Cyber Threat Actor: Hunters
| Actor Type | Location | Known Incidents |
Criminal
|
Germany
|
2 incidents |
|---|
Profile
The Hunters threat actor, also known by the alias Hunters, is linked to Germany based on publicly available information. The group has been observed targeting organizations in both France and Germany, with incidents affecting a major French sporting goods retailer and a German youth hostel association. Their activities show a focus on financial gain through the theft and sale of personal data as well as ransomware operations that seek payment to prevent data disclosure and restore services. In addition to monetary motives, the Hunters have caused operational disruption by encrypting systems and disabling critical functions such as booking platforms, communication tools, and physical access controls.
Initial access in the observed campaigns has involved compromising an FTP server to retrieve configuration files containing system passwords, which facilitated further intrusion. The group employs ransomware to encrypt data and exfiltrates tens of gigabytes of personal, financial, and operational information, later threatening to publish the stolen material unless a cryptocurrency payment is made. Stolen datasets have appeared for sale on underground forums such as BreachForums, indicating a secondary monetization route. No public attribution to a state sponsor or a known criminal consortium has been established, and the actor’s affiliations remain unspecified beyond the geographic hint of Germany. The Hunters are therefore recognized for two representative operations: the 2025 Intersport data breach that exposed millions of French customers’ records and the 2024 ransomware attack on the Deutsches Jugendherbergswerk that disrupted services across its facilities. These incidents illustrate the actor’s reliance on credential theft via FTP, ransomware deployment, data exfiltration, and darknet communication to achieve financial and disruptive objectives.
