Cyber Incident Victim: Wildberries
Date: Mar 2022
Location: Russia
Summary
A major disruption impacted Wildberries' operations, causing widespread service failures: users experienced login issues, order tracking malfunctions, and the disappearance of purchase histories, while sellers faced dashboard inaccessibility, inventory system outages, and halted shipment processing. Initial speculation attributed the outage to a ransomware attack by the foreign group OldGremlin or to insider involvement; the company first blamed technical faults and later acknowledged a medium-scale cyber intrusion that partially disabled systems without compromising user financial data. Service restoration progressed unevenly, with core functionality largely returning for Russian users while residual errors persisted in order visibility and partner interfaces, alongside operational delays at pickup points. During recovery the marketplace extended storage deadlines and waived seller penalties, amid conflicting external reports about potential data leaks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On March 14, 2022, Wildberries experienced a major operational disruption affecting its e-commerce platform. Users reported inability to access mobile applications, view order histories, track deliveries, or display QR codes for package collection. Multiple Forbes correspondents confirmed disappearance of purchase records and inability to place new orders. Sellers encountered failures in vendor dashboard connectivity, preventing inventory management and warehouse shipments. Pickup points (ПВЗ) suspended item distribution due to technical failures, with Downdetector recording 12,000 error reports that day. On March 15, logistics partner SDEK circulated an internal security alert citing third-party data about a cyberattack on Wildberries and referencing 100,000 compromised Russian payment cards in darknet markets, though SDEK later retracted any direct link between Wildberries and the card leak. SecurityLab.ru editor Alexander Antipov attributed the incident to OldGremlin hackers who allegedly implanted ransomware in Wildberries' systems, while Telegram channel author Samat Galimov claimed Russian hackers destroyed backend infrastructure and backups, potentially with insider collaboration. Wildberries initiated an internal investigation on March 16, acknowledging a medium-intensity cyberattack that partially disabled services without compromising user data. SearchInform security head Andrey Drozd characterized the event as one of Russia's largest IT disruptions, noting potential insider involvement through infrastructure data leaks or supply-chain attacks.

The incident impacted Wildberries' 113 million monthly users, with residual system instability persisting through March 18 when Downdetector still reported 120 errors—primarily order tracking issues (67%), app malfunctions (23%), and website problems (10%). Sellers faced ongoing disruptions including missing sales reports, payment delays, inventory visibility gaps, and unauthorized rating downgrades related to delivery failures. Wildberries restored core functionality by March 14 and reduced errors 100-fold within four days through IT remediation. The company implemented compensatory measures: extending pickup point storage periods, permitting identity-based package collection without QR codes, waiving all seller storage fees, accelerating vendor payments, and canceling delivery-related penalties. However, technical limitations persisted at pickup locations, where staff reported intermittent scanning failures and return processing delays. Seller-facing systems like the WB Partners portal remained partially inaccessible, hampering shipment operations. Wildberries maintained that financial data and payment card information remained secure throughout the incident, attributing residual service inconsistencies to ongoing recovery efforts across geographically distributed systems.
