Cyber Threat Actor: Rocky Paul
| Actor Type | Location | Known Incidents |
Criminal
|
—
|
1 incident |
|---|
Profile
Rocky Paul is a threat actor linked to disruptive cyber operations targeting media organizations. Public reporting attributes this alias to an individual or group involved in retaliatory attacks against the Balkan Investigative Reporting Network (BIRN) in late 2023. The actor’s activities demonstrate a consistent focus on suppressing critical journalism through both coercive financial offers and technical attacks when such demands are rejected.
The threat actor primarily targets media entities, with documented activity against BIRN—an outlet operating in the Balkans region. Strategic objectives center on disruption rather than financial theft or data exfiltration, specifically aiming to silence reporting through operational interference. This pattern emerged after BIRN published articles exposing false copyright claims by a convicted Turkish fraudster, whose representative had previously attempted to bribe the network for content removal. The actor’s operational timing indicates responsiveness to media cycles, initiating attacks shortly after unfavorable coverage.
Rocky Paul’s sole publicly confirmed tactic involves distributed denial-of-service (DDoS) attacks, deployed to overwhelm target websites and render them inaccessible. The December 22, 2023, attack on BIRN disrupted normal traffic flows, causing significant service interruptions. No malware families, specialized tooling, or initial access vectors beyond DDoS mechanisms are explicitly documented in available sources. The campaign’s execution aligns with direct retaliation against media refusal to comply with censorship demands, though technical sophistication levels remain unspecified. Attribution details are limited, with no confirmed state affiliations or criminal consortium ties publicly identified; the actor’s association with the Turkish fraudster’s representatives suggests potential alignment with private interests seeking reputation management through coercive means. This incident represents the only operation conclusively linked to Rocky Paul in open-source reporting as of current knowledge.
