Menu
Browse

Cyber Threat Actor: Turk Hack Team

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Activist
Turkey
25 incidents
Profile

The threat actor known as Turkic Hackers Rulez, Turk Hack Team, or THT operates from Turkey and has been active since at least 2007. The group uses multiple aliases in public statements and on social media platforms to claim responsibility for its operations. It presents itself as a hacktivist collective that aligns with Turkish nationalist interests and has expressed support for Azerbaijani positions in regional conflicts. Public reporting links the actor to a series of cyber activities that span website defacements, distributed denial‑of‑service campaigns, and DNS hijacking efforts aimed at governmental and financial targets.

The actor’s observed targeting includes government portals in France, Malta, Armenia, and the United States, as well as banking institutions such as Crédit Agricole, the Central Bank of Malta, the National Bank of Armenia, and the Russian Central Bank. Reported objectives have been explicitly stated in the group’s own messages, ranging from protesting France’s classification of the Grey Wolves as terrorists, opposing French arms deliveries to Armenia, supporting Azerbaijan during the Nagorno‑Karabakh escalation, reacting to perceived insults against religious symbols, and delivering geopolitical messages related to airspace violations. The actor’s tactical repertoire consists of DDoS attacks that overwhelm online services, website defacements that replace content with political slogans or logos, DNS hijacking that redirects traffic to fraudulent sites for credential harvesting, and the occasional leakage of personal data via Pastebin. The group also uses Twitter to announce operations and has been seen incorporating imagery from Turkish football clubs into defaced pages.

Attribution assessments by Western security officials have characterized some of the actor’s infrastructure reuse and victim selection as indicative of a state‑backed cyber espionage operation advancing Turkish interests, although the group itself claims independent hacktivist motives. The actor has demonstrated collaboration with Azerbaijani hackers in campaigns against Armenian digital infrastructure and has described itself as pro‑Erdogan in several public statements. These affiliations are reflected in the timing and thematic overlap of operations with Azerbaijani interests, particularly during periods of heightened tension over Nagorno‑Karabakh.

Representative operations include the April 2024 defacement of a French government employment site featuring Grey Wolves imagery, the February 2024 DDoS disruption of Crédit Agricole’s online banking services, the June 2023 claim of responsibility for a DDoS outage against the Central Bank of Malta, the January 2018‑early 2019 DNS hijacking campaign that affected ministries and embassies across Europe and the Middle East, the August 2017 defacement of Armenian tourism and government websites conducted alongside Azerbaijani counterparts, the July 2016 defacement of Arizona state legislative sites by an actor using the alias aLem!, and the April 2016 DDoS assault on the National Bank of Armenia amid the Nagorno‑Karabakh conflict. Each of these incidents illustrates the actor’s reliance on disruption, defacement, and credential‑theft techniques to convey political messages. The actor continues to be referenced in open‑source reporting as a persistent source of politically motivated cyber activity linked to Turkish strategic objectives.

Incidents
Attributed incidents available to members
25 incidents
Sources
Sources available to members
7 sources