Cyber Threat Actor: Foilo
| Actor Type | Location | Known Incidents |
Hacker
|
United States of America
|
1 incident |
|---|
Profile
Foilo is the known alias of a threat actor whose location has been identified as the United States of America. Analysis of code artifacts from the actor’s activities has suggested a possible German origin, though the actor’s stated location remains the United States. The actor is primarily recognized for exploiting vulnerabilities in network‑attached storage devices to conduct illicit cryptocurrency mining operations.
The actor’s targeting has focused on Synology NAS devices, which are used in both consumer and small‑business environments across multiple regions. The strategic objective demonstrated in the observed campaign was financial gain, as the actor deployed mining malware to generate Dogecoin for personal profit. No indications of espionage, disruption, or other motives have been documented in the available sources.
In the notable incident dated February 8 2014, Foilo leveraged known security flaws in the Linux‑based operating system of Synology NAS units to obtain administrative access. The actor then installed CPUMiner malware, configuring it to connect to a private mining pool and using the username “foilo.root3” in the configuration files. This operation yielded over 500 million Dogecoins, valued at approximately $620 000, with the majority of the mining occurring over a two‑month period. No public attribution to a state sponsor or criminal consortium has been established for this actor.
