Bashe
Bashe is a cybercriminal threat group active since April 2024 that focuses on data-theft extortion and ransomware. The group is also referred to as APT73 and Eraleign. Supporting reporting states that Bashe is known for falsely claiming responsibility for high-profile breaches, taking credit for attacks it did not commit, and using recycled or publicly accessible data to fabricate or exaggerate victim claims in order to attract affiliates, bolster credibility, and increase extortion pressure.
In the Hargreaves Lansdown case, Bashe listed the company on its Tor leak site on 27 April 2026 and claimed to have stolen a customer database containing 658,259 unique users, but analysis cited in the reporting assessed with high confidence that the alleged breach was fabricated. The reporting states that Bashe likely exploited public awareness of Hargreaves Lansdown’s prior IT issues to build a plausible false hack narrative and apply psychological and reputational pressure for extortion, rather than to demonstrate a genuine technical compromise.
Additional reporting describes Bashe/APT73 as a regional group active in Latin America that has claimed compromises such as Grupo Petersen in Argentina, and notes that it often fabricates breach claims using publicly accessible or previously breached data.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Financial Services
Where they target
Geographies tied to known operations.
- 🇬🇧 United Kingdom
Tradecraft
5 distinct techniques observed across reporting, grouped by tactic.
Observables
2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A cybercriminal group focused on data-theft extortion and ransomware that allegedly fabricated a breach claim against Hargreaves Lansdown, likely using fake leaked data and exploiting recent IT outages to support a false extortion narrative.
Regional ransomware/extortion group active in Latin America, claiming compromise of an Argentine engineering and construction firm and noted for frequently fabricating breach claims using public or previously leaked data.
A cybercriminal group focused on data-theft extortion and ransomware that allegedly listed Hargreaves Lansdown as a victim, but the content assesses with high confidence that the claimed breach was fabricated to support extortion and boost credibility.