{
	"id": "7f7ca6e9-cc15-435d-bfad-9027f97bd795",
	"created_at": "2026-04-11T02:23:51.126171Z",
	"updated_at": "2026-04-11T02:24:15.508326Z",
	"deleted_at": null,
	"sha1_hash": "90a661fbe59daf925385c643b13e33b8c48bcc25",
	"title": "Today's insider threat: Ardyss edition - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 323167,
	"plain_text": "Today's insider threat: Ardyss edition - DataBreaches.Net\r\nPublished: 2024-12-24 · Archived: 2026-04-11 02:13:43 UTC\r\nHere’s today’s reminder of the insider threat. And also the external threat. Consider it a pre-holiday twofer.\r\nDataBreaches was contacted yesterday by “0mid16B,” the same individual who was responsible for previously\r\nhacking The1 Card, Thailand’s most popular loyalty program. In their latest contact, they claim to have\r\nsuccessfully attacked Ardyss[.]com and ArdyssLife[.]com, telling DataBreaches, “In December 2024, we breached\r\nand stole 596 GB of data from United States ArdyssLife[.]com and Ardyss[.]com server network. Ardyss\r\nInternational is a United States MLM company with annual revenue of \u003e $958M.”\r\nAs proof of claims, 0mid16B provided DataBreaches with screenshots alleged to be from negotiation chats and a\r\n.csv file with basic information on 10,000 customers such as customer’s first and last name, the name of their\r\nfirm, postal address, and phone number. Because fields were not labeled in this sample, it was not clear what some\r\nof the data referred to, but a Google search of a few customer records was quickly able to verify that customer\r\nnames and firms that appeared in the .csv file could be found at the addresses listed in the .csv file.\r\nIn follow-up communications with DataBreaches, 0mid16B stated that although they would not reveal exactly how\r\nthey gained access to Ardyss, they used two vulnerabilities on their server. The firm’s IT staff reportedly detected\r\nthe intrusion approximately one month after initial access was gained. “They managed to remove persistent access\r\ntwice,” 0mid16B stated. “I waited 2 to 3 days each time to regain access during the time window when they were\r\nlikely to be asleep.”\r\n0mid16B tells DataBreaches that they did not encrypt any files but deleted all files and databases — including the\r\nfirm’s backup server. 
“But due to permissions issues, I was not able to remove their shadow copies, and they\r\nrecovered their files and data.”\r\nThe company’s owners and executives reportedly never responded to 0mid16B’s demands or attempts to\r\nnegotiate. As a consequence, their data has been offered for sale, with 0mid16B claiming to have 1,172,220\r\ncustomer records.\r\nhttps://databreaches.net/2024/12/24/todays-insider-threat-ardyss-edition/\r\nPage 1 of 4\n\nForum listing describes stolen data and provides sample. Image: DataBreaches.net\r\nWhile 0mid16B was the external threat actor, Ardyss may have a serious insider threat problem too. According to\r\nthe chat log screenshots provided to DataBreaches, an employee who logged in to the chat as “Gerardo V” was\r\nnot an executive or negotiator for Ardyss. By his own statements to 0mid16B, he was an employee in Mexico who\r\nhad seen 0mid16B’s email to the company executives and wanted to learn what was going on. When asked\r\nwhether the company knew he was in the chat and whether he was representing them, he stated that the executives\r\ndid not know he was there, and the family owners of the business were taking advice from their own advisors\r\nwhile IT was busy just setting up another server to replace the one compromised by 0mid16B.\r\nUnderstandably confused, 0mid16B asked how this chat could possibly help the family owners at all if they had\r\nno idea what the hacker’s demands were and they weren’t being informed by Gerardo.\r\nThat’s when the chat seems to have taken an unexpected turn. Gerardo declared that he was not trying to help the\r\nfamily owners at all and that, having googled 0mid16B, he just wanted to know the hacker’s objectives. When\r\n0mid16B stated that the objective was purely financial and that if the owners didn’t respond, they would release\r\nthe data, notify U.S. 
regulators, and notify customers, Gerardo declared that they were on the same page, changed\r\nhis display name in the chat to “GOD OF SALES,” and asked how he and his supervisor (who was reportedly\r\nsitting next to him reading the chat) could get in on the payout.\r\n“How can we get in the payout?” employee Gerardo V. aka “GOD OF SALES” asks. Image:\r\nProvided.\r\n0mid16B responded by asking what the self-proclaimed sales representative could do to influence the decision-makers, at which point, “GOD OF SALES” said they could get 0mid16B the impact they needed, but first the\r\nhackers would have to pay him $15k USD. For that, he said, he could give the hackers really sensitive information\r\non the company as well as other companies in Mexico.\r\nBy now, Gerardo V had changed his display name again, this time to provide a username@matrix.org.\r\nNo deal was made between the hacker and GOD OF SALES, with 0mid16B eventually telling him, “mate, pack\r\nyour stuff and run,” because the owners had allegedly responded and wanted to know who in the company was\r\ntrying to blackmail them. “So should I pay you 15k or should i tell them and maybe start a negotiation? let me\r\nknow,” 0mid16B wrote.\r\nThe employee asks the hackers for $15K USD, for which he will provide sensitive info on the\r\ncompany. Image: Provided. 
\r\n0mid16B tells DataBreaches that he never heard from Gerardo V or his supervisor again.\r\nThere are at least two possible explanations, assuming (for now) that the screenshots are real: the employee was\r\ntrying to cut himself into a deal to extort his employer or he was trying to scam the hackers and had no intention\r\nof really helping them or helping the employer.\r\nEither way, this employee appears to be a potentially serious threat to the security of the company and its\r\ncustomers.\r\nThe Company’s Response\r\nDataBreaches emailed three executives of the firm yesterday to ask about both the breach and the alleged conduct\r\nof the employee.\r\nThere have been no replies, so there has been no confirmation of the breach by the firm. Neither has there been\r\nany confirmation or dispute that an employee engaged in behavior that appears problematic, at best.\r\nThis post will be updated if the company responds.\r\nSource: https://databreaches.net/2024/12/24/todays-insider-threat-ardyss-edition/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://databreaches.net/2024/12/24/todays-insider-threat-ardyss-edition/"
	],
	"report_names": [
		"todays-insider-threat-ardyss-edition"
	],
	"threat_actors": [],
	"ts_created_at": 1775874231,
	"ts_updated_at": 1775874255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90a661fbe59daf925385c643b13e33b8c48bcc25.pdf",
		"text": "https://archive.orkl.eu/90a661fbe59daf925385c643b13e33b8c48bcc25.txt",
		"img": "https://archive.orkl.eu/90a661fbe59daf925385c643b13e33b8c48bcc25.jpg"
	}
}