
Cyber Threat Actor: Turk Hack Team

Aliases: 3 aliases
Actor Type: Activist
Location: Turkey
Known Incidents: 25 incidents
Profile

The threat actor is known by multiple aliases, including Turkic Hackers Rulez, Turk Hack Team (THT), Turkish hackers, Turkish civilian hackers, and the specific handle aLem!; the group is based in Turkey. It has been active since at least 2007 and operates under various names while maintaining a consistent focus on politically motivated cyber operations. Public reporting links the actor to both independent hacktivist actions and collaborations with Azerbaijani hackers during regional conflicts.

The actor’s targeting spans government, banking, financial, and critical infrastructure sectors across Europe, the Middle East, North Africa, and the United States. Incidents have included defacements of French government employment and social cohesion websites, DDoS disruptions of Crédit Agricole’s online services, and outages of the Central Bank of Malta’s site. Strategic objectives cited in the sources involve protesting France’s classification of the Grey Wolves as terrorists, opposing French arms deliveries to Armenia, supporting Azerbaijan in the Nagorno‑Karabakh dispute, and reacting to incidents such as the Quran burning in Denmark. The actor has also conducted DNS hijacking campaigns aimed at stealing credentials from email services, cloud storage, and security networks of governmental and diplomatic entities in Europe and the Middle East.

Observed tactics, techniques, and procedures consist primarily of website defacement, distributed denial‑of‑service (DDoS) flooding, and DNS hijacking to redirect traffic to fraudulent sites for credential theft. The group uses social media platforms such as Twitter to claim responsibility and disseminate screenshots of affected services. Specific handles associated with the operation include @thtghostkiller (Ghost Killer) and the individual alias aLem!, which has been linked to defacements of Arizona state legislative sites. Tooling described in the reports emphasizes volumetric traffic generation for DDoS and manipulation of DNS records rather than custom malware deployment.

Attribution assessments by Western security officials have characterized the DNS hijacking activity as bearing the hallmarks of a state‑backed cyber espionage operation conducted to advance Turkish interests, although the actor also operates as a pro‑Erdogan hacktivist collective and has cooperated with Azerbaijani hackers against Armenian targets. Notable campaigns referenced in the open‑source record include the 2024 French government website defacement, the 2024 Crédit Agricole DDoS, the 2023 Central Bank of Malta outage, the 2018‑2019 DNS hijacking campaign affecting dozens of governmental and diplomatic entities, the 2017 Armenian website breaches conducted with Azerbaijani collaborators, the 2016 Arizona state website defacements by aLem!, and the 2016 DDoS operations against Iranian and Russian government sites. These activities demonstrate a pattern of politically driven disruption, espionage, and support for regional alliances.

Incidents
25 incidents
Sources
7 sources