Cyber Threat Actor: Rey
| Actor Type | Location | Known Incidents |
Criminal
|
Romania
|
3 incidents |
|---|
Profile
Rey is the alias used by a hacker who has been publicly associated with operations originating from Romania. The actor has claimed affiliation with the HellCat ransomware group, although the sources note that the intrusion was not presented as an official HellCat operation. No other aliases or personal details have been disclosed in the available reporting. The actor’s location is consistently identified as Romanian based on the targeting of a Romanian telecommunications provider.
The actor’s known activity is limited to the telecommunications sector, specifically targeting Orange România, a major service provider in Romania. The attacks resulted in the exposure of employee, partner, contractor, and customer data, including email addresses and partial payment‑card information. By leaving a ransom note on the compromised systems, the actor demonstrated a financially motivated extortion objective, seeking payment in exchange for non‑disclosure of the stolen material. The claimed link to HellCat suggests an alignment with ransomware‑oriented criminal groups rather than state‑sponsored espionage.
Typical tactics observed in the reported incidents involve gaining initial access through compromised credentials and exploiting vulnerabilities in the Jira issue‑tracking platform. After establishing a foothold, the actor maintained undetected presence within the network for more than a month before conducting a focused data exfiltration effort lasting approximately three hours. The actor employed a ransom note as part of the extortion process and subsequently published the stolen data on a hacker forum when no response was received from the victim. No specific malware families or custom tooling are mentioned in the sources, with the emphasis placed on credential abuse and web‑application vulnerability exploitation.
The most representative operation attributed to Rey is the breach of Orange România, during which approximately 380 000 unique email addresses were exfiltrated alongside internal documents, source code, invoices, contracts, and partial payment‑card details, some of which had already expired. The incident also involved data from the Yoxo subscription service, affecting both current and former affiliates of the company. Despite the ransom note, Orange România did not engage in negotiation, leading to the public release of the information. This case illustrates the actor’s reliance on credential theft, web‑application flaws, and extortion‑driven data leaks as a core methodology.
