Cyber Threat Actor: Tsar Team
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
1 incident |
|---|
Profile
Tsar Team, also known as Tsar Team Hackers, is a cybercriminal group that has been linked to a 2017 breach of a Lithuanian plastic surgery clinic and is believed to operate from Russia. The actors used the aliases Tsar Team and Tsar Team Hackers in their communications with the victim and media outlets. Their activity demonstrates a focus on the healthcare sector, specifically targeting clinics that store sensitive personal and medical information. The group's actions in this incident were driven by financial gain, as they attempted to extort the clinic for a ransom of 300 bitcoins and later offered the stolen data for sale on the dark web. No evidence in the provided material connects the group to espionage, disruption, or state sponsorship.
In the reported operation, Tsar Team gained unauthorized access to the clinic's data system, exfiltrating records and nude photographs of approximately 25,000 patients, including celebrities. After the clinic initially downplayed the breach, the attackers released verified patient data to prove the authenticity of the leak and subsequently blackmailed high‑profile individuals via untraceable messages. They advertised the complete dataset for roughly €344,000, with individual records priced between €50 and €2,000, citing the clinic’s refusal to pay and its inadequate cybersecurity as justification for the public sale. The group framed their ransom demand as a “small penalty fee” for the clinic’s use of vulnerable IT systems. This campaign remains the only publicly documented activity attributed to Tsar Team in the supplied sources.
