Cybersecurity researchers have identified a potential connection between two Yemen-based cybercriminal organizations, the Belsen Group and ZeroSevenGroup, following an extensive investigation into their operational patterns and attack methodologies.

The finding stems from a detailed analysis of both groups' operational behavior and attack methods, and points to network intrusion activity that threatens critical infrastructure and enterprise systems worldwide.

The Emergence of the Belsen Group

The Belsen Group first came to the forefront in January 2025, making headlines with the leak of 1.6 GB of sensitive data from over 15,000 vulnerable Fortinet FortiGate devices. The compromised information included IP addresses, system configurations, and VPN credentials. To establish credibility within cybercriminal communities, the group initially disseminated this data freely on BreachForums and on its dedicated Tor-based blog.

Their attack vector primarily exploited CVE-2022-40684, a critical authentication bypass vulnerability in FortiGate firewalls. This suggests that the Belsen Group maintained unauthorized access to victim systems for over two years before the public disclosure of the vulnerability.

The Operations of ZeroSevenGroup

ZeroSevenGroup, the more established of the two entities, has been active since July 2024. Initially operating on platforms such as NulledTo, the group expanded its presence to BreachForums, CrackedTo, and Leakbase. Specializing in data monetization, ZeroSevenGroup targeted organizations across Poland, Israel, the United States, the UAE, Russia, and Brazil.

Their most notable breach occurred in August 2024, involving Toyota’s US operations. The group claimed responsibility for exfiltrating 240 GB of sensitive corporate data, underscoring their capability to infiltrate and exploit major multinational corporations.

Operational Similarities and Forensic Analysis

Analysts from the KELA Cyber Team conducted a forensic examination of both groups’ posting patterns and communication styles, revealing significant operational similarities. Notably, both organizations employed identical title formatting conventions in their forum posts and victim announcements, specifically using “[ Access ]” with square brackets and spaces. This distinctive formatting was unique to these two actors within KELA’s comprehensive threat intelligence database.

Tactical Convergence and Attribution Analysis

Further technical analysis through Open Source Intelligence (OSINT) investigations uncovered deeper connections between the groups. Researchers identified matching stylistic patterns in their social media presence, particularly consistent hashtag usage, including #hack, across their Twitter profiles.

Both groups demonstrated similar operational security practices, maintaining multiple communication channels such as Tox, XMPP, Telegram, and X for victim negotiations and data sales.

Belsen Group’s Infrastructure

The Belsen Group’s operational infrastructure included a sophisticated onion site for victim listings and contact information, registered under a partially redacted email address. Their Telegram administrator account (@BelsenAdmin, ID 6161097506) provided additional intelligence through its subscriptions to cybersecurity certification groups, regional Arabic-speaking communities in Yemen, and technical training channels.

Previous usernames associated with this account (@m_kyan0, @mmmkkk000000) offered further attribution markers for ongoing investigations.

ZeroSevenGroup’s Evolution

ZeroSevenGroup’s technical profile showed evolution from their earlier incarnation as “ZeroXGroup” on RaidForums under the username zerox296. The group’s password reuse patterns across leaked databases and infostealers provided crucial attribution links, connecting their operations to Yemen-based threat actors associated with the Yemen Shield hacking group.

Their transition to exclusive operations on Exploit Forum since January 2025 demonstrated tactical adaptation following exposure of their scamming activities against the Medusa Ransomware group.

Implications and Recommendations

While definitive attribution remains challenging, the convergence of operational patterns, geographic origins, and tactical preferences strongly suggests coordination or shared resources between these cybercriminal entities. This represents an evolving threat landscape that necessitates enhanced defensive measures.

Organizations are advised to implement robust cybersecurity protocols, including regular vulnerability assessments, timely patch management, and comprehensive monitoring of network activities. Collaboration with threat intelligence platforms can provide valuable insights into emerging threats and facilitate proactive defense strategies.

As cyber threats continue to evolve, staying informed and vigilant is paramount in safeguarding critical infrastructure and sensitive data from sophisticated cybercriminal operations.