Menu
Browse

Cyber Threat Actor: Bozkurtlar

Aliases: 4 aliases
Actor Type Location Known Incidents
 Icon
Activist
Turkey
9 incidents
Profile

The threat actor known by multiple aliases including Bozkurt, Bozkurtlar, Loups gris, Grey Wolves, Jonturk75, Bozkurt Hackers, RootDevilz and Bozkurt97 has been observed operating from Turkey, as indicated in open‑source reporting. The group first gained attention in mid‑2015 when it defaced the UNICEF India website using the handles RootDevilz, Jonturk75 and Bozkurt97, posting a political message that criticized several nations and international bodies. Since then the actor has been linked to a series of data‑exfiltration incidents targeting financial institutions across Asia, the Middle East and Africa, with the bulk of the activity occurring in May 2016.

The actor’s targeting appears focused on two sectors: banking and humanitarian or non‑governmental organizations. In the banking sector the group compromised customer transaction records, credentials, contact information and internal files such as PHP scripts, financial reports and server backups, indicating a financially motivated objective of data theft for potential fraud or resale. In the UNICEF India incident the actor’s stated aim was to publicize grievances against specific governments and organizations, demonstrating a secondary objective of political disruption or propaganda. No explicit espionage motive is documented in the supplied material.

Technically, the group repeatedly exploited SQL injection vulnerabilities to gain initial access to bank databases, employing a tool referred to as Hajiv to automate the injection and exfiltration process. The defacement of the UNICEF India site involved altering web content, suggesting capability in web‑application manipulation beyond pure data theft. Attribution to a state sponsor is not asserted in any of the sources; the actor is described only as Turkey‑based with no confirmed links to governmental entities or larger criminal consortia. Representative campaigns include the May 2016 wave in which six banks — The City Bank, Trust Bank, Business Universal Development Bank, Sanima Bank, Dutch Bangla Bank and the Commercial Bank of Ceylon — were allegedly breached, with data leaks ranging from kilobytes to several gigabytes, and the August 2015 UNICEF India website defacement that was later restored. Additionally, the actor claimed responsibility for a December 2015 leak of InvestBank UAE data, although forensic analysis indicated the material was recycled from an earlier breach. These incidents collectively illustrate the actor’s pattern of using SQL injection for financial data theft and occasional web defacement for political messaging.

Incidents
Attributed incidents available to members
9 incidents
Sources
Sources available to members
6 sources