Cyber Threat Actor: KelvinSecurity
| Actor Type | Location | Known Incidents |
|---|---|---|
| Criminal | Russia | 5 incidents |
Profile
KelvinSecurity, which operates under that single primary alias, is a cybercriminal group reportedly based in Russia and active since at least 2020. The group specializes in infiltrating corporate networks to exfiltrate sensitive data, which it monetizes through sales on underground cybercrime forums such as Breach Forums and Raid Forums, as well as via Telegram channels. Its operations consistently follow a pattern of publicly claiming responsibility for breaches, advertising samples of stolen data, and providing contact details for prospective buyers. Public reports have variously described the group as grey hat or black hat hackers, reflecting its dual role as data thief and illicit access broker.
KelvinSecurity predominantly targets Italian organizations across multiple critical sectors, including energy, telecommunications, pharmaceuticals, and financial services, though it has also compromised international entities such as the German automotive manufacturer BMW and the U.S.-based consulting firm Frost & Sullivan. Its objective is financial, centered on selling stolen databases, system access, proof-of-concept (PoC) exploits, and corporate documents. The group relies on prominent cybercrime platforms to monetize its intrusions, with Breach Forums serving as its primary marketplace following the takedown of Raid Forums. Initial access vectors are rarely detailed in public reporting, though one incident involved an unsecured backup folder that had been exposed online. Notable campaigns include the 2022 breaches of the Italian energy advisor tel.ene (11.5 GB of PDFs), the pharmaceutical firm Norigine (3.15 GB of internal documents), and the financial services provider Genial Money (68 GB of files). Earlier operations include the 2020 theft of 384,000 customer records from BMW and the compromise of Frost & Sullivan’s employee and client databases. Although the group’s Russian base is cited, no explicit state affiliation or ties to a criminal consortium have been publicly established.
