "2026-04-10T03:28:46.822311Z",
	"deleted_at": null,
	"sha1_hash": "47ca4723238b63741093fa0ac10b325fc324e488",
	"title": "Dark Web Cyber Group Spotlight: SiegedSec",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 108094,
	"plain_text": "Dark Web Cyber Group Spotlight: SiegedSec\r\nBy DarkOwl Analyst Team\r\nPublished: 2022-06-15 · Archived: 2026-04-05 16:26:39 UTC\r\nThe new criminal gang specializes in leaked data and digital defacement\r\nJune 27, 2022\r\nRead the latest on SiegedSec’s activity relating to the Roe v. Wade overturn in our developing blog, “Darknet\r\nEconomy Surges Around Abortion Rights.”\r\nJune 15, 2022\r\nDarkOwl analysts regularly follow “darknet threat actors” that openly discuss cyberattacks and disseminate\r\nstolen critical corporate and personal data. Such analysis helps DarkOwl’s collection team direct crawlers and\r\ntechnical resources to potentially actionable and high-value content for the Vision platform and its clients.\r\nSiegedSec: A New Cyber Threat Actor Group\r\nSince Russia’s invasion of Ukraine and the subsequent, first-ever global cyberwar, several new offensive cyber\r\ncells have surfaced. Many of the groups have a strictly hacktivist mission – knocking commercial and government\r\norganizations across Russia offline – while other groups piggyback on the collective energy of widespread\r\noffensive cyber operations to successfully fulfill more sinister cybercriminal or purely selfish objectives for\r\npersonal gain.\r\nOne new cyber cell, appearing coincidently days before the invasion, has named its operation under the SiegedSec\r\nand adopted variations of the tagline, “sieging their victim’s security.”  The group, led by a renowned hacktivist\r\nusing the moniker YourAnonWolf, has quickly progressed in lethality by increasing the group’s volume of victims\r\nannounced in recent months.\r\nDefaced and Leaked Data\r\nQuick takeaways:\r\nSince their formation in late February 2022, DarkOwl analysts have observed SiegedSec provide proof of\r\nthe defacement and/or compromise of at least 11 websites with rather juvenile and crude language and\r\ngraphics included in the defacements.\r\nIn April, the group claimed they had successfully 
defaced over 100+ domains, offering proof of a hosting\r\nchat dialogue indicating the account passwords had been changed and the defacements corrected, but the\r\ngroup hinted they still had access to the domains.\r\nhttps://www.darkowl.com/blog-content/darkowl-threat-actor-spotlight-siegedsec-and-leaked-data/\r\nPage 1 of 6\n\nDarkOwl analysts also discovered several thousand compromised LinkedIn profiles with references to\r\nSiegedSec.\r\nThere is evidence that the group has gained access to sensitive information and leaked emails or leaked databases\r\nfrom at least 30 different companies since their start in February. However, hardly any of the companies\r\nannounced have released public notice of cybersecurity incidents since many are smaller businesses or located in\r\nnon-English speaking parts of the world. The group shows no preference for the industries or locations of its\r\nvictims. They have successfully targeted companies across numerous diverse industry sectors around the globe\r\nincluding healthcare, information technology, insurance, legal, and finance. We’ve witnessed victims announced\r\nfrom India, Pakistan, Indonesia, South Africa, USA, Philippines, Costa Rica, Mexico, and others.\r\nIn early April, the group’s spokesperson, YourAnonWolf, appeared on the popular discussion forum, Breached\r\nForums, leaking databases, documents, and emails containing 17 different organizations’ data including usernames,\r\nemail addresses, and hashed passwords.\r\nThe extent of damage caused by cyberattacks conducted by SiegedSec is unknown and many of them have not\r\nbeen mentioned by public news media sources. 
However, the leaked data shared on their Telegram channel and on\r\ndeep web forums like Breached could easily be employed by other threat actors to gain access to companies,\r\nindividuals, and networks by leveraging the private corporate and personal information posted.\r\nIntentions, Motivations, and Shenanigans\r\nAs we mentioned earlier, the defacements observed by the group appear to include vulgar language with\r\nreferences to “d*cks and c*mdogs.” The group’s Telegram channel and social media accounts include posts from\r\nthe members that self-identify as “gay furries” with downright comical slogans like “TEH LULZ CONTINUES!”,\r\n“uwu gay furries pwn you”, and “HACK THE PLANET.” Their avatar includes the letters “$ UWU” – imitating a\r\nLinux terminal prompt; the “uwu” letters denote “overwhelmed with cuteness” and are common in the online furry\r\nsubculture, which anthropomorphizes animals with human personalities.\r\nThe group has leaked a significant volume of stolen data from compromised networks, but there is no indication\r\nthe group uses ransomware or has attempted to sell the stolen data. According to the themes of their social media\r\nposts, and the “furry-centric” brand they’ve embodied, the group appears to be motivated by the sheer fun of the\r\nexperience and the potential clout gained by publicly mocking organizations with insufficient information security\r\ncontrols.\r\nIn late May, the group announced they had successfully targeted an India-based online news distribution outlet,\r\ncalled NewsVoir. Shortly after the attack they leaked an archive containing 27GB of documents exfiltrated from\r\nthe organization’s servers, and another archive of hundreds of gigabytes in size consisting of source code and API\r\ndata on the servers. 
Last week, the group claimed on their Telegram channel that the media outlet’s website provider,\r\nWebGuruz, contacted them directly, and the group leaked a screenshot reportedly from their chat directly with a\r\nWebGuruz representative. In the chat transcript, “Wolf” (YourAnonWolf) intimates their efforts are not all simply\r\nfun, games, and ‘lulz’, but they are possibly interested in financial compensation for their campaigns.\r\nSiegedSec Members \u0026 Connections with Other “Hacker” Groups\r\nSiegedSec’s Telegram group has limited membership and activity. We discovered a Keybase “team account” that\r\nclaims the group has 7 active members.\r\nYourAnonWolf – a self-declared “corn god and furry” – is the most prominent and vocal member of the group with\r\nthe longest darknet history of its public members. Another possible member of SiegedSec is cialulz who describes\r\nthemselves as a “15-year-old, Security Researcher \u0026 Privacy Advocate. Just an anthropomorphic frog with a thing\r\nfor computers” and openly uses the #SiegedSec hashtag in their social media profiles. Cialulz is also named as\r\naffiliated with other cyber cells in historical deep web documents in Vision, including the “OSAMA SEC\r\nMEMBERS LIST” from 2021 and mentioned in official rosters for GoonSquad (a.k.a. #WeAreTheGoons) which\r\napparently was quite active carrying out campaigns in 2017. (Source: DarkOwl Vision)\r\nAnother moniker mentioned in coordination with SiegedSec is “Sryakarad”, often shortened to “Sry” in darknet\r\nchatter. 
Sryakarad was mentioned specifically as a key contributor to SiegedSec when the group leaked data from\r\nanother online media firm they compromised in Pakistan, e-paper.pakistan.\r\nIn addition to YourAnonWolf, cialulz, and Sry, other SiegedSec members possibly include echowo (EchoNull7),\r\nmkht1, Trav (trav0x90), and webvuln (r00tsauce), although there are preliminary indications that some of these\r\naliases might be alternative accounts for YourAnonWolf or cialulz.\r\nThe group also appears to have close associations with GhostSec, a prominent hacking group with an extensive\r\ndarknet history that has become increasingly popular for their attacks against Russia in the cyberwar. Social\r\nmedia accounts affiliated with SiegedSec and its members often re-share announcements of attacks conducted by\r\nGhostSec. DarkOwl also noted overlap in the membership of the groups’ Telegram channels.\r\nOn Breached Forums, YourAnonWolf publicly declared that they are a member of both GhostSec and SiegedSec.\r\nYourAnonWolf has been historically active conducting campaigns with Anonymous and GhostSec targeting unjust\r\ngovernments and countries known for human rights abuses. They also claim to have been previously affiliated\r\nwith other groups including: HackersGhost25, AxoSec and BreachSec. The status of these other cyber cells is\r\nunclear.\r\nA document shared on Pastebin in early June confirmed the aliases of the possible members identified above, but\r\nalso criticizes the technical prowess of the group, claiming most of their attacks are basic SQL injection and cross-site scripting (XSS) attacks. 
The paste compared SiegedSec to Lulzsec, a high-profile cyber threat group in the\r\nearly 2010s who similarly initially claimed to have conducted their attacks simply for the “lulz” or laughs, and\r\noften mocked their victims for the security flaws they uncovered. The Lulzsec group was comprised of four young British hackers who infamously successfully targeted the CIA, PBS, Westboro Baptist Church, and Sony\r\ngaining significant digital notoriety and infamy.\r\nThe group’s members, ranging in age between 18 and 26 years old, were all sentenced in 2013 between 20 and 32\r\nmonths for violation of the UK’s Computer Misuse Act in conjunction with the cyber campaigns they conducted.\r\nSome of its members were banned from the Internet for upwards of two years and spent time in the Young\r\nOffender’s Institute to be reformed.\r\nAn anonymous response to the paste was uploaded to Pastebin a few days later addressing each of the statements\r\ndirectly, especially those which minimized the skills of the group’s members. In response to criticism for using
In response to criticism for using\r\nautomated scanners, the author stated automated tools have a purpose and not only “skids” use them, even though\r\nthe original post did not publicly call SiedgedSec “skids.” The response paste was signed –Unknown (Source:\r\nDarkOwl Vision)\r\nhttps://www.darkowl.com/blog-content/darkowl-threat-actor-spotlight-siegedsec-and-leaked-data/\r\nPage 5 of 6\n\nFinal Thought From Our Analysts\r\nAlthough they are presently a fairly small-scale operation flying under the radar with little to no reporting by the\r\ngreater global information security community, the data discovered during our analysis and contained in the leaks\r\nfrom their victims indicate that there are advanced cyber hacktivists involved in the group’s operations.\r\nThe similarities between Lulzsec, LAPSUS$, and the new group, SiegedSec are noteworthy – as SiegedSec’s\r\nleader, YourAnonWolf uses similar popular hacking culture phrases that LulzSec’s member, Topiary used. History,\r\nregardless of real life or virtual events, tends to repeat itself.\r\nDarkOwl assesses that SiegedSec has the potential to evolve into a high-consequential cyber threat, especially if\r\nthe group starts demanding extortion payments in conjunction with their attacks.\r\nCurious about something you read? Interested in learning more? Contact us to find out how darknet data\r\ncan shine a light on leaked data.\r\nSource: https://www.darkowl.com/blog-content/darkowl-threat-actor-spotlight-siegedsec-and-leaked-data/\r\nhttps://www.darkowl.com/blog-content/darkowl-threat-actor-spotlight-siegedsec-and-leaked-data/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.darkowl.com/blog-content/darkowl-threat-actor-spotlight-siegedsec-and-leaked-data/"
	],
	"report_names": [
		"darkowl-threat-actor-spotlight-siegedsec-and-leaked-data"
	],
	"threat_actors": [
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "93b7776d-9b37-496d-94a5-30bc36fd8800",
			"created_at": "2023-11-07T02:00:07.10019Z",
			"updated_at": "2026-04-10T02:00:03.407781Z",
			"deleted_at": null,
			"main_name": "GhostSec",
			"aliases": [
				"Ghost Security"
			],
			"source_name": "MISPGALAXY:GhostSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c29ed071-678d-4023-a954-7138fb534056",
			"created_at": "2023-11-05T02:00:08.079228Z",
			"updated_at": "2026-04-10T02:00:03.39948Z",
			"deleted_at": null,
			"main_name": "SiegedSec",
			"aliases": [],
			"source_name": "MISPGALAXY:SiegedSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434794,
	"ts_updated_at": 1775791726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47ca4723238b63741093fa0ac10b325fc324e488.pdf",
		"text": "https://archive.orkl.eu/47ca4723238b63741093fa0ac10b325fc324e488.txt",
		"img": "https://archive.orkl.eu/47ca4723238b63741093fa0ac10b325fc324e488.jpg"
	}
}