Cyber Threat Actor: Evilnum
| Actor Type | Location | Known Incidents |
Criminal
|
—
|
0 incidents |
|---|
Profile
Evilnum operates as a financially motivated threat actor with documented activity targeting online auction platforms and related e-commerce sectors. The group gained visibility through the compromise of LiveAuctioneers' user database in June 2020, where attackers exfiltrated 3.4 million records containing personally identifiable information, hashed passwords, and social media profiles. This breach demonstrated Evilnum's focus on monetizing stolen credentials and personal data through underground forums, with decrypted passwords included in the sale to increase the dataset's black-market value. The intrusion vector involved exploitation of a third-party data processing partner, indicating the actor's reconnaissance of supply chain vulnerabilities within target ecosystems.
The LiveAuctioneers operation exemplifies Evilnum's consistent pattern of harvesting authentication credentials for resale and facilitating secondary attacks. CloudSEK's verification of U.S. and U.K. user data in the stolen records suggests deliberate targeting of English-speaking markets where auction platform users may have higher disposable income. While technical specifics of their intrusion methods remain undisclosed in public reporting, the forced password resets implemented by LiveAuctioneers imply that Evilnum compromised credential storage systems rather than solely exploiting application-layer vulnerabilities. The group's operational security practices appear sufficient to maintain persistent access for at least three weeks between initial compromise and breach disclosure.
No definitive attribution to state-sponsored entities or criminal alliances has been publicly established for Evilnum based on available reporting. Their activities align with specialized cybercriminal enterprises prioritizing financial gain over disruptive or destructive outcomes. The absence of ransomware deployment or destructive payloads in the LiveAuctioneers incident further distinguishes their approach from groups conducting double-extortion schemes. Security practitioners should monitor for credential-stuffing attacks and phishing campaigns leveraging the stolen LiveAuctioneers data, particularly against users with cryptocurrency or financial service affiliations given the actor's profit-driven objectives.
