
Cyber Threat Actor: Sanadodeh Nesheiwat

Actor Type: Criminal
Location: United States of America
Known Incidents: 4 incidents
Profile

Sanadodeh Nesheiwat, also known by the alias associated with the Xbox Underground hacking ring, is an individual linked to a cybercriminal group that operated primarily from the United States; Nesheiwat resided in Washington, New Jersey. The actor is part of a collective that included Nathan Leroux, David Pokora, and Austin Alcala, all of whom were charged in a federal indictment unsealed in April 2014 for activities spanning from January 2011 to March 2014. The group’s activities were publicly attributed to the Xbox Underground moniker, a label used by prosecutors to describe the coordinated intrusions carried out by the defendants. No state sponsorship or foreign government nexus has been identified in the available sources, and the affiliation is limited to the criminal consortium formed by the four individuals and an additional Australian suspect.

The collective’s targeting focused on technology and defense sectors, specifically infiltrating the networks of major gaming and software companies such as Microsoft, Epic Games, Valve, and Zombie Studios, as well as the United States Army. Their strategic objective, as evidenced by the stolen assets, was the exfiltration of unreleased software, source code, pre‑release video game titles, and military training systems, including Apache helicopter simulation tools, with the intellectual property valued between $100 million and $200 million. The primary initial access vectors described in the reports were SQL injection attacks and the use of compromised employee credentials, including usernames and passwords obtained from software development partners. No specific malware families or custom tooling are mentioned in the source material, indicating that the group relied on credential theft and web‑application exploits rather than sophisticated malware deployment.

Notable operations attributed to the group include the sustained intrusion into the networks of Microsoft and related partners, the extraction of pre‑release copies of games such as Call of Duty: Modern Warfare 3 and Gears of War 3, and the theft of military training technology used by the Army. These intrusions resulted in multiple charges, including conspiracy to commit computer fraud, copyright infringement, wire fraud, mail fraud, identity theft, and theft of trade secrets. Two members, David Pokora and Sanadodeh Nesheiwat, pleaded guilty to conspiracy to commit computer fraud and copyright infringement and faced potential sentences of up to five years in prison. The case also led to charges against an Australian associate, underscoring the transnational reach of the conspiracy while the core actors remained based in the United States. The legal proceedings highlighted the financial and operational impact of the thefts, reinforcing the characterization of the activity as financially motivated intellectual property theft rather than espionage or disruption.

Incidents
4 incidents
Sources
1 source