ByteToBreach

ByteToBreach is a financially motivated cybercriminal described as a data leak trader and access broker, active since at least June 2025. The actor operates across DarkForums, Dread, Telegram, Pastebin, and a public WordPress site branded "Pentesting Ltd.," which was used for self-promotion, victim shaming, and monetization. Reported communication channels include Telegram, ProtonMail, Tuta, Gmail, Signal, and Session, and the actor has also shared or sold data via Google Drive and OwnCloud. The content describes ByteToBreach as targeting high-impact organizations globally across banking, insurance, telecom, airlines, transportation, healthcare, universities, government, and IT services. Reported victim geography spans multiple countries, including the United States, India, Italy, Spain, Russia, the Netherlands, France, Finland, Poland, Portugal, Cyprus, Seychelles, Singapore, Chile, Panama, Uzbekistan, Kazakhstan, Thailand, Ukraine, Ethiopia, and Sweden. The victimology is described as financially driven rather than politically constrained, including targeting of CIS countries as well as Ukraine. Reported initial access methods include exploitation of known vulnerabilities in internet-facing cloud and enterprise software, reuse of stolen credentials from infostealers and phishing, and occasional brute force or abuse of misconfigurations. Post-compromise behavior described in the content includes lateral movement, credential harvesting, tunneling, compromise of backups and security tooling, data exfiltration, extortion, and in at least one claimed case ransomware deployment. Specific claimed techniques in the content include exploitation of public-facing applications, SQL injection, Oracle WebLogic exploitation, Microsoft Exchange ProxyLogon exploitation, Apache Solr local file inclusion, JSP reverse shell upload, Jenkins compromise, Docker escape, SSH key pivots, SQL copy-to-program pivots, credential dumping, tunneling with Ligolo, and exfiltration over web services. The actor is associated in the content with claimed breaches involving VUMI Group, National Oil Ethiopia PLC, Viking Line, CGI Sverige AB and Sweden's e-government platform, Eurofiber France's GLPI and ATE environments, and other alleged victims including banks, telecom providers, airlines, universities, and government-related entities. In the Eurofiber case, ByteToBreach claimed theft of data from roughly 10,000 business and government clients. KELA describes the actor as credible and adaptable, noting that some leaked datasets were later corroborated by affected organizations or contained verifiable technical artifacts. Known aliases and related identifiers directly mentioned in the content include bytetobreach, ByteToBreach, Telegram handle @ByteToBreach, prior Telegram names "CvHNWwEG" and "inesslopez," and the public-facing brand "Pentesting Ltd." The content assesses the actor as likely a single technically skilled individual or a small group.