Security researchers at Outpost24 have released a report detailing a financially motivated cybercriminal group tracked as “Lionishackers,” known for exfiltrating and selling corporate databases and for its persistent activity in underground forums.
While it appears that Lionishackers is largely opportunistic in its targeting, the group repeatedly leaked data from organizations in countries like Thailand, Syria, and India, indicating a focus on Asian countries. The group’s operations span across industries, with breaches reported in government, telecommunications, education, retail, and even gambling sectors, the latter being their stated favorite.
The threat actor has been active in Telegram-based cybercrime communities and appears to have collaboration ties with “Hunt3r Kill3rs,” a politically motivated threat actor active since at least April 2024. The group has been involved in hacktivist activities, particularly against Ukrainian and Israeli entities. Lionishackers has been observed participating in these ideological campaigns, suggesting religious motivations may occasionally influence their actions.
“In November 2024, Lionishackers were identified by another user as one of the admins of the Hunt3r Kill3rs Telegram channel,” the report notes.
Lionishackers is known to use SQL injection techniques, often automated with tools like sqlmap, to breach targets. Once compromised, databases are marketed through various aliases on underground forums and Telegram, where the group handles all negotiations. Unlike many other cybercrime groups, Lionishackers does not appear to extort victims or operate a dedicated Data Leak Site.
While some users on Telegram have accused the group of scams, Lionishackers usually backs its claims with evidence, such as screenshots or data samples.
Although the group has created accounts on various forums, Telegram remains their primary communication channel. Lionishackers is an active participant in well-known underground Telegram groups such as AKULA and B F R e p o V 3 C h a t, where the threat actors appear to be recognized members.
In addition to participating in public groups, the group operated their own Telegram accounts and channels to advertise database sales and related services. These accounts were typically tied to their two main aliases: Lion and CaptainFen.