Menu
Browse

Cyber Threat Actor: Carbonic

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Activist
United States of America
1 incident
Profile

The threat actor known as Carbonic operates under the alias @TeamCarbonic and has been identified as originating from the United States of America. Public references also associate the individual behind the activity with the handle @MarxistAttorney, who has communicated directly with journalists and security blogs. The actor first came to attention in early 2015 after claiming responsibility for a breach at the University of Chicago. These details are drawn from publicly available reporting and the actor’s own statements.

Carbonic’s targeting has focused on educational institutions, specifically universities and colleges located primarily in the United States, with additional claims involving a United Kingdom institution. The actor has described the motivation behind the intrusions as a combination of seeking amusement, referred to as 'lulz', and protesting high tuition fees that burden students. In statements to media outlets, the actor said the goal was to undermine the perceived incompetence of university IT teams by exposing internal data. No indication of financial gain or state‑sponsored espionage appears in the available sources.

The consistent technique reported in the actor’s operations is the exploitation of SQL injection vulnerabilities to gain initial access to target databases. After obtaining entry, the actor extracts data such as payroll information, employee identifiers, email addresses, and internal system details, which are then posted on public paste sites and the actor’s own web presence. No specific malware families or custom tooling are mentioned in the sources; the activity relies on manual SQLi queries and the use of publicly available data dump platforms. The actor has noted that vulnerabilities were often patched after notification, but the data had already been copied.

Attribution to a specific government sponsor or criminal consortium has not been established in the public record; the actor appears to act independently or with a small loosely affiliated group. Representative operations cited in the reporting include the University of Chicago breach that exposed payroll and employee data, the University of Hawaii incident where network device information was collected, and the Cornell University intrusion that yielded employee contact details and utilities account information. These examples illustrate the actor’s pattern of targeting university networks via SQLi and publishing the resulting data to highlight perceived security shortcomings.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
3 sources