Cyber Threat Actor: The Dark Overlord
| Actor Type | Location | Known Incidents |
Criminal
|
United States of America
|
29 incidents |
|---|
Profile
The threat actor known as TheDarkOverlord, also abbreviated as TDO, operates primarily from the United States of America and has been active since at least 2016. The group uses the aliases TheDarkOverlord and TDO in its communications and has claimed responsibility for a series of intrusions that involve data theft followed by extortion attempts. Public reporting consistently describes the actor as a criminal collective focused on monetary gain rather than state‑sponsored espionage, with multiple sources noting that the actors demand payment in Bitcoin to prevent the release or sale of stolen information.
The actor’s targeting pattern, as evidenced by the provided incidents, spans several sectors and geographic regions. Healthcare organizations appear frequently, including plastic surgery clinics in Arizona and London, eye‑care associates, rehabilitation specialists, and cancer services. Educational institutions such as school districts in Montana and Connecticut have also been victimized. The group has struck law firms handling high‑profile litigation, notably those involved in September 11‑related insurance claims, as well as professional employer organizations, maritime staffing firms, and entertainment studios in Hollywood. While the actor’s base is noted as the United States, victims have included entities in the United Kingdom and the Caribbean, indicating a transnational reach.
Observed tactics, techniques and procedures include the exploitation of weak or default credentials—such as administrative passwords like “12345” or “CiP@12345”—to gain initial footholds within victim networks. After gaining access, the actors exfiltrate sensitive data, which they then threaten to release unless a ransom is paid. In several cases they have followed through on threats by publishing sample data on dark web forums, providing decryption keys incrementally, or outright deleting and overwriting data with pseudo‑random patterns to impede recovery. Communication tactics involve the use of Pastebin to share proof‑of‑concept files, Twitter accounts to issue threats and taunt victims, and direct email or chat messages to negotiate payment. The actors have also claimed to offer stolen data for sale on illicit marketplaces and have attempted to extort individuals named within the stolen documents for additional payments.
Representative campaigns highlighted in the source material include the 2018 breach of a law firm handling September 11 litigation, where the group threatened to release approximately 18,000 files tied to insurers such as Lloyd’s of London and Silverstein Properties; the 2018 ransom attempt against an Arizona plastic surgery center that resulted in the leak of patient photos and medical dictations after the victim refused to pay; the 2018 compromise of a California‑based professional employer organization that led to the exfiltration of thousands of employee files and the wiping of server data; and the 2018 intrusion into Caribbean Island Properties, where the actors deleted the victim’s data after the firm attempted to disrupt the exfiltration. Additional notable incidents involve the theft of a Hollywood studio’s client database, the leak of unreleased television episodes after a failed extortion demand against Netflix, and the targeting of maritime staffing firms and school districts. Collectively, these examples illustrate a pattern of financially motivated data theft and extortion that relies on credential abuse, data leakage threats, and public pressure tactics.
