Menu
Browse

Cyber Threat Actor: Zyklon

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Sensationalist
China
6 incidents
Profile

Zyklon, also known as Hell, is a threat actor that has been publicly linked to the WonkaSec collective and is reported to operate from China. The actor uses the aliases Zyklon and Hell in communications and on social media platforms such as Twitter. Public attributions note a connection to WonkaSec through shared branding and referenced temporary hosting sites. No state sponsorship or broader criminal consortium ties are explicitly stated in the available sources.

The actor’s observed activity includes compromising websites across several sectors. Targets have comprised an educational subdomain at Macalester College devoted to Russian history resources, an inflatable boat retailer aquamarineboat.com, a forum operated by Big Blue Interactive, a gaming‑related site differencegames.com, an Asian‑focused domain en.asiadcp.com, and an Israeli site hemda.org.il. These incidents show a pattern of hitting diverse online services rather than a single industry focus. The geographic spread of victims spans North America, Europe, and the Middle East as indicated by the respective domain names.

Zyklon’s tactics, as described in the reporting, involve gaining access to user databases and exfiltrating credentials such as usernames, email addresses, postal addresses and plaintext passwords. The actor then publishes the stolen data on Pastebin and on temporary web hosting pages, often accompanied by announcements that link to a WonkaSec‑branded homepage. No specific malware families, exploit kits or initial access vectors are detailed in the sources; the emphasis is on the acquisition and leakage of credential sets rather than on sophisticated payload delivery.

Representative operations attributed to Zyklon include the January 2015 breach of the Macalester College subdomain that exposed over 3,600 user records with references to a larger database of 90,000+ accounts, the aquamarineboat.com incident that leaked approximately 2,060 customer records including names and plaintext passwords, and the hemda.org.il compromise that dumped 1,324 usernames and passwords in clear text. These events were publicized via Pastebin announcements and temporary hosting links, forming part of a broader campaign that targeted multiple websites in early 2015. The actor’s activity ceased to be prominently reported after that period, with no further detailed incidents documented in the provided material.

Incidents
Attributed incidents available to members
6 incidents
Sources
Sources available to members
1 source