Cyber Incident Victim: Grozio Chirurgija

Date: Apr 2017

Location: Lithuania

Summary

Cybercriminals breached a Lithuanian plastic surgery clinic, stealing sensitive patient records and nude photos—including those of celebrities—and attempted to extort the clinic by demanding a ransom in bitcoin to delete the data. After the clinic initially downplayed the breach’s severity, the attackers publicly released verified patient data and photos, confirming the authenticity of the stolen materials, while also individually blackmailing high-profile victims via untraceable messages. The perpetrators offered the entire dataset for sale on the dark web, pricing individual records between €50 and €2,000 or the complete package at approximately €344,000, citing the clinic’s refusal to pay and its inadequate cybersecurity as justification for the public sale.

Description

In late April 2017, cybercriminals breached the data systems of Lithuanian plastic surgery clinic Grožio Chirurgija, stealing personal records and photos of approximately 25,000 patients, including national and foreign celebrities. The attackers contacted OCCRP's Lithuanian partner 15min via email on an unspecified date prior to April 28, providing nude patient photos and claiming responsibility for the April 25 theft. They subsequently listed the stolen data for sale on a Dark Web marketplace, pricing individual records between €50 and €2,000 while offering the entire dataset for €344,000. Journalists at 15min verified the authenticity of multiple celebrity records by cross-referencing exposed phone numbers, birth dates, and medical details with real-world information. One patient confirmed the accuracy of leaked breast surgery records matching her procedure date. Initially, clinic representatives downplayed the severity, with lead surgeon Vygintas Kaikaris asserting that while names, addresses, and surnames were compromised, the photographs were fabricated by hackers.

Following the clinic's denial, the attackers escalated by releasing targeted data bundles containing verifiable patient information. Multiple clients contacted by 15min acknowledged the authenticity of photos taken at the clinic. The cybercriminals simultaneously pursued dual extortion tactics: demanding 300 bitcoins (approximately €344,000) from the clinic to delete the data—framed as a "small penalty fee" for inadequate cybersecurity—while individually blackmailing celebrity victims through untraceable text messages containing links to their exposed records. At least two celebrities confirmed receiving such messages. The perpetrators publicly justified their actions on the Dark Web, criticizing the clinic's refusal to pay as evidence of "huge egos" and subsequently increasing the full dataset's price. Lithuanian authorities initiated an investigation into the breach, though no containment measures or technical details regarding the attack vector were disclosed in available reports. The incident exposed sensitive medical imagery, enabled financial extortion attempts, and damaged institutional credibility through verified data disclosures.
