Cyber Threat Actor: DumpForums
| Actor Type | Location | Known Incidents |
|---|---|---|
| Activist | Ukraine | 7 incidents |
Profile
CH01, operating under aliases DumpForums and 4B1D, is a pro-Ukraine hacker group primarily targeting Russian entities across government, media, healthcare, and commercial sectors. Publicly attributed operations indicate a focus on disruption, data theft, and politically motivated messaging, with activities concentrated between 2022 and 2025. The group employs multiple aliases across campaigns: DumpForums for ransomware-driven defacements, CH01 for symbolic website takeovers, and 4B1D for destructive healthcare attacks, suggesting possible operational segmentation or rebranding efforts aligned with tactical objectives.
The group’s targeting consistently prioritizes Russian infrastructure, with government websites compromised for defacement and extortion (DumpForums’ 2022 attack on the Ministry of Construction), broadcast systems hijacked to spread false emergency alerts (2023 radio station hacks), and healthcare providers crippled through data destruction (4B1D’s 2025 hospital attack). Strategic objectives blend immediate operational disruption—such as DDoS attacks against state television during key government addresses—with psychological impact through symbolic imagery (e.g., CH01’s defacements depicting the Kremlin burning) and financial pressure via cryptocurrency ransom demands. Healthcare sector operations demonstrate escalated aggression, combining data exfiltration, encryption, backup deletion, and dark web data sales to maximize institutional damage.
Techniques vary by alias but consistently exploit perimeter vulnerabilities: DumpForums leveraged compromised content management systems for defacement and data theft, CH01 exploited shared services or libraries for mass website takeovers, and 4B1D used credential theft (hospital director’s account) to deploy destructive payloads. The group maintains auxiliary communication channels through Telegram and Twitter to claim operations and disseminate protest content, as seen in CH01’s QR code-linked propaganda. While Russian authorities attribute multiple disruptive incidents to these aliases—particularly the broadcast hacks causing public safety concerns—no explicit state sponsorship or criminal consortium ties are publicly documented. Operations align temporally with geopolitical tensions, though direct links to kinetic events like drone strikes remain unverified.
