Menu
Browse

Cyber Threat Actor: Shaltai Boltai

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Activist
Russia
1 incident
Profile

Shaltai Boltai, also known by the alias Humpty Dumpty, is a hacker group that has been publicly linked to Russia. The group first gained attention in August 2014 when it claimed responsibility for compromising the Twitter account of Russian Prime Minister Dmitry Medvedev. In that incident the actors posted fabricated messages, including a false resignation announcement and a political statement contesting Russia’s claim to Crimea, and they shared photographs allegedly taken from Medvedev’s personal iPhone. Government officials confirmed the breach and described the unauthorized tweets as entirely false. The group has described itself as specializing in publishing leaks from Russian officials, indicating a focus on exposing internal government communications.

The targeting demonstrated by Shaltai Boltai appears to concentrate on high‑profile Russian governmental figures and their digital communications. By gaining access to Medvedev’s email and iPhone, the actors were able to extract personal photographs and disseminate them through the compromised Twitter account. The strategic objectives evident from the 2014 operation include spreading disinformation that challenges official state narratives, as shown by the tweet asserting that Crimea is not Russian territory, and embarrassing government officials through the release of private material. No financial gain or criminal profit motive is mentioned in the available sources, and the activity is framed as politically motivated rather than financially driven.

The tactics, techniques, and procedures referenced in the reporting involve compromising email accounts to obtain sensitive data, accessing personal mobile devices to retrieve images, and hijacking social media platforms to amplify the leaked content. The group did not deploy any named malware families or specific exploit tools in the described incident; instead, the emphasis was on credential theft or device intrusion followed by direct publication via Twitter. No public attribution to a state sponsor, criminal consortium, or broader alliance is provided in the sources, and the group’s affiliations remain unspecified beyond its self‑identified role as a leaker of Russian official information. The 2014 Twitter compromise of the Russian Prime Minister remains the most notable and publicly documented operation associated with Shaltai Boltai.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source