{
	"id": "154d480f-9150-4767-9eaf-f65221633eda",
	"created_at": "2026-04-06T03:36:24.772862Z",
	"updated_at": "2026-04-10T13:12:32.118518Z",
	"deleted_at": null,
	"sha1_hash": "6c7bdaf8dc46ddb6a1e5bdcb512dfef9abf1d730",
	"title": "Migration policy org confirms cyberattack after extortion group touts theft",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 79167,
	"plain_text": "Migration policy org confirms cyberattack after extortion group\r\ntouts theft\r\nBy Jonathan Greig\r\nPublished: 2023-01-11 · Archived: 2026-04-06 03:11:16 UTC\r\nThe International Centre for Migration Policy Development (ICMPD) confirmed on Wednesday it suffered a\r\ncyberattack that led to a data breach. \r\nICMPD operates in 90 countries conducting research, projects and activities centered around migration. It\r\ncurrently has 19 member states — most of which are European — and has observer status at the United Nations. It\r\nworks with several UN and European agencies as well as states across Africa, Asia and South America.\r\nBernhard Schragl, communication coordinator for ICMPD, did not say when the attack took place but told The\r\nRecord that the attackers managed to gain “limited access” to individual servers that held data.\r\nICMPD set up a task force of internal and external IT experts who are currently investigating the incident. \r\n“Professional preparation as well as quick and decisive actions have prevented the attackers from inflicting\r\nadditional harm. In less than 45 minutes after detection, an emergency response team was established, all external\r\nnetwork connections were disconnected and all websites taken down to prevent the attack from spreading further,”\r\nSchragl said. \r\nThe organization is in the process of investigating what information was compromised, according to Schragl, who\r\nadded that they have reported the incident to law enforcement agencies. \r\nSchragl said ICMPD has either already informed or plans to inform any who had data that was affected by the\r\nattack about measures that need to be taken to protect themselves. \r\nThe attack on ICMPD was launched by the Karakurt extortion group, which boasted on Telegram of stealing\r\nfinancial documents, banking data and personal information. 
\r\nOn its leak site, the hacking group further explained that it stole 375 GB of data that included “correspondence on\r\ncontracts, scans of contracts, project budgets, financial and insurance documents, invoices, passports, mailboxes\r\nof key members of the organization and much more.”\r\nIn June, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Treasury Department released\r\nan alert about Karakurt, warning that the group was holding victim data for ransoms of $25,000 to $13 million in\r\nBitcoin. \r\n“Karakurt actors have typically provided screenshots or copies of stolen file directories as proof of stolen data.\r\nKarakurt actors have contacted victims’ employees, business partners, and clients with harassing emails and phone\r\ncalls to pressure the victims to cooperate,” the alert explained. \r\n“As of May 2022, the website contained several terabytes of data purported to belong to victims across North\r\nAmerica and Europe, along with several ‘press releases’ naming victims who had not paid or cooperated, and\r\ninstructions for participating in victim data ‘auctions,’” CISA added. \r\nThe agencies noted that Karakurt does not target specific industries or companies, often choosing victims based on\r\nease of access. \r\nThe group typically gains access to systems by either purchasing stolen login credentials or purchasing access to\r\nvictims who have been compromised by other cybercriminals. \r\nWith our partners @FBI, @USTreasury and FinCEN, @CISAgov issued a joint cybersecurity advisory\r\non #Karakurt data extortion group. 
Known ransom demands ranged from $25K to $13M in Bitcoin.\r\nMitigate your risk: https://t.co/gNiDbLsNJQ pic.twitter.com/0ft8mPediO\r\n— Jen Easterly (@CISAJen) June 1, 2022\r\nEmsisoft threat analyst Brett Callow previously told The Record that the group has been active since the middle of\r\n2021 and is believed to be a spin-off of the Conti ransomware group. \r\nSeveral other security companies — including Infinitum IT and Advanced Intelligence — have released reports\r\nthis year showing concrete ties between the infrastructure used by Conti and Karakurt. \r\nFollowing the release of troves of documents and chats related to Conti, security companies found numerous links\r\nbetween the two groups. \r\nAdvanced Intelligence said Karakurt is a side business of the group behind Conti, allowing them to monetize the\r\ndata stolen during attacks where organizations are able to block the ransomware encryption process. \r\nBlockchain analysis firm Chainalysis has also previously identified several cryptocurrency wallets controlled by\r\nKarakurt which sent funds to Conti. \r\nThe U.S. agencies confirmed much of what was reported by these security companies, highlighting that Karakurt\r\nhas attacked victims in the midst of ransomware incidents.\r\nIn several cases seen by CISA and the FBI, victims have gotten ransom notes from multiple ransomware variants\r\nsimultaneously, “suggesting Karakurt actors purchased access to a compromised system that was also sold to\r\nanother ransomware actor.”\r\nThe attack on ICMPD comes just a few months after hackers targeted the Red Cross. In January, the international\r\naid organization said it had been hacked in November by a group that stole data from a program called Restoring\r\nFamily Links, a web-based system used by Red Cross volunteers to reunite family members separated by conflict,\r\ndisaster, or migration.\r\nThe attack was so alarming to governments around the world that the U.S. 
State Department released a statement\r\ncalling the attack a “dangerous development” that had “real consequences.”\r\n“This cyber incident has harmed the global humanitarian network’s ability to locate missing people and reconnect\r\nfamilies,” officials said.  \r\n“This is why it is so vital that humanitarian data be respected and only used for intended purposes.”\r\nJonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/migration-policy-org-confirms-cyberattack-after-extortion-group-touts-theft/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/migration-policy-org-confirms-cyberattack-after-extortion-group-touts-theft/"
	],
	"report_names": [
		"migration-policy-org-confirms-cyberattack-after-extortion-group-touts-theft"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446584,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c7bdaf8dc46ddb6a1e5bdcb512dfef9abf1d730.pdf",
		"text": "https://archive.orkl.eu/6c7bdaf8dc46ddb6a1e5bdcb512dfef9abf1d730.txt",
		"img": "https://archive.orkl.eu/6c7bdaf8dc46ddb6a1e5bdcb512dfef9abf1d730.jpg"
	}
}