Cyber Threat Actor: Hacker Buba
| Actor Type | Location | Known Incidents |
Criminal
|
Indonesia
|
2 incidents |
|---|
Profile
Hacker Buba, also known simply as Buba, is a threat actor whose aliases have appeared in open‑source reporting related to cyber extortion against financial institutions in the United Arab Emirates. The actor’s location has been referenced as Indonesia in some sources, though no definitive geolocation is confirmed in the material provided. Publicly available information indicates that Hacker Buba primarily targets banks and other financial entities, focusing on the UAE market while also expressing interest in collaborating with institutions in Qatar and Saudi Arabia. The stated strategic objective in the documented incidents is financial gain through extortion, specifically the demand for ransom payments in Bitcoin to prevent the release of stolen customer data.
Observed tactics, techniques, and procedures include gaining unauthorized access to a bank’s internal systems to exfiltrate confidential client information such as account statements, passport scans, and identity documents. The actor subsequently used the social media platform Twitter to leak portions of the stolen data, posting attachments and sending direct messages to victims to amplify pressure. After having an account suspended, Hacker Buba created a new Twitter identity to continue the disclosures, demonstrating a pattern of rapidly regenerating online personas. Communication with victims involved warning text messages and emails claiming control over their accounts, followed by the threatened publication of personal financial details. The ransom was demanded in Bitcoin, a decentralized digital currency, and the actor offered a percentage of the proceeds to third parties for cooperation. Analysts noted the use of international digital obfuscation tactics to hinder attribution, including inconsistent location indicators (e.g., a Twitter profile pointing to Hungary) and language variations in posts (Indonesian language alongside SMS sent from a UK‑based number).
The most prominently reported operation occurred in November 2015, when Hacker Buba breached a Sharjah‑based bank, extracted sensitive data, and demanded a $3 million Bitcoin ransom, threatening continual leaks unless paid. A subsequent incident in December 2015 involved the re‑distribution of previously stolen data from a UAE financial institution, which the actor repackaged and shared online despite the organization asserting that no new intrusion had taken place. No explicit links to state sponsors, criminal consortia, or larger affiliate networks have been established in the sources examined, and the actor’s affiliations remain unspecified beyond the individual moniker. These episodes constitute the primary publicly documented campaigns associated with Hacker Buba.
