Menu
Browse

Cyber Threat Actor: Fresh

Actor Type Location Known Incidents
 Icon
Activist
1 incident
Profile

Fresh operates as a Turkish threat actor linked to the WKPF collective, publicly collaborating with aliases including Whiteweasel, Krypton, and the pahtron during coordinated operations. This group gained visibility through disruptive website defacements targeting Russian entities amid heightened geopolitical tensions between Turkey and Russia. Their sole publicly documented operation occurred in January 2016 against Ekonombank, a Russian financial institution, where they replaced the bank's homepage with protest messages before forcing the site offline. The attack explicitly referenced Turkey's downed SU-24 jet near Syria, framing the cyber intrusion as retaliation for Russia's military actions.

The actor demonstrates a clear focus on Russian financial sector targets, with Ekonombank's public-facing website serving as both a symbolic and functional disruption vector. Strategic objectives center on public shaming and service denial rather than financial theft or espionage, leveraging high-visibility defacements to amplify geopolitical grievances. While technical specifics of their intrusion methods remain undisclosed in public reporting, the operation relied on compromising web infrastructure to replace content and disrupt access. The bank redirected users to an online banking portal with a maintenance notice, indicating either defensive measures taken post-compromise or additional access limitations imposed by the attackers. Affiliation with pro-Turkish nationalist elements is evident through both the attack's timing and the explicit condemnation of Russian foreign policy in defacement messages.

The Ekonombank incident represents Fresh's most significant publicly reported campaign, illustrating their role within broader Turkish hacktivist retaliation cycles following the SU-24 incident. This operation caused tangible disruption by forcing prolonged website downtime while attracting media attention to the underlying political dispute. No subsequent operations or expanded targeting patterns have been verifiably attributed to Fresh in open-source reporting since 2016, leaving the Ekonombank defacement as their defining activity within cybersecurity records. The group's public alignment with Turkish geopolitical interests remains its most consistent identifying characteristic across available data.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources