Menu
Browse

Cyber Threat Actor: The White Team

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Crime Syndicate
United States of America
2 incidents
Profile

Thethreat actor known as The White Team, also referred to as The White Company, operates from the United States of America. It has been linked to intrusions targeting healthcare providers and social media memory applications. In a 2023 incident against a healthcare organization, the actor gained unauthorized access to patient records containing names, Social Security numbers, dates of birth, contact information, demographic data, insurance details and employer records. Following the breach, the actor sent extortion emails to affected individuals demanding payment to prevent the sale of the stolen data and directed recipients to a dark web portal. This extortion activity indicates a financially motivated objective. The actor’s approach in that case involved accessing sensitive data and then leveraging it for monetary gain through threats of public disclosure.

A separate campaign attributed to the same actor occurred in 2018 against a social media memory app, where attackers used compromised administrator credentials to infiltrate the company’s cloud environment. After gaining entry, they conducted reconnaissance over several months before exfiltrating personal data—including names, email addresses and phone numbers—during a holiday period. The intrusion also exposed authentication keys for social media integrations, prompting the provider to deactivate related services and require users to reauthenticate. No malware families or specific tooling were described in the public reports; the highlighted techniques focus on credential abuse and prolonged reconnaissance. Public attribution to a state sponsor or criminal consortium has not been established for either incident. The healthcare extortion case and the Timehop‑style data theft represent the actor’s publicly reported operations, illustrating a pattern of targeting organizations that store large volumes of personal information and employing credential‑based access followed by data theft or extortion.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
0 sources