Full Report
Reza Abasi notes that there is a new forum called the “Kurd Hacker Forum” that focuses on data breaches in Iran, Syria, and Turkey. The domain was registered January 28, 2026. The forum, which is on the clear net, looks like it has the same format as the classic BreachForums, with the same types of sections...
Analysis Summary
# Threat Actor: Kurd Hacker Forum (and associated contributors)
## Attribution & Identity
- **Actor Name:** Kurd Hacker Forum
- **Associated Individuals:** Reza Abasi (identified as the initial researcher/source who noted the forum's emergence).
- **Identity/Group Profile:** A newer underground community likely composed of Kurdish-speaking or Kurdish-aligned threat actors and "leakers." The forum mimics the structure and format of established cybercrime hubs like the classic BreachForums.
- **Language Preference:** Kurdish and English.
## Activity Summary
The "Kurd Hacker Forum" was established via domain registration on **January 28, 2026**. It serves as a centralized clearinghouse for leaked databases and SQL injections primarily targeting Middle Eastern government and infrastructure entities. Within its first month of operation, the forum reached 843 members, indicating rapid adoption within the regional hacking community.
## Tactics, Techniques & Procedures
- **Forum Structure:** Utilization of a clear-net platform with sections and subsections dedicated to specific breach categories (e.g., Leaks, Databases).
- **Data Exfiltration:** Focus on SQL database dumps and large-scale citizen record harvesting.
- **TTPs:**
  - SQL Injection (implied by "SQL" database leaks)
  - Database exploitation
  - Information dissemination via RSS feeds for rapid data circulation.
## Targeting
- **Sectors:**
  - **Government:** Ministry of Health, Federal Police, Prison Systems.
  - **Infrastructure/Public Service:** Traffic management, Telecommunications.
  - **Education:** Universities.
  - **Healthcare:** Vaccination databases.
- **Geography:** Iran, Syria, Iraq, and Turkey.
- **Victims:**
  - Turkey: Covid Vaccination Database, Turknet, Aydın Adnan Menderes University.
  - Iraq: Traffic Database, Federal Police, Political Prisoners Database, Citizen Database, Al-Hashd al-Shaabi (الحشد الشعبي) data.
  - Syria: Ministry of Health.
## Tools & Infrastructure
- **Domain:** Kurd Hacker Forum (Registered: 2026-01-28) [URL currently not provided, but noted as a clear-net domain].
- **Platform:** Clear-net forum software (format similar to BreachForums).
- **Syndication:** RSS feeds for leak notifications.
## Implications
The emergence of this forum signals a specialized regionalization of the data breach landscape. While global forums exist, the Kurd Hacker Forum’s specific focus on Iran, Syria, and Turkey suggests a motivation that may be tied to regional geopolitics or local activism (hacktivism). The rapid growth of the member base and the sensitivity of the leaked data (police, prisoners, and health records) pose a significant risk to national security and citizen privacy in the targeted nations.
## Mitigations
- **Network Defense:** Organizations in the targeted regions should prioritize securing SQL databases and auditing web applications for injection vulnerabilities.
- **Data Monitoring:** Implement "Dark Web" and clear-net monitoring services to detect if organizational domain names or proprietary databases appear on this specific forum.
- **Incident Response:** Government entities in Iraq, Syria, and Turkey should review access controls for citizen databases, specifically relating to Federal Police and Ministry of Health records, to prevent further unauthorized exfiltration.
- **Credential Hygiene:** Use multi-factor authentication (MFA) to mitigate the impact of leaked administrative credentials often used to access these databases.
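
The Data Monitoring mitigation can build on the RSS syndication noted under Tools & Infrastructure: poll the feed and alert when a post names one of the organization's own assets. The following is an added example, not part of the original report; the RSS 2.0 layout, the sample feed and the watchlist terms are constructed assumptions, since the report gives no feed URL or format.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in generic RSS 2.0 layout; the forum's real feed URL and
# format are not given in the report, so both are assumptions.
SAMPLE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel><title>constructed feed</title>
<item><guid>t-101</guid><title>[DB] Example-Ministry citizen records SQL dump</title>
<description>portal.example.gov.test full table export</description></item>
<item><guid>t-102</guid><title>Forum rules update</title>
<description>Read before posting</description></item>
<item><guid>t-103</guid><title>EXAMPLE UNIVERSITY student db</title>
<description>mirror link inside</description></item>
</channel></rss>"""

# Hypothetical watchlist: the defender's own domains and organisation names.
WATCHLIST = ["example.gov.test", "Example University", "example-telecom.test"]


def parse_items(feed_bytes):
    """Parse RSS items from an untrusted feed, refusing DTDs and entities."""
    # The feed comes from a hostile source: reject DOCTYPE/ENTITY declarations
    # up front so entity-expansion payloads never reach the XML parser.
    if re.search(rb"<!(DOCTYPE|ENTITY)", feed_bytes, re.IGNORECASE):
        raise ValueError("feed contains a DTD or entity declaration")
    root = ET.fromstring(feed_bytes)
    for item in root.iter("item"):
        yield {tag: (item.findtext(tag) or "").strip()
               for tag in ("guid", "title", "description")}


def find_hits(feed_bytes, watchlist, seen_guids):
    """Return (guid, matched_term, title) for new items naming a watched term."""
    hits = []
    for item in parse_items(feed_bytes):
        if item["guid"] in seen_guids:
            continue  # already triaged on an earlier poll
        seen_guids.add(item["guid"])
        haystack = f'{item["title"]} {item["description"]}'.casefold()
        for term in watchlist:
            if term.casefold() in haystack:
                hits.append((item["guid"], term, item["title"]))
    return hits


if __name__ == "__main__":
    for guid, term, title in find_hits(SAMPLE_FEED, WATCHLIST, set()):
        print(f"ALERT {guid}: '{term}' in post titled {title!r}")
```

Persist `seen_guids` between polls so each post is triaged once, and route hits into the incident response process rather than treating a title match as confirmation of a breach.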