Cyber Threat Actor: TheUSERS007
| Actor Type | Location | Known Incidents |
|---|---|---|
| Criminal | — | 1 incident |
Profile
The threat actor known by the alias TheUSERS007 has been publicly linked to the hack‑and‑leak group FulcrumSec, which claimed responsibility for a cyber intrusion against Novo Nordisk in early 2026. This association indicates that the actor operates under a collective brand that emphasizes data theft and extortion rather than purely disruptive or espionage‑focused motives. The Novo Nordisk incident shows the actor’s focus on the pharmaceutical and healthcare sector, where it sought to obtain valuable intellectual property and personal data. The stated strategic objective in this case was financial gain, initially expressed through a $25 million extortion demand and later pursued by offering the stolen data for sale on dark‑web markets. No public information ties the actor to a state sponsor or a larger criminal consortium beyond its self‑identified affiliation with FulcrumSec.
In terms of tactics, the actor’s reported initial access relied on dormant credentials and a compromised GitHub token, highlighting a reliance on credential‑based abuse rather than custom malware or zero‑day exploits. The operation involved copying source code, AI models, proprietary drug information, clinical trial datasets, and pseudonymized details of research subjects, employees, and healthcare professionals, indicating a broad data exfiltration capability. After the extortion demand was refused, the actor shifted to a monetization phase by advertising the stolen material on underground forums while withholding certain sensitive sets as part of a self‑described harm‑reduction strategy. This sequence of credential abuse, data theft, extortion, and subsequent resale represents the only publicly documented campaign attributable to TheUSERS007/FulcrumSec to date. The profile is therefore limited to the confirmed facts surrounding the Novo Nordisk incident, with no additional sectors, regions, or tooling details available from the supplied sources.
