Menu
Browse

Cyber Threat Actor: Ryan King

Actor Type Location Known Incidents
 Icon
Criminal
Malaysia
1 incident
Profile

Ryan King is an alias associated with the threat actor involved in the 2015 Webnic.cc registrar compromise. The actor is known to operate from Malaysia, as indicated in the available reporting. This identifier links the individual to the broader Lizard Squad collective that carried out the described intrusion. No additional aliases or personal details are provided in the source material.

The actor’s targeting appears focused on domain registration and DNS infrastructure, specifically exploiting a registrar to alter records for high‑profile domains. The observed objectives were disruptive, as the intrusion redirected visitors to attacker‑controlled pages displaying messages promoting the group and their services. There is no explicit mention of financial gain, espionage, or other motives in the reported incident. The activity demonstrates a desire to achieve visibility and publicity through service interruption.

Noted tactics include the exploitation of a command injection vulnerability in the Webnic.cc platform to gain initial access. Following access, the actor uploaded a rootkit to maintain persistence on the compromised systems. The actor then manipulated DNS records to hijack domains such as Google’s Vietnam domain and Lenovo.com, thereby controlling traffic flow. The rootkit was later removed, which mitigated further immediate hijacking risk via that method. No specific malware families or additional tooling are described beyond the generic rootkit usage.

Attribution publicly ties the actor to the Lizard Squad hacker group, which is referenced as the responsible entity in the Webnic.cc incident. No state sponsorship or formal criminal consortium affiliation is disclosed in the source material. The actor’s association with Lizard Squad suggests a loose affiliative relationship rather than a hierarchical structure. No further details about group membership or external direction are available.

The most significant publicly reported operation involving Ryan King is the February 24, 2015 compromise of Webnic.cc, which led to the DNS hijacking of prominent domains and the display of promotional messages. This incident is cited as an example of the actor’s capability to leverage registrar access for broad impact. While the registrar had experienced prior breaches involving similar threat actors, those events are not directly attributed to Ryan King in the provided information. The episode remains the primary documented activity for this actor in the open‑source record.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources