Cyber Threat Actor: BlackShadow
| Actor Type | Location | Known Incidents |
Nation State
|
Iran
|
5 incidents |
|---|
Profile
BlackShadow is an alias used by an Iranianstate‑sponsored hacking group that has been publicly linked to the Pay2Key ransomware strain employed against Israeli targets. The group’s operational base is understood to be in Iran, and it has been described by Israeli cybersecurity officials as acting on behalf of state interests rather than purely criminal motives. The actors focus their efforts on Israeli entities across a range of sectors, including web hosting providers, insurance firms, car financing companies, public transportation services, broadcasters, travel agencies, and cultural institutions such as museums. While they have issued extortion demands payable in cryptocurrency, analysts assess that their primary strategic objective is retaliation and disruption of Israeli interests rather than financial gain, framing the activity as part of the broader Iran‑Israel cyber conflict. BlackShadow’s typical tactics involve announcing intrusions and leaking stolen data through Telegram channels, where they also post ransom notes and threaten to release additional information every 24 hours if payments are not made. The group exfiltrates diverse data types such as customer databases, email archives, scanned documents, passport images, audio recordings, and sensitive personal information from platforms serving LGBT communities. Their operations have been tied to the deployment of the Pay2Key ransomware family, indicating a tooling style that blends data theft with extortion‑oriented malware.
Notable publicly reported campaigns include the November 2020 breach of the Shirbit insurance company, during which the group demanded approximately 50 bitcoins and leaked documents, email PST files, scanned files, passport images, and audio recordings; the October 2021 attack on the Israeli hosting provider Cyberserve, which disrupted services for radio stations, museums, educational institutions, a public transportation firm, a broadcaster, a travel agency, and a children’s museum while exposing an LGBT platform’s user data; and the March 2021 intrusion into K.L.S. Capital Ltd, an Israeli car financing firm, where the group announced the compromise via Telegram and leaked dozens of personal customer documents. These incidents illustrate the group’s pattern of targeting Israeli organizations, leveraging Telegram for communication, and combining data leakage with cryptocurrency extortion to achieve disruptive, retaliatory aims.
