Menu
Browse

Cyber Threat Actor: @SQLiNairb

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Activist
Russia
3 incidents
Profile

Thethreat actor known by the aliases nairb and @SQLiNairb has been observed operating from Russia, according to publicly available location information. The actor first came to attention in early 2014 when they claimed responsibility for compromising a website associated with an extremist organization. Their online handles are used consistently across the leak announcements and related communications. No additional aliases or alternative identifiers have been documented in the open sources reviewed. The actor’s presence is limited to the single reported incident set, with no further activity reported in subsequent years.

The actor’s method of intrusion relied on a basic MySQL injection that exploited a GET parameter on the target site, a technique described in the source material as very simple. No custom malware, exploit kits, or advanced tooling was referenced in the reports; the attack relied solely on standard SQL syntax to extract database contents. After gaining access, the actor exfiltrated multiple databases, including user tables and internal WordPress installations, and then distributed the data via public paste sites. A partial dump was first posted to Pastebin accompanied by a short ideological statement, while the complete dataset was later uploaded to MirrorCreator. The leak process therefore combined a straightforward initial vector with the use of widely available file‑sharing services for dissemination. The targeting was explicitly directed at the National‑Socialist Party of Canada, a neo‑Nazi group, because of its extremist ideology, as stated by the actor in the leaked messages. The actor framed the operation as a retaliatory act against hate‑based entities, indicating an ideological rather than financial or espionage motive. No evidence links the actor to any state sponsor, criminal consortium, or larger hacking collective; the activity appears to be an independent action. The sole publicly reported operation remains the February 2014 breach, which resulted in the exposure of over 1,300 user accounts containing email addresses, usernames, and passwords. This incident represents the entirety of the actor’s known operational footprint in the open source record.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
1 source