Cyber Threat Actor: zerodark70
| Actor Type | Location | Known Incidents |
|---|---|---|
| Criminal | Turkey | 1 incident |
Profile
The threat actor known by the alias zerodark70 has been observed operating from Turkey. The actor first came to public attention in early 2017. No further personal details or real‑world identity have been disclosed in open sources.
In February 2017 zerodark70 offered for sale a database allegedly containing approximately 83,000 user accounts from the United Press International (UPI) news agency. The listing appeared on the AlphaBay dark‑web marketplace and was priced at about 100 USD (0.09 bitcoin). The data package included email addresses, real names and passwords that were hashed with the MD5 algorithm. According to the seller, some of the MD5 hashes had already been cracked, exposing plain‑text passwords. Zerodark70 declined to provide any specifics about how the breach occurred or the age of the compromised information. UPI responded by disabling login functions, notifying its email subscriber base and removing portions of its website. The compromised accounts reportedly covered subscribers, employees and journalists who have interacted with senior U.S. officials in defense and energy sectors.
Beyond this single advertised dataset, no additional campaigns, malware families, tooling or affiliations have been publicly linked to zerodark70. Consequently, the actor’s broader targeting patterns, strategic objectives or any state or criminal consortium connections remain undocumented in open sources. All known information about zerodark70 derives from the 2017 UPI account‑sale incident reported by CyberScoop.
