Menu
Browse

Cyber Threat Actor: l1kw1d

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Sensationalist
China
2 incidents
Profile

The threat actor is known by the aliases l1kw1d and C0d3c1t4d3l. Open‑source reporting associates the actor with China, although no further geographic detail has been made public. The actor first came to attention through a series of credential‑dumping incidents that were disclosed in 2015. These incidents show a pattern of compromising web‑based services and extracting user account information that was stored in plain text. The actor’s activity is limited to the publicly reported events; no additional campaigns or operational infrastructure have been attributed to them in the available sources. The aliases appear to be used interchangeably across the different incidents, suggesting a single individual or a tightly coordinated group operating under multiple handles. No public statements or legal actions have linked the actor to a specific state sponsor, criminal syndicate, or ideological motive. The available information does not describe any malware families, exploit kits, or specific tools employed in the breaches. Consequently, the profile is confined to the confirmed identifiers, location hint, and the two disclosed data‑theft events.

On August 6, 2015, the alias l1kw1d was linked to a breach of itembay.ca, a website described as an online game virtual currency provider. The attacker obtained 4,330 usernames accompanied by their clear‑text passwords and subsequently released the data. On December 16, 2015, the alias C0d3c1t4d3l was associated with a compromise of keepyourlinks.com, resulting in the exposure of 4,586 usernames and their corresponding plain‑text passwords. Both incidents involved the theft of credential sets that were not encrypted, allowing immediate reuse of the compromised accounts. The disclosed summaries do not detail the initial access vector, any persistence mechanisms, or post‑exploitation activity beyond the data dump. No further technical details such as malware signatures, command‑and‑control infrastructure, or exploitation techniques have been published in relation to these events. The actor’s known activity is therefore limited to these two credential‑harvesting operations, with no additional publicly reported attacks or associated tooling attributed to l1kw1d or C0d3c1t4d3l beyond what is outlined here.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
0 sources