Menu
Browse

Cyber Threat Actor: [The 25-year-old suspect]

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
China
1 incident
Profile

The threat actor is known publicly as the 25‑year‑old suspect, an alias that appears in law‑enforcement reporting related to a 2018 data breach. The individual is associated with China, as indicated by the location of the arrest and the jurisdictional context of the incident. No additional aliases or organizational affiliations have been disclosed in the available sources.

In June 2018 the suspect was linked to a breach that affected nearly five million passengers of China Railway’s online booking system. The compromise occurred through unauthorized third‑party ticketing platforms that were connected to the official service, rather than through a direct vulnerability in China Railway’s own infrastructure. After obtaining stolen credentials from dark web markets, the actor used those credentials to gain access to additional accounts, resulting in the exposure of personal details such as names, identification numbers and passwords. Authorities subsequently arrested an individual connected to the theft, confirming the suspect’s involvement in the incident.

The observed tactics involve acquiring illicit credentials from underground markets and exploiting weaknesses in third‑party services that interface with the ticketing platform. This approach allowed the actor to bypass the primary system’s defenses while still accessing the underlying passenger data. No specific malware families, custom tooling, or persistent infrastructure have been described in the public reporting related to this case.

Beyond the 2018 China Railway ticketing breach, no further campaigns or operations have been publicly attributed to the 25‑year‑old suspect. The available information does not establish a state nexus, criminal consortium, or broader strategic objectives for the actor. Consequently, the profile is limited to the confirmed facts of the alias, location, the specific breach incident, and the associated tactics of credential theft and third‑party service exploitation.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources