Cyber Incident Victim: DarkSly
Date: Nov 2019
Location: Saudi Arabia
Summary
A self-proclaimed greyhat hacker using the alias "DarkSly" compromised automotive companies Hyundai and Jaguar/LandRover, exfiltrating sensitive customer data. The attacker claimed unauthorized access to Hyundai's systems, extracting approximately 550,000 records containing personal details such as full names, email addresses, bank information, monthly salaries, and phone numbers primarily from Saudi Arabian and Iraqi customers, though no passwords or credit card data were reportedly exposed. After attempting to negotiate a 1 BTC bug bounty in exchange for vulnerability disclosure and data deletion, Hyundai allegedly blocked further communication. Subsequently, DarkSly targeted Jaguar/LandRover, gaining database credentials and root certificate access across multiple regional branches, though specific data volumes were not detailed. The hacker threatened to release attack videos or sell the stolen data, maintaining persistent access to both companies' systems at the time of reporting.
Description
In mid-November 2019, an individual using the alias "DarkSly" compromised Hyundai's Saudi Arabian branch systems. On November 13, DarkSly tweeted screenshots indicating unauthorized access to Hyundai's customer databases after the company blocked his communications. The following day (November 14), he publicly disclosed details of approximately 460,000 customer records from Saudi Arabia and Iraq, expanding his claim to 550,000 records during subsequent communications with DataBreaches.net. The exposed data included full names, email addresses, cities, bank information, monthly salaries, and cellphone numbers, though no passwords or credit card details were present in the databases. DarkSly stated he initially sought a 1 Bitcoin bug bounty from Hyundai to disclose vulnerabilities, fix the security flaws, and delete the stolen data, but alleged the company ceased communications after initial contact. Forensic evidence suggested persistent access to Hyundai's systems weeks after initial compromise, with DarkSly claiming possession of source code that could enable future breaches due to weak development practices.

On December 8, 2019, DarkSly announced via Twitter that he had compromised Jaguar and LandRover systems across 11 countries including Saudi Arabia, Kuwait, UAE, Egypt, and Mexico, completing the intrusion within three hours. Screenshots posted showed database credentials and root certificates, though the tweet was later removed. The hacker stated he had not contacted either automaker prior to public disclosure and maintained ongoing access to their systems at the time of reporting. DataBreaches.net confirmed outreach to Jaguar/LandRover for verification but received no response. DarkSly characterized both incidents as opportunistic attacks on automotive targets, denying affiliation with the APT32/Ocean Lotus group that had been previously implicated in separate automotive sector breaches. No evidence emerged of data monetization or public release beyond the initial screenshots, though DarkSly threatened to sell information or publish attack videos.
