Menu
Browse

Cyber Threat Actor: Berkut

Actor Type Location Known Incidents
 Icon
Criminal
Russia
2 incidents
Profile

Theactor uses the handles Berkut, Berkut Group and Berkut Hacker in underground communications. Open source reporting indicates the individual or group is based in Russia. These identifiers have appeared in listings on the Tochka dark web marketplace where stolen data is offered for sale.

Berkut has been linked to two publicly reported breaches involving online forums. The first incident, dated January 2015, targeted a law‑enforcement focused site called PoliceOne, resulting in the alleged theft of approximately 715,000 user accounts containing usernames, email addresses, MD5‑hashed passwords with salts and join dates. The second incident, reported in February 2017, affected the Coachella Valley Music and Arts Festival’s website and its associated message board, exposing roughly 950,000 accounts with email addresses, usernames and hashed passwords. In both cases the actor advertised the stolen databases for sale, asking $400 for the PoliceOne data and $300 for the Coachella data. The actor claimed to have gained access by exploiting a known vulnerability in outdated vBulletin forum software, a technique that is publicly documented for versions such as 4.2.3. No malware families or custom tooling are mentioned in the available sources; the described activity relies on leveraging existing web application flaws. Motherboard verified subsets of the leaked data by attempting to register accounts with the supplied email addresses, confirming that many corresponded to existing profiles. The actor did not include payment card information in either dump, focusing solely on authentication details.

Attribution to a specific state sponsor or criminal consortium has not been established in the public record; the only geographic clue is the stated Russian location. The actor’s activity is limited to the sale of compromised credential sets, with no evidence of ransomware, espionage‑oriented malware or disruptive operations. These incidents represent the most notable campaigns attributed to Berkut, illustrating a pattern of targeting weakly secured forums to harvest and sell user data. Thus the profile of Berkut is defined by its use of credential‑theft via web‑application exploits and its participation in dark‑web data markets.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
2 sources