Menu
Browse

Cyber Threat Actor: Jeffrey

Actor Type Location Known Incidents
 Icon
Criminal
United States of America
2 incidents
Profile

Jeffrey isthe alias used by an individual who, in September 2014, gained control of the email account associated with the pseudonymous creator of Bitcoin, Satoshi Nakamoto. The actor is believed to be based in the United States of America, although no further personal details have been publicly confirmed. The primary target of the activity was a single high‑profile figure within the cryptocurrency community, indicating a focus on individuals rather than broad sectors or geographic regions. The stated objective was financial extortion, as Jeffrey demanded 25 bitcoins—approximately twelve thousand dollars at the time—in exchange for purportedly undisclosed emails and identity‑revealing information. A secondary objective appeared to be disruption, demonstrated by the use of the compromised account to post unsolicited messages on the P2P Foundation website and to deface a Bitcoin developer page hosted on Sourceforge.

The observed tactics, techniques, and procedures were limited to credential compromise and the subsequent misuse of that access. Jeffrey reportedly took over the [email protected] address, either through re‑registration after a period of inactivity or by direct hacking, though the exact method remains unspecified. Once in control, the actor leveraged the email account to send messages to external platforms, including a forum administrator who received an excerpt of a prior correspondence. The same credentials were then used to publish a warning message on the P2P Foundation site and to alter content on the Sourceforge page, actions that constitute website defacement. No malware families, custom tools, or specific exploit kits were referenced in the reporting, and the actor did not describe any advanced persistence mechanisms or command‑and‑control infrastructure.

Attribution to any state sponsor, criminal consortium, or larger threat group has not been established in open sources. The incident is treated as an isolated extortion attempt, with a forum administrator characterizing the behavior as likely trolling rather than a sophisticated operation. The September 2014 episode targeting Satoshi Nakamoto’s email remains the sole publicly reported campaign linked to the alias Jeffrey, representing a brief but notable intersection of cryptocurrency‑themed extortion and web‑based disruption. No additional operations or recurring patterns have been documented for this actor in the available material.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
1 source