Cyber Threat Actor: Omnichorus
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
1 incident |
|---|
Profile
Omnichorus is a threat actor known by that alias and has been associated with Russia based on the limited location information available in open sources. The actor is described in threat intelligence reporting as a well‑known individual on underground hacking forums who has built a reputation for sharing and selling hacked or stolen data, a role often referred to as a data trader. This characterization comes from a ZDNet article that details how Omnichorus offered for sale a database containing millions of business contact records taken from an exposed Elasticsearch server belonging to the US‑based data broker LimeLeads. The actor’s activity has been observed primarily in the context of monetizing compromised data through forum posts and direct sales.
The data that Omnichorus attempted to sell included full names, titles, email addresses, employer names, company addresses, phone numbers, website URLs, revenue figures and employee counts, all of which were taken from LimeLeads’ internal database after it was left publicly accessible without authentication. By offering this information for sale, the actor provided potential buyers with a resource that could be used to conduct targeted phishing or social engineering campaigns against the businesses and individuals represented in the records. No specific malware families, exploit tools or initial access vectors are mentioned in the available reporting, and the actor’s methods appear limited to acquiring and redistributing already exposed data rather than developing custom intrusion capabilities. Attribution to a state sponsor or affiliation with a larger criminal consortium is not established in the public sources consulted; the only geographic clue is the possible Russian location noted in the actor’s profile.
The LimeLeads incident represents the most significant and publicly documented operation linked to Omnichorus, highlighting the actor’s focus on data trading as a means of generating revenue. While the actor has not been tied to any other distinct campaigns or to the deployment of specific malware families in the reporting, the sale of the LimeLeads dataset underscores a pattern of exploiting poorly secured cloud or server configurations to obtain valuable personal and corporate information. Because the source material does not provide further details on the actor’s broader tooling, typical victim sectors beyond this case, or any strategic objectives beyond financial gain from data sales, the profile remains confined to these confirmed facts. No additional speculative statements about the actor’s size, sophistication, or future intentions are included.
