
While definitive proof of a shared leadership remains elusive, multiple overlapping tactics, techniques, and procedures (TTPs) point to a likely affiliation or at least coordinated activity.
On January 14, 2025, an actor using the handle Belsen_Group published 1.6 GB of sensitive Fortinet FortiGate device data on BreachForums, later mirrored on a TOR-based blog.
The leak comprised IP addresses, firewall configurations, and VPN credentials from over 15,000 vulnerable appliances.
Analysis indicates exploitation of CVE-2022-40684, a critical authentication bypass vulnerability patched by Fortinet in October 2022, suggesting the intruders maintained undetected access for more than two years before exfiltrating the data.

After establishing credibility via free publication, the Belsen Group began offering tailored network access sales, targeting corporate victims across Africa, the United States, and Asia.
Belsen’s digital footprint extends beyond BreachForums. The group’s affiliated Twitter account, created on January 10, 2025, under a partially redacted Gmail address, replicates victim listings from both their forum posts and onion site.
Contact methods span Tox, XMPP, Telegram, and the Twitter handle. Notably, Telegram user @BelsenAdmin (ID 6161097506), who registered the account in 2023 as “K Y,” periodically solicits resources such as the eWPTX certification course.
OSINT reveals the account’s diverse channel subscriptions, ranging from cybersecurity training groups to Yemen-focused Arabic communiques and unrelated adult-themed communities.
Shared Tactics and Templates Suggest Coordination
ZeroSevenGroup first emerged in July 2024 on NulledTo before expanding to BreachForums, CrackedTo, and Leakbase. Early operations involved free database dumps unlocked by a unique password.
KELA’s data lake linked that password to a leaked email address and a machine compromised by stealer malware associated with Yemen-based threat actors, including the Yemen Shield hacking collective.
In August 2024, ZeroSevenGroup claimed responsibility for exfiltrating 240 GB of data from Toyota’s U.S. branch via a third-party contractor breach, which Toyota later confirmed after initially downplaying the incident.

By November 2024, the group faced accusations of selling fraudulent network access to the Medusa ransomware operation. Since January 2025, ZeroSevenGroup has posted exclusively on Exploit Forum, marketing C2 and VPN access to an Italian government target and enterprises in the U.S. and Japan.
Despite differing timelines, both groups consistently employ post titles formatted as “[ Access ]” with identical spacing and bracket usage. Analysis of post content reveals near-identical phrasing, indicating a shared posting template.
A targeted keyword search on KELA’s platform returned results solely attributed to these two actors. Their social media behavior also converges: both accounts heavily utilize the #hack hashtag in updates.
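The shared-template observation above is the kind of check an analyst can automate rather than eyeball. The Python below is an added illustration, not KELA's tooling or anything published with the report: it reduces each post title to a formatting skeleton (brackets and spacing kept, every word or number replaced by a placeholder) so that "[ Access ]" with its exact spacing is distinguishable from "[ACCESS]", and it scores body text with word-bigram Jaccard overlap after masking digits. The posts, actor names and threshold are constructed sample values, not real forum content.

```python
import re
from itertools import combinations

# Constructed sample posts (not real forum data). Two actors share a title
# convention and near-identical body phrasing; a third uses a different style.
POSTS = [
    {"actor": "actor_a",
     "title": "[ Access ] Corporate network - US - Revenue $50M",
     "body": "Access offered. Type: VPN. Country: US. Revenue: 50M. Contact: Tox."},
    {"actor": "actor_b",
     "title": "[ Access ] Enterprise network - JP - Revenue $120M",
     "body": "Access offered. Type: VPN. Country: JP. Revenue: 120M. Contact: Tox."},
    {"actor": "actor_c",
     "title": "[ACCESS] rdp usa company",
     "body": "RDP access, USA company, contact via PM."},
]


def title_signature(title):
    """Keep only the formatting skeleton of a title: brackets, dashes and the
    exact whitespace survive, every run of letters/digits becomes 'w'."""
    return re.sub(r"[A-Za-z0-9$]+", "w", title)


def normalize_tokens(text):
    """Lowercase, mask numbers (so 50M and 120M compare equal) and tokenize."""
    text = re.sub(r"\d+", "#", text.lower())
    return re.findall(r"[a-z#]+", text)


def shingles(tokens, n=2):
    """Word n-gram set; bigrams capture phrasing order, not just vocabulary."""
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def body_similarity(body1, body2):
    return jaccard(shingles(normalize_tokens(body1)),
                   shingles(normalize_tokens(body2)))


def find_template_matches(posts, threshold=0.6):
    """Return (actor, actor, score) for every pair whose titles share a
    skeleton AND whose bodies overlap at or above the threshold.
    Requiring both signals reduces false positives from a common vocabulary."""
    matches = []
    for p, q in combinations(posts, 2):
        same_title = title_signature(p["title"]) == title_signature(q["title"])
        score = body_similarity(p["body"], q["body"])
        if same_title and score >= threshold:
            matches.append((p["actor"], q["actor"], round(score, 2)))
    return matches


if __name__ == "__main__":
    for post in POSTS:
        print(post["actor"], "->", title_signature(post["title"]))
    print("template matches:", find_template_matches(POSTS))
```

The title skeleton alone is a weak signal, since many sellers copy a popular format; the body bigram score alone is also weak, since access listings share a small vocabulary. Requiring both to agree, and then pivoting on the matched posts in a data lake as the report describes, is what turns a stylistic hunch into something reviewable.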
While KELA refrains from declaring these overlaps conclusive evidence of a single controlling entity, the convergence of geographical origin, exploit focus, network access monetization, posting conventions, and template-driven writing strongly suggests a collaborative infrastructure or shared operator resources.
Further monitoring and in-depth forensic investigations may uncover definitive links, but current intelligence paints a compelling picture of an operational nexus between Belsen Group and ZeroSevenGroup.
The post Report Shows Operational Link Between Belsen and ZeroSeven Cybercrime Groups appeared first on Cyber Security News.
