Cyber Threat Actor: UNC1756

Actor Type: Criminal
Location: (none listed)
Known Incidents: 0 incidents

Profile

UNC1756, operating under the alias 'Ryushi,' is a financially motivated threat actor known for large-scale data theft and extortion schemes targeting globally recognized platforms. This actor gained prominence in December 2022 by advertising the sale of private data belonging to 400 million Twitter users on the Breached hacking forum. The dataset—scraped in 2021 via a since-patched API vulnerability—included email addresses, phone numbers, public profile details, and associated metadata. Ryushi attempted to extort Twitter and Elon Musk by threatening GDPR-related regulatory penalties unless they purchased the data exclusively for $200,000, alternatively offering copies to multiple buyers at $60,000 per transaction.

The actor’s operations demonstrate a focus on exploiting API vulnerabilities to harvest private user information at scale. Technical analysis confirmed UNC1756 utilized the same flaw linked to an earlier 5.4 million-user Twitter breach: bulk phone numbers and email addresses were submitted to a Twitter API to retrieve the matching user IDs, which were then cross-referenced with public profile data. This method enabled the compilation of composite records blending private and public details. Leaked samples targeted high-profile individuals across politics, media, and business, with confirmed victims including U.S. politicians and celebrities. UNC1756 explicitly outlined how such data could fuel phishing, business email compromise (BEC) scams, and cryptocurrency fraud, indicating an understanding of its downstream criminal utility.

No state affiliation or collaborative ties were referenced in reporting, with tactics aligning more closely with opportunistic cybercriminal activity than espionage objectives. The actor communicated directly with journalists to amplify pressure on Twitter, suggesting comfort with public engagement. While the 400 million-user claim remains unverified, third-party analysts like Hudson Rock validated sample authenticity. This incident coincided with regulatory scrutiny of Twitter’s data protections, highlighting UNC1756’s awareness of legal and reputational leverage points in extortion attempts. The breach represents one of the largest known unauthorized data-scraping operations against social media platforms, underscoring persistent risks from API abuse even after vulnerability remediation.

Incidents: 0 incidents (attributed incidents available to members)
Sources: 5 sources (available to members)