Menu
Browse

Cyber Threat Actor: Saint Bear

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
Russia
0 incidents
Profile

The threat actor known by the aliases Saint Bear and Saint is believed to operate from Russia and has been observed using the online handle USDoD in cybercriminal activities. This actor came to public attention in December 2022 when they offered for sale the user database of the U.S. Federal Bureau of Investigation’s InfraGard program on the English‑language cybercrime forum Breached. The InfraGard program links private‑sector critical‑infrastructure owners with the FBI for threat‑information sharing, making its membership list a valuable target for those seeking detailed contact information on individuals in sectors such as finance, energy, telecommunications, healthcare and manufacturing.

The actor’s initial access to InfraGard was achieved by submitting a fraudulent membership application that incorporated the genuine name, Social Security Number, date of birth and contact details of a chief executive officer at a major U.S. financial corporation. By controlling an email address associated with the fabricated application while retaining the CEO’s real mobile phone number, the actor satisfied the program’s multi‑factor‑authentication option that allowed a one‑time code to be delivered via email. Once the false account was approved, the actor exploited an internal application programming interface (API) that facilitates member communication, enlisting a friend to write a Python script that queried the API and extracted all available user data, including names and any available email addresses. The harvested information was then advertised for sale at a price of approximately $50,000, with the actor noting that the asking price was intentionally set high to leave room for negotiation.

Beyond data theft, the actor sought to leverage the trusted InfraGard account for further interaction, attempting to send direct messages through the portal while posing as the CEO in order to engage other executives. The transaction was facilitated through the Breached forum, with the forum’s administrator Pompompurin acting as a guarantor via an escrow service intended to assure both buyer and seller. No explicit linkage to a state sponsor has been publicly established, and the actor’s activities appear financially motivated, centered on monetizing stolen data and abusing a compromised trusted account for additional social‑engineering outreach. The InfraGard breach remains the most notable operation attributed to this actor, illustrating a pattern of identity deception, API abuse and utilization of cybercrime‑forum infrastructure to conduct and monetize attacks against high‑value targets in the United States.

Incidents
Attributed incidents available to members
0 incidents
Sources
Sources available to members
1 source