Menu
Browse

Cyber Threat Actor: LizardCircle

Actor Type Location Known Incidents
 Icon
Activist
United States of America
1 incident
Profile

LizardCircleis a threat actor known by that alias and has been associated with activity originating from the United States of America. The actor came to public attention through a single, well‑documented incident in which they seized control of a major technology company’s domain registrar account. During that operation they displayed protest imagery that linked to critical social media content, indicating a desire to convey a message through the compromise. No further aliases or geographic details have been publicly confirmed beyond the U.S. location noted in available reporting.

In February 2015 LizardCircle compromised the domain registrar account of Lenovo, allowing them to hijack the company’s primary domain and redirect both web and email traffic to servers under their control. By altering MX records they intercepted employee communications and impersonated legitimate web pages, maintaining access until a third‑party security provider intervened to restore services. The takeover occurred amid widespread criticism of Lenovo’s preinstalled adware, which had been shown to undermine HTTPS protections, and the attackers used the opportunity to highlight their grievances through the protest imagery they posted. Law enforcement agencies were expected to become involved given the scale of the domain takeover and the potential exposure of sensitive data.

The observed tactics, techniques, and procedures of LizardCircle center on compromising domain registration credentials to manipulate DNS settings, thereby enabling traffic redirection, email interception, and site impersonation. No specific malware families or custom tooling have been linked to the actor in public sources, and no clear ties to state sponsors or criminal consortia have been established. The Lenovo incident remains the most prominent and representative operation attributed to LizardCircle, illustrating a capability to exploit trust in internet infrastructure for both disruptive and demonstrative purposes.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources