Cyber Threat Actor: devil
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
10 incidents |
|---|
Profile
The threat actor operates under the aliases VSOP, devil and Cursed Patriarch and has been linked to activities traced to Russia. Public reporting associates these names with a series of financially motivated incidents that include data leaks, ransomware encryption and distributed denial of service extortion. The actor’s known infrastructure and communication patterns have been observed across multiple campaigns that span government, social media and private email service sectors.
Targeting has focused on entities that either hold sensitive personal data or provide niche online services, with the apparent goal of extracting monetary gain. In October 2021 the actor, identifying as Cursed Patriarch, launched a coordinated DDoS extortion campaign against eight privacy‑focused email providers such as RiseUp, Posteo, Runbox and Fastmail, demanding 0.06 Bitcoin to halt attacks that peaked at 256 Gbps. Earlier, under the VSOP moniker, the actor leaked internal files from the Guatemalan Ministry of Foreign Affairs, including consular assistance and protection documents, after compromising the ministry’s network and encrypting its systems. Separately, using the devil alias, the actor exploited a vulnerability in Twitter’s Android client to harvest phone numbers and email addresses linked to 5.4 million accounts, then offered the compiled database for sale on a hacker forum for $30,000.
Observed tactics involve high‑volume DDoS floods likely generated by botnet infrastructure, ransomware that encrypts and corrupts files rendering larger files unrecoverable even after payment, and the abuse of authentication flaws to scrape private contact information from social media platforms. The actor has used leak sites to publish stolen governmental data and has followed attacks with extortion emails that specify Bitcoin ransom amounts and threaten continued disruption if demands are not met. While the actor’s location is noted as Russia, no public source has established a direct state affiliation or membership in a named criminal consortium, so any such connection remains undocumented. The combination of DDoS extortion, data theft for sale and ransomware deployment represents the actor’s publicly reported operational repertoire.
