Menu
Browse

Cyber Threat Actor: CryTox

Actor Type Location Known Incidents
 Icon
Criminal
Germany
1 incident
Profile

The threat actor operates under the alias CryTox.
The actor’s location is reported as Germany.
No additional aliases or alternative names have been publicly associated with CryTox.
The actor first came to public attention through a ransomware incident involving its eponymous malware in June 2023.

In that incident, CryTox targeted SoftProject GmbH, a German provider of Software as a Service solutions.
The victim’s platform supports BiPRO services that facilitate data exchange between insurance brokers and insurers.
This indicates the actor’s focus on a service provider operating within the insurance‑technology sector in Germany.
The attack disrupted the victim’s SaaS offering, affecting the BiPRO services relied upon by its brokers and insurer clients.

CryTox deployed its eponymous CryTox malware to encrypt part of the victim’s application landscape.
The encryption resulted in a ransomware event that rendered systems unavailable.
Public details do not disclose the initial access vector used by the actor in this compromise.
Following the encryption, the victim took affected systems offline and engaged a crisis management team to restore operations and improve security controls.

No public attribution links CryTox to a specific state sponsor, criminal consortium, or larger cybercrime group.
The actor has not been associated with any known malware families beyond the CryTox ransomware itself.
Consequently, CryTox is presently described as an independent or loosely affiliated ransomware operator based on available information.

The June 26, 2023 ransomware attack on SoftProject GmbH represents the only publicly documented operation attributed to CryTox to date.
The incident was reported to relevant authorities and prompted the victim to seek external crisis management assistance.
No further campaigns or additional victims have been linked to CryTox in open sources.
As a result, the actor’s activity remains limited to this single reported case in the threat landscape.
Continued monitoring is required to determine whether CryTox will emerge in future incidents.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources