Menu
Browse

Cyber Threat Actor: Phishers

Actor Type Location Known Incidents
 Icon
Criminal
Saudi Arabia
3 incidents
Profile

Thethreat actor known as Phishers has been linked to operations originating from Saudi Arabia, as indicated in open‑source reporting. The actor uses the alias Phishers in publicly attributed incidents. Targeting has been observed across the NFT investment sector, Saudi government agencies, and payroll services providers. The actor’s demonstrated objective is financial gain, as each reported incident involved monetary theft or the harvesting of data for resale on underground markets.

Initial access is achieved primarily through phishing emails that mimic trusted entities, such as a company CEO or a government portal. Supporting techniques include the creation of fraudulent login pages via typosquatting, subdomain spoofing, and punycode to deceive victims into entering credentials. No specific malware families or custom tooling are referenced in the available sources, with the actor relying on social engineering and web‑based deception.

In January 2023 the actor conducted a phishing attack against the British NFT firm NFT Investments, resulting in a loss of approximately $250,000 in digital assets. A November 2016 campaign targeted Saudi government agencies by impersonating the Absher e‑Service portal, harvesting personally identifiable information for potential resale or identity fraud. Earlier in March 2016 a payroll services provider suffered a breach after an employee clicked a CEO‑impersonation phishing email, exposing W‑2 data for tax fraud and identity theft; the organization responded with employee termination, law‑enforcement notification, and mandatory security training.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
0 sources