Cyber Threat Actor: 1x0123
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
18 incidents |
|---|
Profile
The threat actor known by the aliases 1x0123 and Revolver is identified in open sources as an individual operating from Russia, though no explicit state sponsorship is attributed to this persona in the available material. The actor’s activity has been observed primarily against online services and technology firms, with reported targets including adult‑oriented platforms such as Adult FriendFinder and Pornhub, as well as a financial technology provider, FIS Global. Public statements and communications associated with the actor indicate a motivation rooted in financial gain, describing the pursuit of money either directly from compromised organizations or through the sale of vulnerabilities and access to third parties.
Technical details shared by the actor reveal a reliance on web‑application flaws as the primary means of intrusion. In the case of FIS Global, the actor claimed to have exploited a login‑portal vulnerability that allowed password resets without knowledge of the original password, enabling unauthorized access to client contacts and invoices. For Pornhub, the actor described uploading a shell through a vulnerability in the user‑profile script that processes images, which would permit command injection once the malicious file was accessed. Additionally, the actor referenced an SQL‑injection vulnerability on a server used by Mossack Fonseca, the law firm linked to the Panama Papers, suggesting a capability to manipulate database queries. The actor’s tooling style appears to consist of custom scripts or manual exploitation of these vulnerabilities rather than the deployment of known malware families, and the actor has used platforms such as Twitter and XMPP to communicate offers and updates.
Notable operations attributed to 1x0123/Revolver include a claimed breach of Adult FriendFinder in October 2016, during which the actor posted screenshots purporting to show internal access and reportedly attempted to negotiate the sale of data. In June 2016, the actor offered command‑execution capabilities and shell access on a Pornhub subdomain for $1,000, later stating that access had been sold to three individuals before Pornhub dismissed the incident as a hoax. Also in June 2016, the actor asserted that they had compromised FIS Global’s client portal, providing redacted screenshots of client contacts and invoices linked to Guaranty Bank and Trust Company and indicating that the vulnerability had been secured after the disclosure. These episodes illustrate a pattern of exploiting publicly exposed web flaws, leveraging the obtained access for financial negotiation, and using public channels to advertise or validate the claimed intrusions. No clear affiliation with a larger criminal consortium or state‑backed group is evident from the cited sources.
