Cyber Threat Actor: Gnosticplayers
| Actor Type | Location | Known Incidents |
Criminal
|
Pakistan
|
3 incidents |
|---|
Profile
Gnosticplayers, also referenced as GnosticPlayers, is a threat actor whose online alias has been associated with a series of large‑scale data breaches reported in 2019. The actor has been identified in open sources as operating from Pakistan, although no further personal details such as true name or organizational affiliation have been publicly disclosed. The moniker first appeared in underground forums where the individual claimed responsibility for compromising multiple online services and offering the harvested data for sale. This pattern of self‑attribution through public statements and data samples distinguishes the actor from more covert groups that avoid direct communication with journalists or security researchers.
The actor’s observed targets span several industries and geographic regions, indicating a broad, opportunistic approach rather than a narrow sector focus. Incidents have included a mobile gaming company (Zynga), a global hospitality chain (MGM), and an online graphic‑design platform (Canva), demonstrating interest in services that store extensive user profiles. The stolen information consistently comprises personal identifiers such as names, email addresses, phone numbers, birth dates, and, in some cases, credential material like password hashes or authentication tokens. While the breaches did not expose financial data in the cited cases, the actor repeatedly placed the acquired datasets on dark‑web marketplaces, suggesting a primary objective of monetary gain through the resale of personal information. No public statements link the activity to espionage, sabotage, or state‑sponsored motives.
Technical details disclosed in the breach reports reveal that the actor obtained data via unauthorized access to production databases and then extracted fields including SHA‑1 salted hashes, bcrypt‑protected password hashes, Facebook identifiers, and Google OAuth tokens. No specific malware families, exploit kits, or custom tools were mentioned in the available sources, so the actor’s tooling style remains undefined beyond the ability to exfiltrate structured user data. Attribution to a particular nation‑state or criminal consortium has not been established; the only concrete geographic clue is the actor’s self‑described base in Pakistan. Representative operations that illustrate the actor’s methodology include the September 2019 Zynga Words With Friends incident affecting over 218 million accounts, the mid‑2019 MGM hospitality breach exposing roughly ten million guest records, and the May 2019 Canva compromise impacting approximately 139 million users. These cases collectively illustrate a pattern of acquiring large volumes of personal data and attempting to profit from its sale on illicit markets.
