Cyber Threat Actor: hensi
| Actor Type | Location | Known Incidents |
Criminal
|
—
|
1 incident |
|---|
Profile
The threat actor using the alias 'Hensi' has been publicly linked to a cyber extortion campaign targeting Scania, a Swedish automotive manufacturer, in May 2025. This operation involved the compromise of an external IT partner’s credentials through infostealer malware, which were then leveraged to infiltrate Scania’s Financial Services division. The breach resulted in the theft of insurance claim documents containing personal and potentially sensitive data. Following the exfiltration, Hensi engaged in direct extortion attempts by threatening employees via email to leak the stolen information unless unspecified demands were met. When the company did not comply, Hensi partially disclosed the data on hacking forums, applying public pressure to escalate the extortion.
Hensi’s activities in this incident demonstrate a focus on corporate extortion through data theft and leakage, with the automotive sector identified as at least one target. The actor relied on compromised third-party credentials as an initial access vector, highlighting opportunistic targeting of supply chain vulnerabilities. Infostealer malware facilitated credential harvesting, though no specific malware family was named in public reporting. The operational pattern—exfiltration followed by private threats and selective public leaks—aligns with common cybercriminal extortion playbooks. No verifiable attributions to state-sponsored groups or criminal consortiums have been publicly disclosed in connection with Hensi. The Scania breach remains the only operation conclusively tied to this alias in open-source reporting as of the incident’s disclosure timeline.
