Cyber Threat Actor: Cashaa Hackers
| Actor Type | Location | Known Incidents |
Criminal
|
India
|
1 incident |
|---|
Profile
The threat actor is known by the alias Cashaa Hackers. Public reporting associates the group with operations originating from east Delhi, India. The alias emerged in connection with a specific cryptocurrency theft incident in 2020. No other aliases have been documented in open sources. The actor’s activity to date has been limited to this reported event.
The actor’s targeting has been observed against a cryptocurrency exchange based in the United Kingdom. The incident involved the deployment of malware that triggered unauthorized transfers when an employee accessed the exchange’s system. Additionally, the actors used a compromised Blockchain.com wallet to execute two separate Bitcoin withdrawals. The initial access vector appears to involve compromise of an employee workstation, though the exact method is not disclosed. Their tooling consists of unspecified malware and the misuse of wallet credentials.
Attribution in open sources points to individuals located in east Delhi, India, as the suspected operators. No public evidence links the actor to a state sponsor or a larger criminal consortium. The most notable campaign occurred on July 10, 2020, when over 336 Bitcoin were stolen from the exchange. Following the theft, the exchange halted all withdrawals and filed a cybercrime report with Indian authorities. To impede further movement of the funds, the exchange shared the associated Bitcoin address and coordinated with platforms such as WazirX and Binance to monitor and restrict suspicious transactions. This event remains the sole publicly documented operation attributed to the Cashaa Hackers alias.
