Cyber Incident Victim: City of Moore, Oklahoma
Date:
Mar 2015
Location:
United States of America
Summary
A hacker identifying as Bitcoin Baron breached the City of Moore's systems, planting malware and exfiltrating sensitive personnel information while demanding a ransom of 100 bitcoins to prevent exposure. The attacker claimed the intrusion was retaliation for the municipality's defense of police officers involved in a local legal case, subsequently disrupting the city's website to amplify pressure. Bitcoin Baron later clarified that compromised data involved government employee records rather than resident information, though operational disruptions persisted during the extortion attempt.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 3 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On March 15, 2015, an individual using the alias "Bitcoin Baron" publicly claimed responsibility for a cyber intrusion targeting the City of Moore, Oklahoma's computer systems. The attacker asserted they had successfully hacked into municipal networks, planted malicious software, and exfiltrated sensitive files described as "quite interesting" and presumably unwanted by city officials. Bitcoin Baron issued a ransom demand of 100 bitcoins in exchange for protecting the compromised data, though the specific valuation at the time was not disclosed in available reports. The attacker explicitly linked the intrusion to the city government's defense of two police officers connected to the Warren Theatre case, indicating a retaliatory motive. Evidence of system compromise included Bitcoin Baron's social media post showing the city's official website (cityofmoore.com) in an offline state, with the attacker claiming responsibility for the disruption and threatening prolonged downtime. DataBreaches.net attempted to verify the claims but could not reach city representatives due to the website outage, which persisted during initial reporting.
Bitcoin Baron communicated directly with DataBreaches.net to elaborate on the attack's scope, clarifying that exfiltrated data involved municipal personnel information rather than citizen records. The attacker reinforced their threats through a YouTube upload, though the video's specific content remains undocumented in available sources. No verifiable details emerged regarding the intrusion methodology, duration of network access, or precise categories of compromised personnel data. Municipal systems remained partially inaccessible during initial reporting, as evidenced by the sustained website outage noted ten hours after Bitcoin Baron's initial claim. Publicly available information did not document official city responses, remediation efforts, or confirmation of data compromise at the time of reporting. The incident marked an early example of ransomware tactics combining financial extortion with ideological grievances against municipal entities.