Codebreakers
Codebreakers is a hacker group identified in the content in connection with a March 2025 intrusion claim against Bank Sepah, a government-owned Iranian bank with historical ties to Iran’s military community. According to the content, Codebreakers announced on Telegram and other social platforms that it had infiltrated Bank Sepah’s systems and exfiltrated more than 12 terabytes of confidential data associated with more than 42 million individuals. The group claimed the stolen data included account numbers, passwords, mobile phone numbers, residential addresses, transaction histories, and information related to military personnel. The content states that Codebreakers gave Bank Sepah a 72-hour negotiation window and demanded $42 million in Bitcoin to prevent disclosure. After Bank Sepah publicly denied the breach, Codebreakers released sample data and claimed exposure of data belonging to 20,000 individuals, including high-profile civilian and military-linked customers. Based on the content, the group’s observed tactics included data theft, public breach claims via Telegram/social media, extortion through a Bitcoin ransom demand, and subsequent leaking of sample data after the victim rejected or denied the demand. No additional aliases, sub-groups, or attribution to a nation state are provided in the content.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- banking
- financial services
Tradecraft
3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Data theft and extortion operation attributed with stealing and leaking large volumes of banking customer records after ransom demands were rejected.
Actor claimed access to tens of millions of banking customer records and associated sensitive financial data; attribution and details are presented as claims in the content.
Claimed intrusion and large-scale data theft from Iran’s Bank Sepah, followed by extortion demand ($42M in Bitcoin) and selective leaking of purported customer/bank data after the bank denied the breach.
Claimed intrusion into Bank Sepah and exfiltration of large-scale customer and military-linked data; attempted extortion by threatening public release unless paid $42M in Bitcoin; later published sample data to substantiate claims.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.