
Cyber Threat Actor: Mad Liberator

Actor Type: Criminal
Location: Italy
Known Incidents: 1 incident
Profile

Mad Liberator is a threat actor whose known location, if any, is Italy. The actor first appeared in public reporting in July 2024 after claiming responsibility for a ransomware operation targeting the Italian Ministry of Culture. In its claim, the group posted a message on its own data leak site and released sample files from directories named ACCORDI, DOCUMENTAZIONE, and FOTOGRAFIE to illustrate alleged data exfiltration. The actor asserted that it had encrypted the victim’s systems using a combination of AES and RSA cryptographic algorithms. Alongside the encryption notice, the group warned that the compromised data could trigger GDPR‑related penalties for the ministry. The warning also highlighted possible downstream risks such as fraud, social engineering campaigns, or competitive misuse of the stolen information.

Because the Ministry of Culture has not issued an official statement confirming the incident, the authenticity of the breach remains unverified. Earlier cyber‑security coverage notes that other ransomware operators, including LockBit, have previously struck the same governmental body, whereas Mad Liberator’s public claim record is comparatively limited. The details of the attack were first reported by RedHotCyber in an article published on July 17, 2024, which includes a direct link to the threat actor’s data leak site. The article notes that the group’s communication style mirrors that of other ransomware actors who use leak sites to pressure victims.

The observed tactics of Mad Liberator center on ransomware that employs AES and RSA encryption, the operation of a public leak site for extortion pressure, and the selective release of stolen data to substantiate claims. No further details regarding specific malware families, initial‑access vectors, command‑and‑control infrastructure, or post‑exploitation tooling have been made available in open sources. The public report does not disclose any indicators of compromise such as phishing emails, exploited vulnerabilities, or remote‑desktop exposure used to gain initial access. Additionally, the article does not attribute the activity to any known ransomware‑as‑a‑service program or affiliate network. Attribution efforts have not linked the actor to any state sponsor, criminal consortium, or affiliated threat‑group, and its activity to date is confined to the single reported campaign against the Ministry of Culture. Consequently, the threat‑actor profile is limited to the verified elements of the July 2024 incident described above.

Incidents
1 incident
Sources
0 sources