Cyber Threat Actor: Boris Bullet-Dodger
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
2 incidents |
|---|
Profile
Thethreat actor known publicly as Boris Bullet‑Dodger, also referred to simply as Boris, has been linked to two separate intrusions reported in 2019. The actor is located in Russia according to the available information. The alias appeared in direct communication with a technology news outlet when offering proof of a compromise. No additional aliases or affiliations have been disclosed in the sources examined.
In the first incident the actor targeted Perceptics, a United States‑based manufacturer of license‑plate readers used for border surveillance, exfiltrating roughly sixty‑five thousand files that included blueprints, financial records, human‑resources data and multimedia. The stolen material was subsequently posted on the dark web without any observable ransom demand, indicating an objective of public disclosure or disruption. In the second incident the actor compromised CityComp, a Germany‑based IT infrastructure provider serving large multinational corporations, and extracted more than five hundred gigabytes of financial and private client data. Here the actor explicitly cited inadequate security as motivation, demanded a five‑thousand‑dollar ransom and threatened to release the data through a dedicated website if payment was not made.
Across both intrusions the actor’s tactics centered on the large‑scale exfiltration of corporate files and their distribution via underground channels. The actor supplied journalists with a detailed inventory of the stolen files as verification of the breach. In the CityComp case a ransom note was delivered alongside the threat of public release, while the Perceptics breach featured only the release of the data without an accompanying extortion demand. The actor also claimed sole responsibility for the compromises and stated that they would not pursue the victim’s customers directly.
Public attribution remains limited to the alias and the possible Russian location; no state sponsorship or criminal‑consortium ties have been established in the reporting. The two campaigns described above constitute the actor’s most notable publicly reported operations to date. No further malware families, initial‑access vectors or tooling specifics are mentioned in the available sources. Consequently the profile is confined to the observed behaviors of data theft, dark‑web leakage and occasional ransom solicitation.
