Menu
Browse

Cyber Threat Actor: L0RDBR

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
Brazil
2 incidents
Profile

The threat actor is known by the aliases L0RDBR and JustBR and has been associated with Brazil. In January 2021 Brazilian Federal Police arrested Marcos Roberto Correia da Silva, who operated under the alias Vanda the God, as part of Operation Deepwater. The arrest was linked to the alleged orchestration of Brazil's largest data breach, which exposed CPF and CNPJ numbers, full names and addresses of roughly 223 million individuals. A second individual using the alias JustBR reportedly placed the stolen data up for sale on the RaidForums marketplace. Authorities executed additional warrants in connection with the widespread dissemination of the compromised records.

The actor’s activities have affected multiple sectors, including personal data repositories, public administration, healthcare and maritime shipping. Geographic scope of the observed incidents spans Brazil, Spain, France and China. In Spain the public employment service SEPE experienced a ransomware event where files were encrypted and suspicious files bore the name Ryuk. A French hospital, Centre Hospitalier Général d’Oloron, suffered a ransomware attack that demanded a $50,000 Bitcoin payment and encrypted patient workstations. The actor’s alleged involvement with China’s Cosco Shipping was described as an unconfirmed hacking claim that remained under investigation at the time of reporting.

Observed tactics include the deployment of Ryuk ransomware against SEPE and the French hospital, and an alleged intrusion into China’s Cosco Shipping that remained unconfirmed and under investigation. No public technical details about initial access vectors or specific tooling have been disclosed in the referenced sources. Attribution to any state sponsor or formal criminal consortium has not been established in the available reporting. The Operation Deepwater data breach, the SEPE ransomware incident, the French hospital ransomware event and the alleged Cosco Shipping compromise represent the actor’s most notable publicly reported operations. These incidents collectively illustrate a pattern of ransomware use and large‑scale data exposure across different industries and regions.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
1 source