Cyber Threat Actor: LoliCorp
| Actor Type | Location | Known Incidents |
Criminal
|
United States of America
|
1 incident |
|---|
Profile
LoliCorp is the alias used to refer to a threat actor that has been publicly linked to a cyber incident occurring in February 2020. Open source reporting identifies the actor’s location as the United States of America. No other aliases or geographic details have been disclosed in the available material. The actor came to attention following a breach of a cybersecurity firm that provides authentication services to major financial institutions.
On February 24 2020 the attackers gained access to the victim’s file‑sharing system, which was used to distribute software components to clients. This intrusion allowed them to exfiltrate over a thousand email addresses, phone numbers and other sensitive pieces of information. The victim organization disputed claims that passwords were compromised in the incident. In addition to personal data, the attackers viewed internal communications and obtained technical assets such as binaries stored on the system. The firm promptly shut down the file‑sharing service to contain the breach and stated that no proprietary source code was leaked and that client application data remained unaffected.
The exposure of internal communications and binaries indicated that the actors were able to navigate beyond the initial file‑share repository and access broader internal resources. Despite the breadth of data taken, the victim emphasized that the core authentication infrastructure and client‑facing application data were not altered or stolen. The disruption caused by the shutdown of the file‑sharing system impacted the distribution of software updates to the firm’s customers. No further details about the actor’s tools, malware families, or specific techniques have been made public in the reporting associated with this event.
To date, the only publicly attributed operation linked to LoliCorp is the February 2020 breach described above. No additional campaigns, affiliations with state actors or criminal consortia, or broader targeting patterns have been verified through open sources. Consequently, the profile of this threat actor remains limited to the facts presented in the single reported incident.
