Cyber Threat Actor: JM511
| Actor Type | Location | Known Incidents |
|---|---|---|
| Sensationalist | United States of America | 7 incidents |
Profile
The threat actor known by the aliases @JM511 and JM511 has been observed operating from the United States of America. Public reporting links this handle to a series of intrusions against educational institutions in the United States, a major American auto‑parts retailer, and a United Kingdom‑based recruitment organization. These incidents show a pattern of targeting organizations that rely on web‑facing applications, with victims located in both North America and Europe. The actor’s activity has been documented through multiple data breach notifications and public disclosures on social media and paste sites.
The actor’s typical tactics involve exploiting SQL injection and cross‑site scripting vulnerabilities in outdated web applications, often after issuing advance warnings to the target via email or social media. Once access is gained, the actor extracts database contents, publishes samples of the data on public paste services, and reveals technical details such as the versions of Apache, PHP, and MySQL running on the compromised servers. No specific malware families or custom tooling are mentioned in the available sources; the emphasis is on manual or scripted web‑application attacks and the use of publicly available exploitation techniques. The actor also shares information about the compromised infrastructure, including database user and name details, to demonstrate the depth of access.
Representative operations include the August 2015 compromises of several U.S. universities—including the University of California, Los Angeles, Western Governors University, the University of Minnesota, DePaul University, and Northern Illinois University—where the actor disclosed vulnerable URLs and, in the case of UCLA, dumped user IDs, usernames, hashed and plaintext passwords, email addresses, and full names. In the same time frame, the actor breached AutoZonePro.com, initially exposing approximately 50,000 customer records containing billing addresses, email addresses, hashed passwords, telephone numbers, dates of birth, and later claiming access to over 162,000 records with additional order‑related fields. Separately, a Saudi Arabian hacker using the same JM511 handle was reported to have struck the UK‑based TEAM recruitment network, dumping 1,296 records. These examples illustrate the actor’s repeated use of web‑application flaws to obtain and publicize sensitive data across different sectors and regions.
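The tactics described above (SQL injection and cross‑site scripting probes against PHP/MySQL web applications) leave traces in ordinary Apache access logs. The following is an added triage script, not part of the original profile or of any reporting on this actor; the log lines, IP addresses and paths are constructed sample data, and the indicator patterns are a deliberately small starting set that a defender would extend.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed Apache combined-log lines (sample data, not from any real incident).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Aug/2015:10:01:02 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Aug/2015:10:01:09 +0000] "GET /news.php?id=12%27%20UNION%20SELECT%20user,password%20FROM%20users-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Aug/2015:10:02:30 +0000] "GET /search.php?q=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2015:10:03:00 +0000] "GET /news.php?id=13 HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
"""

# Fields of the Apache "combined" format that matter for triage.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns applied to the fully decoded query string (case-insensitive).
SQLI_RE = re.compile(r"'\s*(?:or|and)\b|\bunion\b.{0,40}\bselect\b|information_schema|--\s*$|/\*", re.I)
XSS_RE = re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.I)


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def triage(log_text):
    """Return one finding per request whose decoded query string matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m["target"])
        query = decode_fully(parts.query)
        kinds = []
        if SQLI_RE.search(query):
            kinds.append("sqli")
        if XSS_RE.search(query):
            kinds.append("xss")
        if kinds:
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": parts.path,
                             "status": int(m["status"]), "kinds": kinds, "query": query})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} {f['status']} {','.join(f['kinds'])}: {f['query']}")
```

A 500 response paired with an injection-shaped query string is worth prioritising, since an SQL error on a vulnerable page is often what an attacker uses to confirm the flaw and read back server and database version details.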
