Menu
Browse

Cyber Threat Actor: nclay

Actor Type Location Known Incidents
 Icon
Criminal
India
2 incidents
Profile

The threat actor known by the alias nclay has been linked to the sale of stolen user data on dark web marketplaces. Public records indicate the actor may be based in India, though no definitive location is confirmed. The alias appeared in two separate incidents in early 2017 involving large‑scale data thefts. In both cases the actor advertised the compromised databases for sale and provided samples to verify authenticity.

The actor’s observed targets include online food‑delivery services and educational technology platforms, suggesting a focus on consumer‑facing applications that hold large volumes of personal data. The primary motive evident from the postings is financial, as the stolen datasets were offered for prices exceeding one thousand US dollars. In the Zomato case the actor claimed to have accessed 17 million user records containing email addresses and hashed password values. For Edmodo the actor asserted possession of approximately 77 million account records, of which about half included email addresses.

Details about the actor’s tools or malware are not described in the available sources. The Zomato breach was characterized as an internal human security breach, specifically a compromised employee development account that allowed unauthorized data extraction. No information is provided about the initial access vector used against Edmodo, nor about any custom malware, exploit kits, or persistence mechanisms employed by the actor. Consequently, the only confirmed tactic is the abuse of legitimate credentials to exfiltrate data, followed by its advertisement on underground markets.

No public attribution ties nclay to a state‑sponsored group or a known criminal consortium, and the actor’s affiliations remain unspecified in the reporting. The two campaigns highlighted above are the only publicly reported operations associated with the alias, representing notable incidents in the food‑delivery and education sectors. These events illustrate the actor’s capability to acquire large datasets and monetize them through dark web channels.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
2 sources