Cyber Threat Actor: Eg-R1z Crew

Eg-R1z is a threat actor known by the alias ./Eg-R1z Cr3w and has been publicly identified as operating from Egypt. The actor first appeared in open‑source reporting in August 2014 when a defacement was placed on the HackForums website. The associated crew name ./Eg-R1z Cr3w was included in the defacement message alongside other handles such as i‑Hmx, H3ll C0D3 and Egyptian.H4x0rZ. No further aliases or affiliations have been documented in publicly available sources. The actor’s location is limited to the statement that the greets were sent from Egypt.

On the night of August 27 2014 the HackForums site displayed a defacement page that read “[403 Forbidden Error] - You might be blocked by your IP, Country, or ISP.” followed by the line “Just sending greets from Egypt i‑Hmx , H3ll C0D3 , Egyptian.H4x0rZ ./Eg-R1z Cr3w”. The report notes that the actor exploited an unspecified flaw to gain access to the server, uploaded an image to the compromised host and served it as the defaced page. As a result the forum was unavailable for a few hours and, although restored, continued to experience performance issues. The article states that the motive behind the defacement remains unclear, though the message could be interpreted as a warning to the site administrators about security weaknesses. No malware families, toolkits or specific payloads are mentioned in the coverage of this incident. The defacement was mirrored on Zone‑h as proof of the compromise.

The same article notes that HackForums has been defaced previously by other actors using handles such as imLulzPirate, b0x, SYRIAN-HACKER and KT N, indicating that the site is a recurring target for various groups. No additional campaigns, operations or tools linked to Eg-R1z have been reported in open‑source sources after the 2014 event. Consequently, there is no publicly verified information about the actor’s typical targets beyond the single website defacement, nor any established connections to state sponsors or criminal consortia. The profile therefore remains confined to the confirmed details of the 2014 HackForums defacement and the associated aliases. Any further assessment of the actor’s capabilities or intentions would require additional evidence not present in the current reporting.