Cyber Threat Actor: Uawrongteam
| Actor Type | Location | Known Incidents |
Criminal
|
—
|
1 incident |
|---|
Profile
Uawrongteam operates as a cybercriminal group primarily engaged in large-scale data theft for illicit financial gain. The collective’s activities center on breaching cloud infrastructure to extract sensitive customer and organizational data, which is subsequently monetized through underground forums. Their operations demonstrate a pattern of simultaneously targeting multiple organizations across geographically dispersed regions, as evidenced by their December 2021 campaign affecting entities in the United States and Australia. The group maintains operational consistency through its consistent use of the Uawrongteam alias in breach disclosures and forum postings, though no other known monikers have been publicly associated with their activities.
The threat actor focuses on commercial entities storing substantial volumes of personally identifiable information (PII) and authentication credentials, with confirmed victims spanning appointment scheduling services, media organizations, and software providers. Their compromise of a U.S.-based scheduling platform’s AWS cloud storage illustrates their technical capability to exploit misconfigured or vulnerable cloud environments, though specific initial access vectors beyond cloud breaches remain undocumented in available sources. The group strategically emphasizes the theft of driver’s license photographs and password hashes with salts in their data leaks, suggesting deliberate targeting of authentication materials that enable identity fraud and credential-stuffing attacks. While no explicit financial demands or ransomware deployment have been observed in their campaigns, the rapid appearance of stolen datasets on hacker forums aligns with conventional data brokerage models within the cybercriminal ecosystem.
Uawrongteam’s most significant confirmed operation occurred on December 23, 2021, when they breached three distinct organizations: a U.S. appointment scheduling service handling over 3.7 million accounts, an Australian racing media outlet, and a case management software provider. The attackers exfiltrated names, email addresses, phone numbers, partial credit card information, and driver’s license images while notably failing to access complete payment card details. This multi-national campaign demonstrated their capacity to execute parallel intrusions across diverse sectors, with all three breaches disclosed simultaneously through hacker forums containing similar data types. The group’s operational signature includes emphasizing the practical utility of stolen documentation for identity fraud, as seen in their forum communications highlighting the availability of government-issued identification materials alongside compromised credentials.
