Menu
Browse

Cyber Threat Actor: MrNervous

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
Russia
12 incidents
Profile

The threat actor known as MrNervous, also using the alias WhiteHatMrNervous, has been linked to a data breach involving Flight Centre Travel Group in February 2014. The actor is reported to be based in Russia. The incident began with the exploitation of a SQL injection vulnerability in the Parallels Plesk software used by the victim. This initial access allowed the actor to obtain complete system database access and extract multiple data sets. The compromised information included staff accounts with login credentials, travel club member details, wedding registration records, and shop staff accounts that contained plaintext passwords. After gaining access, the actor attempted to extort the company by demanding a payment of five thousand United States dollars for disclosure of the vulnerability. When no response was received within one day, the actor published the stolen databases on various file hosting services, a blog, and pastebin sites. The leaked data remained publicly accessible for several weeks before being widely reported. The actor’s use of SQL injection as the primary entry point represents a consistent technical pattern observed in this operation. No malware families or additional tooling are described in the available sources.

The actor publicly stated that the breach was motivated by retaliation against Flight Centre Travel Group for issuing DMCA takedown notices on earlier vulnerability disclosures. According to the actor’s own statements, the goal was to pressure the organization to address its security shortcomings and to discourage legal actions against individuals who test systems for weaknesses. In addition to the extortion demand, the actor leaked the data to shame the company and warned customers that their personal information could be exposed online. The actor further claimed that the leak would cause customers to reconsider using the company’s services and suggested they might pursue lawsuits if their data appeared in the release. These statements indicate a mixed objective that combines financial gain through extortion with a desire to deter perceived abusive legal practices. No connections to state sponsors, criminal syndicates, or broader hacking groups are mentioned in the referenced material. The actor’s self‑description as a “whitehat” hacker contrasts with the extortion and public data release tactics employed. The Flight Centre Travel Group incident remains the only publicly documented operation attributed to MrNervous or WhiteHatMrNervous in the supplied sources. Consequently, the profile is limited to the observed SQL injection vector, the extortion attempt, and the articulated motivations tied to DMCA notices and vulnerability testing. No further details about subsequent activities, tooling evolution, or geographic scope are available from the provided information.

Incidents
Attributed incidents available to members
12 incidents
Sources
Sources available to members
9 sources