Cyber Threat Actor: Rex Mundi
| Actor Type | Location | Known Incidents |
Criminal
|
France
|
6 incidents |
|---|
Profile
Rex Mundi isa hacker group known by that alias and has been associated with operations originating from France. The actors describe themselves as financially motivated extortionists who target organizations they claim have mediocre IT security or poorly‑designed web applications. Their observed victims span several sectors, including financial institutions such as a Belgian loan company and a Geneva‑based bank, employment and recruitment services like a French temporary work agency, consumer‑facing businesses such as Domino’s Pizza outlets in Belgium and France, and IT‑hosting providers exemplified by the Belgian firm AlfaNet. Geographically, the group’s activity has been recorded in Belgium, France, and Switzerland, reflecting a focus on Western European targets where they have successfully exfiltrated personal data sets ranging from tens of thousands to over six hundred thousand records.
The group's tactics involve gaining unauthorized access to victim servers, often through exploitable web applications, and then extracting databases containing names, addresses, phone numbers, email addresses, and user‑generated passwords. Proof of compromise is typically demonstrated by posting a banner on the breached website and sharing partial data samples on social media platforms such as Twitter, where they operate under handles like @rexmundi15. After obtaining the data, Rex Mundi contacts the victim with a ransom demand—amounts observed have ranged from €15,000 to €30,000—threatening to release the full dataset publicly if payment is not made. They claim to delete the stolen information upon receipt of payment and state they do not confirm whether previous targets have paid. Communication includes announcements on Twitter, provision of download links to dark‑web sites for the leaked data, and follow‑up messages highlighting the victim’s delayed response. No specific malware families or custom tooling are mentioned in the available sources, with the emphasis placed on exploiting weak web defenses and conducting straightforward data exfiltration.
Public attribution does not link Rex Mundi to any state‑sponsored program or known criminal consortium; the group remains unattributed beyond its self‑identified alias and the locations inferred from its victims and statements. Notable campaigns that illustrate their pattern include the 2014 Domino’s Pizza breach affecting over 650,000 customer records across Belgium and France, the 2015 Belgian loan company incident involving 24,000 financial records, the 2015 French employment agency leak of roughly 24,000 applicant profiles with associated passwords, and the 2015 Geneva bank extortion attempt targeting 30,000 customer records. These examples demonstrate the group’s repeated use of data‑theft for monetary extortion across multiple industries and jurisdictions.
