Cyber Threat Actor: DragonForce
| Actor Type | Location | Known Incidents |
|---|---|---|
| Activist | Malaysia | 7 incidents |
Profile
DragonForce, also known as DragonForce Malaysia, is a threat actor whose activities span several years and include disruptive denial-of-service attacks and data theft operations. The group's name appears in connection with incidents targeting diverse sectors across different regions, with a notable focus on Israeli entities. Publicly reported operations show a pattern of the group claiming responsibility for breaches and leaks, usually accompanied by political messaging aligned with pro-Palestinian and anti-Israel sentiments. The "Malaysia" moniker in one alias suggests a geographic connection or origin point for some participants, though the actor's full structure and base of operations remain unspecified in available information. Their activities are documented from at least 2021 through 2025, indicating a sustained operational period.
The actor's typical targeting includes financial institutions, educational platforms, and government-related data holdings, with a strategic emphasis on disruption and data exposure rather than stealthy financial theft. In several incidents in June 2021, DragonForce launched distributed denial-of-service (DDoS) attacks against Israeli banking websites, aiming to overwhelm public-facing infrastructure and cause service interruptions. In the same period, the group exfiltrated and published personal data, including records of hundreds of thousands of Israeli students from the AcadeME recruitment platform and a separate file purportedly containing student information. A 2023 incident involved the theft and dark web publication of sensitive citizen data from the German city of Baden, including financial records and personal details; access was obtained by exploiting an older, unpatched vulnerability to reach a database backup. More recently, a 2025 ransomware-style attack on Vercoe Insurance Brokers resulted in the claimed exfiltration of over 60 gigabytes of data, blending extortion rhetoric with data theft claims. Across these operations, the primary objectives appear to be causing public disruption, embarrassing targeted organizations or nations, and propagating a political narrative through data leaks, rather than direct financial gain from ransom payments or theft.
Notable tactics, techniques, and procedures (TTPs) referenced in reports include high-volume DDoS attacks against external websites, with traffic peaks around 200 megabits per second. That volume is small compared with large-scale volumetric attacks, but it is enough to saturate a modestly provisioned uplink or overwhelm an unprotected web tier and cause the slowdowns reported. The actor frequently follows an intrusion with the public release of stolen data on dark web forums or via Telegram announcements to maximize visibility and impact. Initial access vectors are occasionally specified, such as the exploitation of an older vulnerability to compromise a backup system in the Baden incident; this is a reminder that database backups exposed through legacy, unpatched services are a target in their own right and should be covered by the same patching and access controls as the production database. The group's tooling is not described in terms of custom malware families; its operational approach combines network flooding with data exfiltration and publicity campaigns. There is no clear evidence in the available material of state sponsorship or integration into a larger criminal consortium. Instead, the actor's self-presentation and target selection align with a politically motivated hacktivist ethos, though the consistent use of data theft for leverage also introduces a criminal extortion dimension, as seen in the Vercoe Insurance case. One attribution caveat applies here: the DragonForce name is also used by an unrelated ransomware-as-a-service operation that emerged in 2023, so reports of ransomware-style extortion under this name should be checked to confirm which group is meant before being folded into this profile. Significant campaigns include the coordinated June 2021 attacks on Israeli banks and student data platforms, which combined DDoS with data leaks, and the 2023 breach of Baden's administrative data, demonstrating an ability to compromise government-associated systems. These operations collectively illustrate a focus on high-profile, symbolic targets within Israel and, to a lesser extent, other Western entities, using accessible methods to achieve disruptive and propagandistic ends.
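The DDoS volumes cited above are the kind of signal a network monitoring pipeline can flag directly from flow data. The following is an added example, not part of the original profile or any DragonForce tooling: it buckets constructed flow records into per-destination bytes per second, converts to megabits per second, and raises an alert only when throughput to one host stays above a threshold for several consecutive seconds, so a single-second spike does not page anyone. The destination addresses, the 150 Mbps threshold (set below the roughly 200 Mbps peak the reports describe), the three-second persistence requirement, and all flow records are assumptions constructed for illustration.

```python
"""Added example (not from the original profile): flag sustained volumetric
floods against a public-facing host from constructed flow records.

Each record is (timestamp_seconds, dst_ip, bytes). Bytes are bucketed per
destination per whole second and converted to Mbps; a destination is flagged
when it stays at or above MBPS_THRESHOLD for SUSTAINED_SECONDS consecutive
seconds. Hosts, thresholds and records are all assumed/constructed values.
"""
from collections import defaultdict

MBPS_THRESHOLD = 150.0   # assumed alert threshold, below the ~200 Mbps peak reported
SUSTAINED_SECONDS = 3    # assumed: require consecutive seconds to suppress one-off spikes


def bucket_mbps(records):
    """Return {dst: {second: mbps}} from (ts, dst, bytes) flow records."""
    byte_buckets = defaultdict(lambda: defaultdict(int))
    for ts, dst, nbytes in records:
        byte_buckets[dst][int(ts)] += nbytes
    return {
        dst: {sec: b * 8 / 1_000_000 for sec, b in secs.items()}
        for dst, secs in byte_buckets.items()
    }


def find_floods(records, threshold=MBPS_THRESHOLD, sustained=SUSTAINED_SECONDS):
    """Return [(dst, start_sec, end_sec, peak_mbps)] for each sustained flood.

    Seconds with no traffic count as 0 Mbps so a gap ends a run; the loop
    goes one past the last observed second so a run ending at the tail is
    still closed and evaluated.
    """
    alerts = []
    for dst, per_sec in bucket_mbps(records).items():
        lo, hi = min(per_sec), max(per_sec)
        run_start, run_peak = None, 0.0
        for sec in range(lo, hi + 2):
            mbps = per_sec.get(sec, 0.0)
            if mbps >= threshold:
                if run_start is None:
                    run_start, run_peak = sec, mbps
                else:
                    run_peak = max(run_peak, mbps)
            elif run_start is not None:
                if sec - run_start >= sustained:
                    alerts.append((dst, run_start, sec - 1, round(run_peak, 1)))
                run_start, run_peak = None, 0.0
    return alerts


def sample_records():
    """Constructed flow records (not real telemetry): one web host under a
    six-second flood on top of a 5 Mbps baseline, and a second host with a
    single-second spike that must not alert."""
    recs = []
    for sec in range(15):
        # baseline for host A: 5 flows x 125 kB = 625 kB/s = 5 Mbps
        for _ in range(5):
            recs.append((sec + 0.1, "203.0.113.10", 125_000))
    for sec in range(5, 11):
        # flood on host A: 25 flows x 1 MB = 25 MB/s = 200 Mbps extra
        for _ in range(25):
            recs.append((sec + 0.5, "203.0.113.10", 1_000_000))
    for sec in range(15):
        # host B baseline: 2 Mbps
        recs.append((sec, "203.0.113.20", 250_000))
    # host B: one 40 MB second (~322 Mbps) that lasts a single bucket
    recs.append((7.3, "203.0.113.20", 40_000_000))
    return recs


if __name__ == "__main__":
    for dst, start, end, peak in find_floods(sample_records()):
        print(f"ALERT {dst}: {peak} Mbps peak, sustained seconds {start}-{end}")
```

Against the constructed data this reports one alert for 203.0.113.10 covering seconds 5 through 10 at a 205 Mbps peak, and nothing for 203.0.113.20, whose spike lasts one second. In production the threshold belongs relative to each host's measured baseline rather than a fixed number, and the same bucketing can be fed from NetFlow/IPFIX or a load balancer's per-second byte counters.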
