Cyber Threat Actor: John Wick
| Actor Type | Location | Known Incidents |
Criminal
|
South Korea
|
4 incidents |
|---|
Profile
The threat actor known publicly as John Wick also operates under the aliases Korean Hackers and Team Johnwick, with a reported base of operations in South Korea. Their activity has been observed targeting media organizations, streaming platforms, technology‑focused startups, and software supply chains, primarily affecting entities in India and broader Asian markets. Observed objectives include extracting financial compensation through demands for Ethereum donations, direct monetary contributions, and cryptocurrency ransoms, as well as attempting to refute allegations of involvement in unrelated cyber incidents by compromising communication channels and spreading counter‑claims.
Typical tactics involve compromising trusted software distribution channels to insert trojanized components, as seen in the 2023 supply chain attack on 3CX where stolen employee credentials were used to breach build environments and distribute backdoored Windows and macOS clients that deployed remote access tools. In other operations the actor has gained unauthorized access to corporate code repositories and internal systems, exfiltrated source code, user databases containing emails, mobile numbers, encrypted passwords, and transaction records, and threatened to leak or sell the stolen data unless payment was received. They have also leveraged compromised social media accounts, such as the Indian Prime Minister’s Twitter account, to broadcast messages and have used platforms like PasteBin and Bitbucket to share proof of intrusion and host leaked material. Tooling observed includes remote access trojans, custom backdoors for persistent access, and the use of legitimate services for data staging and communication.
Attribution assessments remain limited; while the 3CX incident was publicly linked to suspected North Korean actors, the actor’s self‑identification as Korean Hackers and the stated location in South Korea do not constitute a confirmed state nexus. No explicit ties to criminal consortia or other threat groups have been documented in the available sources. The actor’s known campaigns include the 3CX supply chain compromise, the alleged breach of the ZEE5 streaming service involving approximately 150 GB of subscriber data and source code, the intrusion into an Asian technology‑focused media company that resulted in the theft of user information and source code, and the series of actions targeting Indian news outlets and governmental social media accounts to dispute attribution of separate cyber events. These incidents demonstrate a pattern of financially motivated intrusions combined with reputation‑management efforts through unauthorized communications.
