Cyber Threat Actor: DoubleFlag
| Actor Type | Location | Known Incidents |
|---|---|---|
| Hacker | China | 6 incidents |
Profile
DoubleFlag is the alias used by a threat actor whose known location is China. The actor has been observed advertising and selling large collections of personal data on dark web marketplaces, receiving payment in Bitcoin. Targets have included telecommunications providers in the United States and a range of Chinese internet companies that operate email, search, gaming, social media and web portal services. The data offered for sale has consisted of user names, addresses, phone numbers and account credentials. No public reporting links DoubleFlag to a specific state sponsor or organized criminal consortium, and the actor’s activities have been described solely in terms of data theft and resale.
In January 2017 DoubleFlag posted a database allegedly containing 126 million U.S. Cellular customer records for $500 in Bitcoin, a claim that the carrier denied after an internal review. Beginning in October 2015 the actor promoted a series of breaches collectively labeled “The Big Asian Leak,” offering for approximately $800 in Bitcoin datasets that reportedly included 23.4 million Sohu accounts, over a billion NetEase credentials, 129.7 million Tencent QQ accounts, 31 million Sina accounts and 8.26 million Tom.com user records, among others. The advertisements described the stolen material as current and previously undisclosed, and the actor offered the combined collections alongside unrelated email service dumps. No technical details such as malware families, exploit tools or initial access vectors were disclosed in the sources, and no public attribution to a government or criminal group has been made. The actor’s known operations therefore consist of large-scale data exfiltration followed by direct sale on underground markets.
