SiegedSec
SiegedSec, also referred to as Sieged Security and self-described as the "Gay Furry Hackers," was a black-hat criminal hacktivist group formed in early 2022 and led by the alias "vio." Reported members included "vio," "Kry," and "mirrorless." The group announced it disbanded on July 10, 2024, citing mental health strain, stress from publicity, and concern about FBI attention.
Profile source: Mallory opens in a new tabSiegedSec
Family profile
SiegedSec, also referred to as Sieged Security and self-described as the "Gay Furry Hackers," was a black-hat criminal hacktivist group formed in early 2022 and led by the alias "vio." Reported members included "vio," "Kry," and "mirrorless." The group announced it disbanded on July 10, 2024, citing mental health strain, stress from publicity, and concern about FBI attention.
The group conducted high-profile intrusions, data theft, leaks, and claimed destructive actions against government, intergovernmental, research, telecom, media, religious, and politically opposed targets. Reported targets included NATO portals, Idaho National Laboratory, Atlassian, Real America’s Voice, River Valley Church, The Heritage Foundation, Bezeq, U.S. state and local government entities, and internet-exposed GNSS/satellite receivers in Colombia, the United States, and Romania. SiegedSec was described in the content as a hacktivist and crimeware group, and in other reporting as primarily black-hat and often acting "for the lulz," while also conducting politically motivated operations.
Its activity included use of stolen credentials, opportunistic exploitation of exposed credentials, compromise of internet-exposed systems, data exfiltration and public leaking, spoofed messaging, and claimed wiping of data in some incidents. In the July 2023 University of Connecticut incident, "vio" claimed the group used hardcoded credentials allegedly exposed in a public Bitbucket repository to access a LISTSERV account and send spoofed emails. In the February 2023 Atlassian incident, SiegedSec used stolen employee credentials and leaked approximately 13,000 employee records. Against NATO, SiegedSec claimed multiple breaches of unclassified portals including the Communities of Interest Cooperation Portal, Joint Advanced Distributed Learning site, NATO Lessons Learned Portal, Logistics Network Portal, NATO Investment Division Portal, and NATO Standardization Office, and claimed leaks including 845MB from the COI portal and more than 3,000 files totaling about 9GB in a later incident.
SiegedSec repeatedly framed operations around political causes, especially transgender rights. It ran #OpTransRights and #OpTransRights2 targeting organizations it considered anti-trans or otherwise politically opposed, including U.S. state entities, Real America’s Voice, River Valley Church, Hillsong, and The Heritage Foundation. In June 2023 it targeted U.S. government entities over antigender-affirming-care bills, including Fort Worth, the Nebraska Supreme Court, South Carolina Criminal Justice Information Services, Texas State Behavioral Health Executive Council, Pennsylvania’s Provider Self-Service, and South Dakota Boards and Commissions. In 2024 it claimed the Heritage Foundation breach and leak as retaliation tied to Project 2025, and also leaked alleged Signal chat logs involving Heritage executive Mike Howell. The Heritage Foundation disputed that its systems were breached.
Other notable operations in the content include the November 2023 Idaho National Laboratory breach via a federally approved vendor system supporting cloud HR services, where SiegedSec claimed access to thousands of employee and user records containing names, birth dates, addresses, phone numbers, Social Security numbers, and employment information; the Real America’s Voice breach, where it claimed exposure of more than 1,200 users’ personal information and wiping of API and AWS S3 data; and attacks on GNSS/satellite receivers in 2023, where it published screenshots and accessed sensitive data but no destructive damage was reported in those specific incidents.
SiegedSec also had reported associations or collaborations with other hacktivist groups. The content states KittenSec confirmed associations with SiegedSec and ThreatSec. Separate reporting in the content says SiegedSec collaborated with Anonymous Sudan, partnered with ByteMeCrew, and was part of a "Five Families" alliance with Ghost Security, BlackForums, ThreatSec, and Stormous Ransomware.
The content does not attribute SiegedSec to a nation-state. It is consistently described as a hacktivist or black-hat criminal hacktivist group rather than a state actor.
Ransomware.live