Menu
Browse

Cyber Threat Actor: TeaMp0isoN

Actor Type Location Known Incidents
 Icon
Sensationalist
Spain
5 incidents
Profile

TeaMp0isoN is a hacking group identified by that alias, with some open‑source references noting a possible location in Spain. The actors have become known for compromising web‑based forums, blogs and management portals, often leaving a defacement page after gaining access. Their activity has been reported from at least 2015 through 2016. They rely on weaknesses in web applications rather than deploying custom malware. Public statements from the group indicate they do not seek financial profit from the data they obtain.

Targets have included a managed security service provider, an agency of the United Nations, a gaming community forum and a legacy blog‑forum platform. In the Time Warner Cable Business Class breach the group explicitly stated they had no intention to sell or monetize the stolen database. When contacted about the UN World Tourism Organization incident a member remarked that they had previously owned UN systems in 2011 and felt it was right to target them again. The compromised Trillian blog and forum server contained only archival user data, and the actors noted that the information was several years old, reducing its immediate value. No public communications from the group have described a desire for monetary gain.

The group's recurring technique is the use of SQL injection to gain initial access to backend databases, as seen in the attacks on the Time Warner Cable portal, the UNWTO forum and the Minecraft Pocket Edition site. In the Trillian blog and forum breach they exploited a vulnerability in the vBulletin deployment to reach WordPress content and associated databases. After obtaining access, they routinely dumped the contents online and left a defacement page claiming responsibility. No references to specific malware families, ransomware or exploit kits appear in the reported incidents. Their tooling style therefore relies on web‑application exploits and simple data‑exposure tactics.

Representative operations include the February 2016 breach of Time Warner Cable Business Class, which exposed roughly 4,200 customer records containing usernames, email addresses and encrypted passwords. The February 2016 attack on the United Nations World Tourism Organization yielded a dump of 1,524 forum members’ usernames, email addresses and MD5‑hashed passwords, accompanied by a visible site defacement. In May 2015 the group compromised the Minecraft Pocket Edition forum, releasing more than 16,000 user records that included usernames, salted password hashes, email addresses and some birthdates. A July 2016 incident affected a retired Trillian blog and forum server, where outdated salted MD5 hashes and email addresses were taken from vBulletin‑based databases before the server was taken offline for forensic analysis.

Incidents
Attributed incidents available to members
5 incidents
Sources
Sources available to members
2 sources