Cyber Threat Actor: Rescator
| Actor Type | Location | Known Incidents |
Criminal
|
Ukraine
|
1 incident |
|---|
Profile
Rescator is the alias used by a Ukrainian hacker who gained notoriety for operating an underground marketplace that specialized in the sale of stolen credit card data. The individual behind the alias is publicly suspected to be Andrey Hodirevski, although his direct involvement in the hacking activities has not been confirmed. Rescator’s operation was based in Ukraine and functioned as a platform where compromised payment card information could be bought and sold, primarily using Bitcoin for transactions without escrow protections. The marketplace allowed purchasers to search for stolen cards by geographic criteria, facilitating targeted fraud against victims in specific regions.
The actor’s primary focus was the retail sector, as evidenced by the linkage of the marketplace to major breaches affecting Target, Home Depot, and Sally Beauty. By offering stolen card data from these incidents, Rescator’s strategic objective was financial gain through the resale of compromised payment information. The tactics observed included maintaining a carding forum where millions of card details were uploaded, enabling users to filter and purchase cards based on location, and processing payments directly in Bitcoin to avoid traditional financial oversight. No specific malware families or initial access vectors are described in the available sources, so the profile is limited to the marketplace‑centric TTPs that are explicitly referenced.
Attribution to a state sponsor or a larger criminal consortium is not established in the public record; the only connection noted is the unverified suspicion linking the alias to Andrey Hodirevski. The most significant publicly reported operation associated with Rescator is the operation of the underground marketplace that monetized the stolen credit card data from the Target, Home Depot, and Sally Beauty breaches, which served as a representative example of the actor’s impact on the retail payment card ecosystem. This activity illustrates how the actor leveraged a specialized trading platform to convert large‑scale data theft into illicit profit, without any indication of espionage or disruptive intent beyond financial fraud.
