Tracing the Digital Footprint of the Mabna Hackers | WhoisXML API


Tracing the Digital Footprint of Iran’s Mabna Hackers

The Mabna hackers victimized hundreds of organizations worldwide and were known to sell the sensitive information they stole. After nine of the group's members were indicted in the U.S.[1], the otherwise elusive threat actors may still have left breadcrumbs of their criminal activity in the form of WHOIS and DNS connections.

WhoisXML API investigated the digital properties related to the group, starting with eight registrant email addresses known to have been used in the group's malicious campaigns, and found that:

  • The email addresses were used to register 10,000+ domains, although most of these may belong to a domain name investor rather than to the group.
  • The connected domains resolved to 200+ IP addresses, 68 of which appear to be dedicated rather than shared hosting.
  • Pivoting on the email and dedicated-IP connections uncovered 1,400+ domains possibly involved in the group's campaigns, 89% of which had active IP resolutions at the time of the study.
  • One domain hosted, or redirected to, a page that discussed Android hacking tools.
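The bullets above describe a standard infrastructure-pivoting workflow: reverse WHOIS from registrant email to domains, DNS resolution from those domains to IP addresses, filtering for dedicated IPs (addresses hosting only a handful of domains, so that their other tenants are more likely related than the thousands of tenants on a shared-hosting IP), reverse IP from the dedicated addresses back to further domains, and finally a check of which domains in the expanded set still resolve. The following Python sketch is an added example written for this page, not WhoisXML API's code or data: the WHOIS records, passive-DNS history, current A records, domain names, IP addresses (taken from the RFC 5737 documentation ranges) and the `max_tenants` cut-off of 4 are all constructed assumptions.

```python
from collections import defaultdict

# All data below is constructed for illustration; none of it comes from the report.
SEED_EMAILS = {"actor1@example.net", "actor2@example.net"}

# Constructed WHOIS: domain -> registrant email.
WHOIS = {
    "seed-a.example": "actor1@example.net",
    "seed-b.example": "actor1@example.net",
    "seed-c.example": "actor2@example.net",
    "parked-d.example": "actor2@example.net",   # registered but never resolved
    "bulk-1.example": "investor@example.org",    # unrelated tenants on a shared IP
    "bulk-2.example": "investor@example.org",
    "bulk-3.example": "investor@example.org",
    "pivot-x.example": "privacy@example.org",    # WHOIS-redacted, reachable only via IP pivot
    "pivot-y.example": "privacy@example.org",
    "unrelated.example": "someone@example.com",
}

# Constructed passive-DNS history: domain -> every IP it has ever resolved to.
PDNS = {
    "seed-a.example": {"203.0.113.10"},
    "seed-b.example": {"203.0.113.10", "198.51.100.5"},
    "seed-c.example": {"198.51.100.5"},
    "parked-d.example": set(),
    "bulk-1.example": {"198.51.100.5"},
    "bulk-2.example": {"198.51.100.5"},
    "bulk-3.example": {"198.51.100.5"},
    "pivot-x.example": {"203.0.113.10"},
    "pivot-y.example": {"203.0.113.10"},
    "unrelated.example": {"192.0.2.77"},
}

# Constructed current A records: a domain absent here no longer resolves.
CURRENT_A = {
    "seed-a.example": "203.0.113.10",
    "seed-b.example": "203.0.113.10",
    "seed-c.example": "198.51.100.5",
    "bulk-1.example": "198.51.100.5",
    "bulk-2.example": "198.51.100.5",
    "bulk-3.example": "198.51.100.5",
    "pivot-x.example": "203.0.113.10",
    "unrelated.example": "192.0.2.77",
    # pivot-y.example has dropped out of DNS since it was last seen
}


def reverse_whois(emails, whois):
    """Step 1: every domain whose registrant email is in the seed set."""
    return {domain for domain, email in whois.items() if email in emails}


def build_reverse_ip(pdns):
    """Invert passive DNS into ip -> set of domains that ever resolved to it."""
    reverse = defaultdict(set)
    for domain, ips in pdns.items():
        for ip in ips:
            reverse[ip].add(domain)
    return reverse


def dedicated_ips(domains, pdns, reverse_ip, max_tenants=4):
    """Steps 2-3: IPs the seed domains resolved to, keeping only those with few
    tenants. max_tenants is an assumed cut-off; shared hosting has far more."""
    ips = set().union(*(pdns.get(d, set()) for d in domains))
    return {ip for ip in ips if len(reverse_ip[ip]) <= max_tenants}


def pivot(emails, whois, pdns, current_a, max_tenants=4):
    """Run the whole chain and report the expanded domain set."""
    seeds = reverse_whois(emails, whois)
    reverse_ip = build_reverse_ip(pdns)
    dedicated = dedicated_ips(seeds, pdns, reverse_ip, max_tenants)
    expanded = set(seeds)
    for ip in dedicated:                    # Step 4: reverse IP back to domains
        expanded |= reverse_ip[ip]
    active = {d for d in expanded if d in current_a}   # Step 5: still resolving?
    return {
        "seed_domains": seeds,
        "dedicated_ips": dedicated,
        "expanded_domains": expanded,
        "active_share": len(active) / len(expanded) if expanded else 0.0,
    }


if __name__ == "__main__":
    result = pivot(SEED_EMAILS, WHOIS, PDNS, CURRENT_A)
    for key, value in result.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

In the constructed data the shared IP 198.51.100.5 carries five tenants and is therefore dropped, so the investor's bulk domains never enter the expanded set, while the four-tenant IP 203.0.113.10 pulls in the two WHOIS-redacted pivot domains; one of those has since fallen out of DNS, which is what produces an active-resolution share below 100%. The caveat in the first bullet maps onto step 1: a registrant email with an abnormally large portfolio is more likely a reseller than an operator, and an analyst would inspect or down-weight its domains before pivoting on them. The tenant threshold is the other judgement call; set it too high and shared hosting floods the result with unrelated domains.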

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.fbi.gov/wanted/cyber/iranian-mabna-hackers