Full Report
Jessica Lyons reports: Cybercrime crews have become almost mystical entities, with security vendors assigning them names like Wizard Spider and Velvet Tempest. They hide out in hidden corners of the dark web (often accompanied by a clearnet leak site), leading some infosec folks to talk about these miscreants as if they are invincible. But not...
Analysis Summary
# Threat Actor: Wizard Spider / Velvet Tempest (and associated Cybercrime Crews)
## Attribution & Identity
* **Primary Names:** Wizard Spider, Velvet Tempest.
* **Proposed Humorous Aliases:** "Scrawny Nuisance," "Evil Ferret."
* **Key Individuals:** "UNKN" (identified by German authorities as the head of associated Russian ransomware operations).
* **Known Associations:** Linked to major ransomware operations including REvil and GandCrab.
## Activity Summary
The article describes a shift in how these groups are being analyzed and reported on by the infosec community. Rather than treating them as "invincible" or "mystical" entities, firms like Trellix are adopting a "Dark Web Roast" approach. This is a psychological operation (psyop) intended to strip these actors of their "superpower" status and refocus on their identity as common criminals driven by financial gain. Recent law enforcement activity mentioned includes the doxing of "UNKN" by German authorities.
## Tactics, Techniques & Procedures
* **Data Theft and Extortion:** Primarily motivated by stealing data and demanding payment (financial gain).
* **Dark Web Operations:** Utilizing hidden forums and marketplaces to coordinate activities.
* **Double Extortion:** Maintaining "clearnet" leak sites to host stolen data and pressure victims into paying ransoms.
* **Social Engineering/Psychological Operations:** Utilizing the "mythical" status assigned by researchers to intimidate victims (a tactic now being countered by industry "roasting").
## Targeting
* **Sectors:** Education (specifically New York schools), Legal (immigration law firms), Healthcare (Gritman/Moscow clinic and Hong Kong Hospital Authority), Military (personnel data via Strava).
* **Geography:** Global, with specific mentions of the United States (New York, Idaho, Long Island), Germany, and Hong Kong.
* **Victims:**
  * New York State school districts (44 incidents reported on Long Island).
  * Gritman Medical Center (Moscow, Idaho).
  * Hong Kong Hospital Authority (56,000 patients).
  * Global military personnel (via fitness tracking leaks).
## Tools & Infrastructure
* **Malware Families:**
  * REvil
  * GandCrab
  * Infostealer malware (distributed via GitHub/Claude Code leaks)
* **Infrastructure:**
  * Dark web forums and marketplaces.
  * Clearnet leak sites (e.g., hxxps[://]databreaches[.]net).
  * RSS feeds for data leak announcements (hxxps[://]databreaches[.]net/feed/).
## Implications
There is a growing strategic assessment that "glamorizing" threat actors with dramatic names contributes to their effectiveness by making them appear peerless or unstoppable. By "roasting" these actors and revealing their mundane motivations and human errors, the industry aims to diminish their leverage during negotiations and reduce the psychological impact of their campaigns on potential victims.
## Mitigations
* **De-mythologization:** Adopt reporting standards that treat threat actors as common criminals rather than elite entities to reduce their psychological leverage.
* **Data Governance:** Given the 72% rise in school-related data incidents, institutions must prioritize the protection of PII and student records.
* **Supply Chain Security:** Monitor platforms like GitHub for leaks of proprietary code (e.g., Claude Code) that are being repurposed to distribute infostealers.
* **Device Privacy:** Implement strict policies regarding fitness trackers and mobile apps for sensitive personnel (military/government) to prevent location and identity leaks.