Cyber Threat Actor: Arvin Club
| Actor Type | Location | Known Incidents |
Activist
|
Iran
|
2 incidents |
|---|
Profile
Arvin Club, also referred to as Arvin Club, is a threat actor that open‑source reports associate with Iran. The group’s known activity concentrates on the education sector in India, exemplified by the breach of a central government school chain that exposed students’ personally identifiable information. Rather than seeking financial gain through encryption ransomware, Arvin Club’s operations are directed toward exfiltrating data and publishing it publicly. The actor promotes a Persian‑language motto that translates to “Freedom to connect,” which appears in its Telegram posts and Onion site updates. This motto is presented as an ideological statement rather than a financial motive. Arvin Club maintains an official Telegram channel with roughly three thousand subscribers and additional chat groups where Persian is the dominant language. It also operates a Tor/Onion website whose first post dates to May 5 2021 and is used to share alleged breach details, memes, and updates. The group does not claim responsibility for the majority of incidents listed on its Onion site; analysts note that many of those entities were not actually compromised by Arvin Club. Its communications emphasize that it has never deployed ransomware encryption tools, and no ransomware samples or distinctive file‑locking extensions have been attributed to the group. Observers compare its modus operandi to that of the Bonaci group, which focuses on data theft and publication rather than file encryption. No specific malware families or proprietary tools have been publicly linked to Arvin Club’s arsenal.
In July 2021 some reports alleged a connection between Arvin Club and the Iranian government, but the group denied those allegations via a statement on its own website. Despite the denial, Arvin Club has publicly expressed support for the now‑disbanded REvil ransomware collective, for instance by posting a tongue‑in‑cheek meme after REvil members were arrested by the FBI. A concrete example of the group’s activity is the breach of the Kendriya Vidyalaya school network in India, occurring in May 2021 and again in September 2021, where student personally identifiable information was exfiltrated and leaked without any ransom demand. The leaked data was disseminated through the group’s Telegram channels and Onion site, illustrating its preference for public disclosure over monetization. These incidents collectively show that Arvin Club’s primary objective is to make breached information available rather than to profit from encryption‑based extortion.
