Menu
Browse

Cyber Threat Actor: bRpsd

Actor Type Location Known Incidents
 Icon
Activist
Albania
3 incidents
Profile

The threat actor tracked underthe alias bRpsd has been active since at least 2015, with open‑source reports suggesting a possible connection to Albania. Public attributions link the name to a series of intrusions against online platforms that advertise illegal services such as hit‑for‑hire arrangements and drug‑planting offers, as well as against a more mainstream website, autolet.it. The actor’s pattern involves extracting data from compromised systems and then publishing that information publicly while accompanying the releases with messages that ridicule the victims’ security claims and question the legitimacy of their operations.

In each observed case the actor gained initial entry by exploiting SQL injection vulnerabilities in the target’s web application. After obtaining database access, bRpsd exfiltrated usernames, passwords that were frequently stored in clear text, internal chat logs, and, for the illicit service sites, details about purported fees, customer requests for drug‑planting jobs, and discussions of cryptocurrency wallet balances. The stolen material was then uploaded to file‑sharing services such as Files.fm and Siph0n, made freely downloadable, and accompanied by taunting notes that highlighted the failure of advertised protections like encrypted storage or self‑destruct mechanisms, provided working login credentials to demonstrate the breach, and in one instance included a file alleging that the hitman site was a scam rather than a genuine criminal enterprise.

Representative operations include the April 2016 breach of the Besa dark web portal, where the actor leaked operational data of the Albanian organized crime group known as Besa, exposing its hitman‑for‑hire service after first posting the dump to Files.fm and later seeing it propagate to Siph0n. A follow‑up incident in June 2016 saw bRpsd conduct another SQL injection against the BesaMafia hitman site, reproducing the same credential disclosure and public mockery; the leaked messages revealed admin claims of encrypted data and a self‑destruct system, discussions of service fees priced at $3,000, requests for cocaine‑planting jobs, and disputes over missing Bitcoin, while the actor supplied a file insisting the site was fraudulent. Earlier, in December 2015, the actor compromised autolet.it and dumped 2,716 records consisting of usernames and plain‑text passwords. These actions have repeatedly underscored weaknesses in the targeted sites’ defenses, contributed to public doubt about whether the underlying services are legitimate criminal ventures, elaborate scams, or possible law‑enforcement honeypots, and demonstrated how simple web‑application flaws can lead to the exposure of sensitive illicit‑market data.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
2 sources