Menu
Browse

Cyber Threat Actor: DarkBit

Actor Type Location Known Incidents
 Icon
Criminal
China
2 incidents
Profile

DarkBit is a threat actor known by the alias DarkBit and has been associated with operations originating from China. The actor has targeted educational institutions in Israel, as seen in a ransomware incident against a prominent technology university, and has also conducted large‑scale ad fraud campaigns that primarily affected iOS users worldwide. In the university attack DarkBit demanded payment in bitcoin and threatened to increase the ransom if unpaid within a set timeframe, indicating a financially motivated objective, while simultaneously employing ideological rhetoric opposing Israel that suggested possible non‑financial motives; investigators noted that criminal goals could not be ruled out. The ad fraud operation, labeled Vastflux, generated revenue through fraudulent video ad bids, demonstrating a clear financial incentive derived from deceiving advertising networks and device owners.

DarkBit’s tactics include the use of ransomware that encrypts systems and demands cryptocurrency payment, accompanied by threats of escalating amounts if deadlines are missed, which caused operational disruptions such as postponed exams and forced institutions to adopt handwritten notes or disconnect devices to limit impact. In the Vastflux campaign the actor employed obfuscated JavaScript within malicious apps to communicate with command‑and‑control servers, utilized the fast flux technique to rapidly rotate IP addresses and DNS records, spoofed legitimate application and publisher identifiers to falsify ad revenue, stacked multiple hidden video ads to inflate view counts, deliberately omitted verification tags to evade detection by performance trackers, and continuously cycled infrastructure to maintain persistence. No specific malware families or initial access vectors are explicitly named in the provided material beyond these described techniques.

Public attribution links DarkBit to China based on location information, but no definitive state sponsorship or criminal consortium affiliation is stated in the sources. The actor’s notable operations consist of the February 2023 ransomware strike on the Israeli university and the Vastflux ad fraud scheme that peaked in mid‑2022 with over twelve billion bid requests per day affecting nearly eleven million devices before being disrupted through coordinated takedown efforts in late 2022. These incidents illustrate DarkBit’s capacity to conduct both financially driven cybercrime and ideologically tinged disruptive actions against targeted sectors.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
1 source