Menu
Browse

Cyber Threat Actor: Seize

Actor Type Location Known Incidents
 Icon
Criminal
China
1 incident
Profile

Seize is a threat actor known by that alias and has been associated with operations originating from China. The actor came to public attention in February 2023 after leaking samples of internal data belonging to the Canadian telecommunications provider TELUS, including employee names and email addresses, and subsequently offering to sell the full set of stolen material. The offering comprised private source code repositories, payroll records, AWS keys, Google authentication keys, and a dedicated sim‑swap‑api that could be used to facilitate SIM swap attacks. The actor claimed possession of over 76 000 unique employee emails and asserted that the data had been scraped from Telus’ internal APIs.

The incident shows that Seize’s targeting is focused on the telecommunications sector, specifically a major Canadian operator, and that the actor’s immediate objective appears to be financial gain through the sale of the exfiltrated assets on underground forums. No public reporting links the activity to espionage, disruption, or any broader geopolitical campaign, and the victim’s own investigation found no evidence of customer data compromise, limiting the impact to internal source code and employee details. The actor’s communications emphasized the completeness of the breach and the utility of the stolen code for further attacks, indicating a profit‑driven motive rather than a strategic intelligence goal.

Regarding tactics, techniques, and procedures, the only observable behavior from the Seize operation is the theft and subsequent advertisement of source code, credential material, payroll information, and a specialized API for SIM swap facilitation; no malware families, exploit kits, or specific initial‑access vectors were described in the available reporting. Attribution to China is based on the location information provided in the threat‑actor context, but no definitive ties to a state‑sponsored program or a known criminal consortium have been established in open sources. The TELUS leak remains the sole publicly documented campaign attributed to Seize, representing a discrete incident of data theft and attempted monetization rather than a series of repeated operations.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source