Suspected Iran-linked hackers’ Telegram account blocked after ransom demand

The Black Shadow hacking group, which in recent days has been leaking personal information from Israeli websites, had its Telegram messaging app channels removed on Sunday.

The suspected Iran-linked group’s main Telegram channel for communicating messages, as well as a separate channel for releasing data, were both unavailable on Sunday afternoon, just hours after it had demanded a new ransom payment of $1 million in digital currency to stop the leak.

There was no immediate comment from Telegram on the removal. Previously, controversial channels, such as one belonging to the Gaza-based Hamas terror group, were temporarily removed likely due to mass reporting on the group by the app’s users. However, the messaging service has previously denied that mass reports can remove channels.

The hacking group on Sunday morning said in a statement, released through the now-removed channel, that it was “looking for money” and would not leak further information if the ransom was paid within 48 hours.

The group said the database of the Atraf website, a geo-located dating service and nightlife index, whose app and website are popular in the Israeli LGBT community, contained information on some one million people.

“If we have $1 million in our [digital] wallet in the next 48 hours, we will not leak this information and also we will not sell it to anybody. This is the best thing we can do,” the hacking group said, noting that it was in possession of users’ chat content, as well as event ticket and purchasing information.

A person speaks on their phone during an annual Gay Pride Parade in Jerusalem, on June 3, 2021. (Olivier Fitoussi/ Flash90)

Later on Sunday, using a backup channel after its main accounts were removed, the hacking group threatened to release data on fifty “famous” Israelis who had been using the online dating service.

“Atraf’s team did not contact us for any deal’s yet so we collected 50 famous israeli that were surfing and we leak their video’s to access the private group,” the Black Shadow group published, demanding $500 for access to the data.

The hackers said that they had not been contacted by anybody in the Israeli government or Cyberserve, the Israeli internet hosting company they breached on Friday, taking down several of its sites, including Atraf.

The hackers said the lack of contact showed it was “obvious [the hack] is not an important problem for them.”

The names of some Atraf users and their locations have already been posted online, as well as the HIV status that some users had put on their profiles.

The Israel AIDS task force told the Walla news site in a statement that they were deeply concerned by the news.

“The thought that a person’s HIV positive status can be revealed not by their choice worries us very much,” the task force said.

“For many people, this is sensitive information, that, if exposed, could raise concerns and cause anxiety,” the organization said, calling on the public not to further disseminate any personal information revealed in the leak.

The data leak has also worried those who have not publicly disclosed their sexual orientation or gender identification.

One person, named only as “A,” told Walla that it would “destroy” them if intimate information and photos were to leak online.

“Ever since I heard about this hack, I can’t stop thinking about it. I have intimate pictures and sexual correspondence on there, and it would destroy me if they ever reached my family,” they said. “I surf the site and buy party tickets from there also, so as well as the disturbing part about being [outed], there is also the matter of my credit card and identity details. It’s just scary.”

The hackers said the information leaked online so far represented just 1 percent of the data acquired in the breach.

Illustrative. Hacking, hackers, ransomware, and a cybersecurity attack. (solarseven; iStock by Getty Images)

The cyberattack also hit websites, including of Israeli public transportation companies Dan and Kavim, a children’s museum and public radio online blog, with the sites still available to users by midday Sunday. The attack also targeted the tourism company Pegasus, and Doctor Ticket, a service that could have sensitive medical data, according to Hebrew media.

Black Shadow claimed responsibility for the attack and published what it said was client data, including the names, email addresses, and phone numbers of Kavim clients, on the Telegram messaging app.

Hours later, the group said it had not been contacted by authorities or Cyberserve, so it released another trove of information, including what it said was data pertaining to clients of the Dan transportation company and a travel agency.

Israeli media said Black Shadow is a group of Iran-linked hackers who use cyberattacks for criminal ends.

The group breached Israel’s Shirbit insurance firm in December last year, stealing data. It demanded a $1 million ransom and began leaking the information when the firm refused to pay.

The new attack comes after an unprecedented, unclaimed cyberattack wrought havoc on Iran’s gas distribution system this week, which Tehran officials have blamed on Israel and the United States.

Iran and Israel have been engaged in a so-called “shadow war,” including several reported attacks on Israeli and Iranian ships that the two have blamed on each other, as well as cyberattacks.

In 2010, the Stuxnet virus — believed to have been engineered by Israel and its ally the US — infected Iran’s nuclear program, causing a series of breakdowns in centrifuges used to enrich uranium.