{
	"id": "f3f8a2d6-40d3-4c41-b1e6-4c3142e8aa97",
	"created_at": "2026-04-06T00:13:07.82023Z",
	"updated_at": "2026-04-10T13:11:18.331387Z",
	"deleted_at": null,
	"sha1_hash": "91d30e706962e15067ba790c32f943a671066442",
	"title": "The Five Families: Hacker Collaboration Redefining the Game",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66115,
	"plain_text": "The Five Families: Hacker Collaboration Redefining the Game\r\nPublished: 2023-11-03 · Archived: 2026-04-02 11:16:57 UTC\r\nAt the end of the Summer of 2023, five hacker groups, including ThreatSec, GhostSec, Stormous, Blackforums,\r\nand SiegedSec, have collectively formed an entity known as “The Five Families.” The name ‘Five Families’\r\npotentially draws its inspiration from the influential Italian-American families engaged in the New York mafia\r\nduring the 1950s and 1960s. However it may also draw inspiration from the renowned “Five Eyes” intelligence\r\nalliance, an international intelligence-sharing partnership between five English-speaking countries: the United\r\nStates, the United Kingdom, Canada, Australia, and New Zealand. This collaboration signified a pivotal shift in\r\ncybersecurity as these groups united to maximize their reach and impact. In our interconnected digital world, this\r\ncooperative initiative enables the seamless exchange of knowledge, resources, and skills among the collectives,\r\ncreating a potent force. As a result, The Five Families anticipate exerting a lasting influence on the digital sphere,\r\nshaping the direction of online activities in the times to come. \r\nThe Five Families\r\nOne instance illustrating this scenario is the participation of certain members from the Five Families in the cyber\r\nconflict between pro-Israelis and pro-Palestinians, which resulted in an expansion of hacktivists’ cyber arsenals\r\nand numbers. The introduction of GhostLocker Ransomware, previously covered in a distinct article and\r\ndeveloped by pro-Palestinian GhostSec, could potentially be a game-changer in digital warfare. 
By revealing that\r\nthe Stormous Ransomware group, a constituent of the Five Families hacker consortium, intends to incorporate\r\nGhostLocker into their operations, we have witnessed how these groups can mutually assist and exert influence on\r\neach other.\r\nFormation of The Five Families\r\nOn August 28, three hacker groups, a ransomware group, and a malware forum joined forces to create a unified\r\nhacker collective, naming themselves “The Five Families.” The alliance aimed to “forge stronger unity and\r\nconnections for all within the underground realm of the internet.”\r\nThe existing alliance boasts a robust and intricate leadership framework where every member is on equal footing\r\nand mutually answerable. The coalition is led by leaders from the five groups, potentially implying that each\r\nleader assumes responsibility for decision-making and other pivotal functions.\r\nThe Five Families’ first post on their Telegram channel\r\nOperations of The Five Families\r\nThe Collective announced its first operations a day later. In their first major attack, the hacker groups infiltrated the\r\nPresidential website of Cuba, claiming to have leaked a large amount of government data to the public and\r\ndeleted various data from government systems.\r\nhttps://socradar.io/the-five-families-hacker-collaboration-redefining-the-game/\r\nPage 1 of 5\n\nThe Five Families’ first major attack OpCuba\r\nThe next day, they targeted an organization in Brazil, a target from a similar geography. The group, which claimed\r\nto have breached the company called Alfa Comercial, provided the company with a Session ID to extort 230 GB\r\nof data. They also provided an e-mail address for those who would like to receive the data in case a scenario\r\noccurs where the company does not contact them. They uploaded sample data to their channel as a Torrent file.\r\nSecond attack of The Five Families\r\nTheir third operation, a data leak, targeted a Taiwanese computer hardware company. 
The leaked data shared on\r\nTelegram channels was claimed to be customer data and company/employee’s personal data.\r\nThird attack of The Five Families\r\nThe collective, which remained inactive for about a month after its first three attacks, announced its fourth attack\r\nin late September 2023, targeting Ortambo District Municipality.\r\nThe fourth attack by The Five Families on September 29, 2023\r\nThe group, which shared a session ID, also shared a BTC address. However, for now, there were no transactions in\r\nthe wallet.\r\nA screenshot of the wallet from blockchain.com\r\nLastly, on October 15, while they shared 85 GB of data from a Chinese chip company called Unisoc with a\r\nTorrent file on their Telegram channel, they said that this data was only a small part and tried to extort it again\r\nwith a session ID.\r\nMembers of The Five Families\r\nThreatSec\r\nAccording to an interview of Cybertecwiz with ThreatSec, under the leadership of its founder known as Wiz, it\r\nidentifies itself as a group fighting for the rights and freedom of the oppressed. Wiz expressed their mission in the\r\ninterview: “We’re here to fight for everyone’s freedom and rights, and everyone should have their world to live\r\nin.” The group primarily targets corrupt governments, emphasizing that monetary gain is not their main motive.\r\nAllegedly, ThreatSec distinguishes itself as a unique breed of hacktivists. Unlike many groups focused on\r\nmonetary gain, they carefully select victims based on their potential to help local populations. Wiz stated that their\r\ngoal is to set an example for others to better themselves and be free individuals.\r\nThreatSec utilizes various attack methods like Cross-Site Scripting (XSS), XML External Entity (XXE), and SQL\r\nInjection (SQLi), and is open to employing tactics such as ransomware and social engineering. 
The group also\r\nappears to be one of the rare groups declaring their neutrality in the Israel-Hamas conflict scorching the cyber\r\nworld.\r\nGhostSec\r\nhttps://socradar.io/the-five-families-hacker-collaboration-redefining-the-game/\r\nPage 2 of 5\n\nGhostSec, a prominent member of The Five Families, garnered considerable notice from both experts and the\r\ngeneral public, particularly in light of their recent action involving GhostLocker. Altimetrik claims that this\r\ngroup, purportedly affiliated with Anonymous and often self-identifying as vigilante hackers, has assumed the\r\nresponsibility of combating extremist content and activities on the internet.\r\nGhostSec first came to light in 2015, originating from the remnants of the renowned hacktivist collective\r\nAnonymous. While Anonymous was known for its diverse operations, GhostSec adopted a more specific mission\r\n– countering online terrorism and violent extremism. With a skilled team of hackers and cybersecurity enthusiasts,\r\nthey rapidly gained recognition for their unconventional approach to tackling extremist groups on the internet.\r\nGhostSec’s mission revolves around a somewhat ambiguous goal: disrupting the online presence and\r\ncommunication of terrorist organizations, such as ISIS (Islamic State of Iraq and Syria) and Al-Qaeda. However,\r\nalthough the group initially seemed to remain neutral in the ongoing Israel-Hamas war, it also decided “to support\r\nPalestine people against Israel’s war crimes,” according to its own claims.\r\nTheir approach involves identifying social media accounts, websites, and online platforms associated with these\r\nextremist groups and then launching precise cyberattacks to take them offline. Utilizing a range of hacking\r\ntechniques, from Distributed Denial of Service (DDoS) attacks to defacement and data breaches, GhostSec\r\nallegedly aims to disrupt the propaganda machinery of these organizations. 
However, while discussing such noble\r\ncauses, they did not refrain from developing modular ransomware that they would potentially sell to everyone.\r\nSiegedSec\r\nSiegedSec, a hacktivist collective, emerged coincidentally just days before Russia’s invasion of Ukraine. Under\r\nthe leadership of the hacktivist known as “YourAnonWolf,” the group swiftly gained strength, announcing an\r\nincreasing number of victims after its inception.\r\nThe group humorously self-identifies as “gay furry hackers” and is renowned for its comical slogans and the use\r\nof vulgar language. SiegedSec has affiliations with other hacker groups like GhostSec and typically consists of\r\nmembers aged between 18 and 26.\r\nOn April 3, 2022, the group established its Telegram channel, marking its initial appearance. In addition to\r\ncarrying out cyber attacks, their chat channel is a hub for casual conversations and sexual humor.\r\nNotably, SiegedSec’s Twitter account has remained inactive for an extended period, likely due to frequent\r\nsuspensions. This is evident from their Telegram posts expressing frustration about these suspensions.\r\nThe group’s founder and administrator, “YourAnonWolf,” currently manages the group under the pseudonym\r\n“vio.” While there have been posts about vio leaving the group at various times, it remains unclear who took over\r\nwhen vio departed.\r\nStormous Ransomware\r\nThe Stormous Ransomware group has strategically capitalized on the escalating tensions between Russia and\r\nUkraine. SOCRadar analysts suggest they attempt to gain notoriety by aligning with agendas similar to Conti’s.\r\nhttps://socradar.io/the-five-families-hacker-collaboration-redefining-the-game/\r\nPage 3 of 5\n\nThreat intelligence experts have yet to agree on whether Stormous pursues these actions for political motives or\r\nfuture financial gains. 
Still, the prevailing belief is that this is primarily an advertising campaign.\r\nStormous ransomware attacks are often labeled as “scavenger operations” in the realm of cybersecurity. These\r\noperations involve targeting companies whose data has already been compromised by previous threat actors.\r\nHowever, the general consensus on Stormous leans toward regarding it as a fraudulent enterprise.\r\nAs previously mentioned, it appears that the group is striving to establish a prominent identity and may intend to\r\nsolidify its reputation through actual attacks in the future. Consequently, SOCRadar analysts are closely\r\nmonitoring the group’s activities.\r\nThe group that has remained inactive for a long time recently made a resurgence with their previously inaccessible\r\ndata leak site, now featuring additional pages and information. These updates include a primary page listing their\r\nrecent victims, a “Shop” section offering data from specific companies for sale, and a “Job Application” page\r\nsoliciting individuals skilled in extortion and hacking.\r\nFurthermore, the group has forged a partnership with GhostSec, officially announced on July 13, 2023, via\r\nGhostSec’s Telegram channel. Together, they have declared their collaboration to target organizations in Cuba and\r\nhave identified three Cuban government ministries as their primary targets. GhostSec has also expressed interest\r\nin potential joint operations targeting other countries. This situation later evolved into The Five Families\r\nCollective.\r\nDespite presenting itself as a ransomware operation, it is uncertain whether Stormous employs ransomware in its\r\nattacks. Some of the data they claim to have stolen and shared has been debunked as fake, casting doubt on the\r\ncredibility of their claims and intrusions. 
One of their latest announcements was that they will use GhostSec’s\r\nmodular ransomware GhostLocker in their operations.\r\nBlackForums\r\nBlackForums, a prominent hacker forum and data marketplace, has gained notoriety within the cybercriminal\r\nunderworld. This covert platform has become a hub for various illicit activities, serving as a rendezvous point for\r\nindividuals and groups seeking to exchange sensitive data and malware. The group behind BlackForums actively\r\npromotes their services, inviting interested parties to engage with them on the platform. This level of openness and\r\nactivity has attracted numerous cyber criminals, and the forum has established a reputation as a go-to destination\r\nfor various cyber misdeeds.\r\nOne significant aspect of BlackForums is its connection to ransomware data and malware distribution.\r\nCybercriminals often utilize this platform to trade stolen information, offer malware for sale, and collaborate on\r\nvarious cyber exploits. Remarkably, BlackForums operates openly on the clear web, making it more accessible to\r\na broader audience. Its presence on the clear web is a testament to its operators’ audacity and confidence in the\r\nforum’s longevity.\r\nThe prominence of BlackForums came to the forefront when a high-profile attack on BreachForums exposed a\r\nstolen database. The threat actors behind this breach shared the compromised data on BlackForums.\r\nhttps://socradar.io/the-five-families-hacker-collaboration-redefining-the-game/\r\nPage 4 of 5\n\nConclusion\r\nIn conclusion, as The Five Families bring together their diverse interests and capabilities, they find a temporary\r\ncommon ground, although their long-term cohesion remains uncertain. These groups, comprising ransomware\r\noperators, hacking forums, and hacktivist factions, have the potential to reinforce each other in various ways. 
The\r\neffectiveness of their collaboration, without specific objectives and rules, remains a question mark, but their\r\ncollective potential is undeniably significant.\r\nSOCRadar Dark Web Monitoring\r\nIn a world where even hackers are collaborating, it becomes imperative for the cybersecurity community to unite\r\nand adapt. Monitoring and understanding the actions of such groups is vital, and taking a proactive stance is\r\ncrucial. SOCRadar’s comprehensive Dark \u0026 Deep Web Monitoring solution equips organizations to detect and\r\naddress threats across the surface, deep, and dark web, including platforms like Telegram. With our unparalleled\r\nreconnaissance capabilities and threat analysis, we provide actionable insights to empower you in safeguarding\r\nyour organization proactively. Integrating automated external cyber intelligence with a dedicated team of analysts\r\nallows SOC teams to extend their reach beyond their immediate perimeters. It’s a new cybersecurity era that\r\ndemands collective awareness and action.\r\nSource: https://socradar.io/the-five-families-hacker-collaboration-redefining-the-game/\r\nhttps://socradar.io/the-five-families-hacker-collaboration-redefining-the-game/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socradar.io/the-five-families-hacker-collaboration-redefining-the-game/"
	],
	"report_names": [
		"the-five-families-hacker-collaboration-redefining-the-game"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "93b7776d-9b37-496d-94a5-30bc36fd8800",
			"created_at": "2023-11-07T02:00:07.10019Z",
			"updated_at": "2026-04-10T02:00:03.407781Z",
			"deleted_at": null,
			"main_name": "GhostSec",
			"aliases": [
				"Ghost Security"
			],
			"source_name": "MISPGALAXY:GhostSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c29ed071-678d-4023-a954-7138fb534056",
			"created_at": "2023-11-05T02:00:08.079228Z",
			"updated_at": "2026-04-10T02:00:03.39948Z",
			"deleted_at": null,
			"main_name": "SiegedSec",
			"aliases": [],
			"source_name": "MISPGALAXY:SiegedSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3eca3b8-5c00-4d5b-997f-61450ecd598a",
			"created_at": "2024-01-09T02:00:04.20862Z",
			"updated_at": "2026-04-10T02:00:03.513149Z",
			"deleted_at": null,
			"main_name": "Threatsec",
			"aliases": [],
			"source_name": "MISPGALAXY:Threatsec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434387,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91d30e706962e15067ba790c32f943a671066442.pdf",
		"text": "https://archive.orkl.eu/91d30e706962e15067ba790c32f943a671066442.txt",
		"img": "https://archive.orkl.eu/91d30e706962e15067ba790c32f943a671066442.jpg"
	}
}