{
	"id": "a8b3f6a2-e276-4465-91b8-80c9c65be183",
	"created_at": "2026-04-09T02:24:15.721148Z",
	"updated_at": "2026-04-10T03:29:39.722328Z",
	"deleted_at": null,
	"sha1_hash": "dcb1fb8a500b2bc4515e729a3696cd477b6e0c8d",
	"title": "AlphV responds to MGM incident and sloppy reporting - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55338,
	"plain_text": "AlphV responds to MGM incident and sloppy reporting -\r\nDataBreaches.Net\r\nPublished: 2023-09-15 · Archived: 2026-04-09 02:18:25 UTC\r\nAlphV has posted a statement about their attack on MGM Resorts. They also post some scathing criticisms of\r\njournalists and news outlets for reporting inaccurately and not verifying sources. Of note, their statement also\r\nasserts, “The ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack\r\nbefore this point. Rumors were leaked from MGM Resorts International by unhappy employees or outside\r\ncybersecurity experts prior to this disclosure. Based on unverified disclosures, news outlets made the decision to\r\nfalsely claim that we had claimed responsibility for the attack before we had.”\r\nSo no one from AlphV ever contacted vx-underground and talked about LinkedIn or social engineering on\r\nSeptember 12? vx-underground has not retracted his claim about that, although DataBreaches reported at the\r\ntime that there was no confirmation for his claims. DataBreaches has reached out to AlphV on Tox to ask them\r\nwhether the report that LinkedIn was used, etc. was accurate or not, especially since it later seemed that the\r\ncontact vx-underground heard from was someone AlphV says was pranking Reuters. Unfortunately, AlphV has not\r\nyet responded to this site’s request for clarification so reports of social engineering using LinkedIn remain\r\nunconfirmed and possibly refuted. \r\nHere is AlphV’s full statement:\r\nStatement of ALPHV  group on MGM Resorts International: Setting the record straight\r\n9/14/2023, 7:46:49 PM\r\nWe have made multiple attempts to reach out to MGM Resorts International, “MGM”. As reported, MGM\r\nshutdown computers inside their network as a response to us. 
We intend to set the record straight.\r\nNo ransomware was deployed prior to the initial take down of their infrastructure by their internal teams.\r\nMGM made the hasty decision to shut down each and every one of their Okta Sync servers after learning that we\r\nhad been lurking on their Okta Agent servers sniffing passwords of people whose passwords couldn’t be cracked\r\nfrom their domain controller hash dumps. Resulting in their Okta being completely locked out. Meanwhile we\r\ncontinued having super administrator privileges to their Okta, along with Global Administrator privileges to their\r\nAzure tenant. They made an attempt to evict us after discovering that we had access to their Okta environment,\r\nbut things did not go according to plan.\r\nOn Sunday night, MGM implemented conditional restrictions that barred all access to their Okta\r\n(MGMResorts.okta.com) environment due to inadequate administrative capabilities and weak incident response\r\nplaybooks. Their network has been infiltrated since Friday. Due to their network engineers’ lack of understanding\r\nof how the network functions, network access was problematic on Saturday. They then made the decision to “take\r\noffline” seemingly important components of their infrastructure on Sunday.\r\nAfter waiting a day, we successfully launched ransomware attacks against more than 100 ESXi hypervisors in\r\ntheir environment on September 11th after trying to get in touch but failing. This was after they brought in\r\nexternal firms for assistance in containing the incident.\r\nIn our MGM victim chat, a user suddenly surfaced a few hours after the ransomware was deployed. 
As they were\r\nnot responding to our emails with the special link provided (In order to prevent other IT Personnel from reading\r\nthe chats) we could not actively identify if the user in the victim chat was authorized by MGM Leadership to be\r\npresent.\r\nWe posted a link to download any and all exfiltrated materials up until September 12th, on September 13th in the\r\nsame discussion. Since the individual in the conversation did not originate from the email but rather from the\r\nhypervisor note, as was already indicated, we were unable to confirm whether they had permission to be there.\r\nTo guard against any unneeded data leaking, we added a password to the data link we provided them. Two\r\npasswords belonging to senior executives were combined to create the password. Which was clearly hinted to\r\nthem with asterisks on the bulk of the password characters so that the authorized individuals would be able to\r\nview the files. The employee ids were also provided for the two users for identification purposes.\r\nThe user has consistently been coming into the chat room every several hours, remaining for a few hours, and then\r\nleaving. About seven hours ago, we informed the chat user that if they do not respond by 11:59 PM Eastern\r\nStandard Time, we will post a statement. Even after the deadline passed, they continued to visit without\r\nresponding. We are unsure if this activity is automated but would likely assume it is a human checking it.\r\nWe are unable to reveal if PII information has been exfiltrated at this time. If we are unable to reach an agreement\r\nwith MGM and we are able to establish that there is PII information contained in the exfiltrated data, we will take\r\nthe first steps of notifying Troy Hunt from HaveIBeenPwned.com. He is free to disclose it in a responsible manner\r\nif he so chooses.\r\nWe believe MGM will not agree to a deal with us. Simply observe their insider trading behavior. 
You believe that\r\nthis company is concerned for your privacy and well-being while visiting one of their resorts?\r\nWe are not sure about anyone else, but it is evident from this that no insiders have purchased any stock in the past\r\n12 months, while 7 insiders have sold shares for a combined 33 MILLION dollars.\r\n(https://www.marketbeat.com/stocks/NYSE/MGM/insider-trades/). This corporation is riddled with greed,\r\nincompetence, and corruption.\r\nWe recognize that MGM is mistreating the hotel’s customers and really regret that it has taken them five years to\r\nget their act together. Other lodging options, including casinos, are undoubtedly open and happy to assist you.\r\nAt this point, we have no choice but to criticize outlets such as The Financial Times for falsely reporting events\r\nthat never happened. We did not attempt to tamper with MGM’s slot machines to spit out money because doing so\r\nwould not be to our benefit and would decrease the chances of any sort of deal.\r\nThe rumors about teenagers from the US and UK breaking into this organization are still just that—rumors. We\r\nare waiting for these ostensibly respected cybersecurity firms who continue to make this claim to start providing\r\nsolid evidence to support it. Starting to the actors’ identities as they are so well-versed in them.\r\nThe truth is that these specialists find it difficult to delineate between the actions of various threat groupings,\r\ntherefore they have grouped them together. Two wrongs do not make a right, thus they chose to make false\r\nattribution claims and then leak them to the press when they are still unable to confirm attribution with high\r\ndegrees of certainty after doing this. 
The Tactics, Techniques, and Procedures (TTPs) used by the people they\r\nblame for the attacks are known to the public and are relatively easy for anyone to imitate.\r\nThe ALPHV ransomware group has not before privately or publicly claimed responsibility for an attack before\r\nthis point. Rumors were leaked from MGM Resorts International by unhappy employees or outside cybersecurity\r\nexperts prior to this disclosure. Based on unverified disclosures, news outlets made the decision to falsely claim\r\nthat we had claimed responsibility for the attack before we had.\r\nWe still continue to have access to some of MGM’s infrastructure. If a deal is not reached, we shall carry out\r\nadditional attacks. We continue to wait for MGM to grow a pair and reach out as they have clearly demonstrated\r\nthat they know where to contact us.\r\n————————————————-\r\nUpdates:\r\nTech Crunch \u0026 others: neither you nor anybody else was contacted by the hacker who took control of MGM. Next\r\ntime, verify your sources more thoroughly, or at the very least, give some hint that you do.\r\nAdditional Edits:\r\nPreviously incorrect attribution for slot machine report has been changed to correctly identify The Financial Times\r\nas the source of the utterly false information.\r\nhttps://www.ft.com/content/a25d2897-b0ce-4ba7-92ed-ff5df09d1b47\r\nMore Updates on Fake News:\r\nZeba Siddiqui (Reuters) fails to confirm the credibility of sources before publishing items on Reuters that contain\r\nfake news, funnily enough naive individuals like this are the direct targets of social engineering schemes because\r\nthey are so gullible. Find a new profession.\r\nYou were actually made fun of by a random Telegram user. You idiot. 
But hey, anything for a story, right?\r\nhttps://www.reuters.com/business/casino-giant-caesars-confirms-data-breach-2023-09-14/\r\n———————————————\r\nAs of September 15, 2023, we have not spoken with any journalists, news organizations, Twitter/X users, or\r\nanyone else. Any official updates are only available on this blog. You would think that after the tweet below,\r\npeople would know better than to believe anything unreliable they would hear about this incident. If we talk to a\r\nreporter, we will share it here. We did not and most likely won’t.\r\nhttps://twitter.com/VitalVegas/status/1702017681963237410/photo/1\r\nSource: https://www.databreaches.net/alphv-responds-to-mgm-incident-and-sloppy-reporting/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.databreaches.net/alphv-responds-to-mgm-incident-and-sloppy-reporting/"
	],
	"report_names": [
		"alphv-responds-to-mgm-incident-and-sloppy-reporting"
	],
	"threat_actors": [
		{
			"id": "86ab9be8-ce67-4866-9f66-1df471e9d251",
			"created_at": "2024-05-29T02:00:03.942487Z",
			"updated_at": "2026-04-10T02:00:03.641939Z",
			"deleted_at": null,
			"main_name": "Alpha Spider",
			"aliases": [
				"ALPHV Ransomware Group"
			],
			"source_name": "MISPGALAXY:Alpha Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775701455,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dcb1fb8a500b2bc4515e729a3696cd477b6e0c8d.pdf",
		"text": "https://archive.orkl.eu/dcb1fb8a500b2bc4515e729a3696cd477b6e0c8d.txt",
		"img": "https://archive.orkl.eu/dcb1fb8a500b2bc4515e729a3696cd477b6e0c8d.jpg"
	}
}