Cyber Threat Actor: hd2416
| Actor Type | Location | Known Incidents |
Hacker
|
Viet Nam
|
1 incident |
|---|
Profile
The threat actorknown by the alias hd2416 is associated with Vietnam, as indicated by the email address and Vietnamese‑language social media profiles linked to the individual. The actor came to public attention in February 2018 when three core domain names belonging to Newtek Business Services Corp. were hijacked, disrupting email services and stranding thousands of customer websites. During the hijack the attacker replaced the legitimate login portal webcontrolcenter[dot]com with a live chat interface, which could be used to intercept sensitive communications and credentials from users seeking assistance. This activity demonstrates a focus on credential harvesting through domain manipulation rather than the deployment of traditional malware.
The actor’s targeting appears to be directed at web‑hosting and managed technology service providers, as evidenced by the selection of Newtek—a firm that hosts over 100,000 business websites and provides IT, lending, HR and insurance solutions. The strategic objective observable from the incident is the interception of sensitive data such as email passwords and web credentials, achieved by presenting a fraudulent chat service in place of a genuine login page. The reported tactics include exploiting a previously disclosed vulnerability in the victim’s online operations, using a legitimate customer account to gain initial access, and subsequently transferring the hijacked domains to a Vietnamese registrar (inet.vn) to maintain control. No specific malware families or exploit kits are mentioned in the available sources; the primary tooling consists of domain registration manipulation and a live‑chat capture mechanism.
Attribution to the actor is based on the alias hd2416, the email [email protected], and the association with Vietnamese social networking profiles, which together point to an individual operating from Vietnam. No public sources link the actor to a state sponsor, criminal consortium, or larger hacking group. The Newtek domain hijacking remains the most notable and publicly reported operation attributed to hd2416, illustrating how a reported bug that went unanswered can be leveraged to seize critical infrastructure and harvest user credentials. The incident underscores the importance of timely vulnerability response and clear communication during domain disputes.
