Cyber Threat Actor: ElSurveillance
| Actor Type | Location | Known Incidents |
Activist
|
United States of America
|
15 incidents |
|---|
Profile
ElSurveillance is a hacktivist known by the alias @ElSurveillance and associated with the operation #EscortsOffline, with some sources describing the individual as a Moroccan hacker while the contextual note lists the location as the United States of America. The actor has consistently used the same moniker across multiple incidents involving the exposure of user data from online dating and escort‑related platforms. Public statements and defacement messages attribute the activity to a single individual who claims to monitor targets for extended periods before taking action. No additional aliases or affiliations are documented in the provided material.
The actor’s targeting focuses on websites that facilitate personal relationships, including mainstream dating services, niche Muslim dating platforms, and escort‑oriented sites. These targets span various geographic regions, as evidenced by compromises of domains such as freedateusa.com (United States), AdultSingleSites.com.au (Australia), Shadi.com and MuslimMatch.com (global Muslim audiences), AfrikaDating.com, PinkDate.co.uk (United Kingdom), and numerous escort domains. Strategic objectives expressed in defacements and communications include warning users about alleged data exploitation by Russian‑speaking cyber criminals, encouraging visitors to listen to the Qur’an and reject extremist propaganda, and exposing server logs containing visitor IP addresses and browser information to demonstrate inadequate security practices. The actor also claims to act in order to deter use of the services through public shaming and the threat of further data release.
Observed tactics, techniques, and procedures involve website defacement with ideological messages, the extraction and publication of user databases containing email addresses and plain‑text or weakly hashed passwords, and the disclosure of server access logs. The actor notes that many of the targeted sites share identical administrator usernames, only a few password variations, and are hosted on the same server, which facilitates credential reuse and monitoring. Initial access appears to rely on exploiting these shared administrative credentials rather than deploying custom malware, as no malware families are referenced in the sources. Proof of compromise is often mirrored on Zone‑h.org, data dumps are hosted on file‑sharing services such as Sendspace, and references to password‑cracking sites like crackstation.net are provided to illustrate the weakness of stored credentials.
Representative operations include the November 2016 breach of freedateusa.com and 24luv.com where over 220 000 records with plain‑text credentials were dumped, the July 2016 series of intrusions affecting Shadi.com, MuslimMatch.com, AfrikaDating.com and AdultSingleSites.com.au that exposed millions of user records and private messages, and the July 2015 wave of defacements and data leaks on escort‑related sites such as MeetMeInYourCity.com and Captain 69™ Worldwide Escort Reviews. Public attribution to a state sponsor or criminal consortium is absent; the actor remains described as an independent hacktivist motivated by ideological and moral messaging rather than financial gain. The actor’s activities have highlighted recurring security shortcomings in the dating and escort sectors, particularly the storage of credentials in reversible formats and the use of shared administrative infrastructure across multiple domains.
