Cyber Threat Actor: KelvinSecTeam
| Actor Type | Location | Known Incidents |
Sensationalist
|
China
|
7 incidents |
|---|
Profile
KelvinSecTeam is a threat actor known by that alias, with open‑source reporting indicating a base of operations in China. The actor first appeared in public disclosures in 2015 and has since been linked to a series of website compromises and data leaks. Public references consistently use the KelvinSecTeam moniker when attributing the incidents, and no alternative names have been documented in the sources reviewed. The actor’s activity is characterized by the acquisition and public release of user credentials and operational data from a variety of online targets.
The observed targets span government, sports, entertainment and logistics sectors across multiple regions. Incidents include compromises of Venezuelan military aviation, education and tax authority websites, a Colombian football star’s personal site, a Spanish‑language community forum, and an airline logistics company based in the United Arab Emirates. The resulting data affected users in Africa, Asia and Europe, as noted in the Airlink International case. These patterns show the actor focuses on publicly accessible web applications and does not appear to limit itself to a single industry or geographic area.
In terms of tactics, the actor repeatedly exploited misconfigured or inadequately protected web servers to gain initial access, as exemplified by the Airlink International breach where a misconfigured server exposed hundreds of thousands of files. After gaining access, KelvinSecTeam typically extracted databases containing usernames and passwords, sometimes in clear text and sometimes hashed, and then published the dumps on public forums or dark web sites. The 2015 attacks on Venezuelan government domains and the James Rodriguez website followed a similar pattern of credential dumping without evidence of malware deployment or persistence mechanisms. Representative operations include the 2020 Airlink International data leak, the 2015 Venezuelan government site compromises, and the 2015 amigosmadrid.es breach, each illustrating the actor’s reliance on web‑application weaknesses and credential harvesting for public disclosure.
