Kazu
Kazu is a cybercrime and digital extortion threat actor described as a relative newcomer among cybercrime gangs, with activity referenced from spring 2025 and accelerated data-dump/extortion activity in June-July 2025. Available reporting characterizes Kazu as focused on data-theft extortion rather than ransomware encryption, and as likely targeting internet-facing web portals and web-enabled services. There is no solid evidence in the provided content that Kazu is a rebrand, splinter, or affiliate of another known extortion group, and it is unclear whether Kazu is a single individual or a group.

The actor has claimed victims across government, military, and healthcare sectors. Reporting in the provided content states that most of Kazu's nearly three dozen listed victims were in Southeast Asia, the Middle East, and South America, with countries mentioned including Argentina, Bolivia, Colombia, Costa Rica, Iran, Mauritania, Mexico, Nepal, Saudi Arabia, Sri Lanka, Thailand, and Venezuela. Doctor Alliance was described as the only listed U.S. victim, and the incident was characterized as Kazu's apparent first attack in North America.

Kazu has been linked in the content to major healthcare-related extortion incidents. In the ManageMyHealth/Manage My Health breach in New Zealand, Kazu claimed responsibility for unauthorized access to a document storage module, claimed theft of more than 400,000 health documents / more than 428,000 files, published samples online, and demanded approximately US$60,000 while threatening public release or sale of the data. Reporting states Kazu later removed the listing and sample data from Telegram and a dark web leak site, but no public confirmation of payment was provided.

In the Doctor Alliance incident, Kazu claimed theft initially of 353 GB / 1.24 million files, demanded US$200,000, and later claimed a second compromise that increased the alleged haul to nearly 1.27 TB / about 5 million files and raised the demand to US$500,000. Kazu told DataBreaches that an older unpatched vulnerability was exploited and that the same vulnerability was used again in the second intrusion; those specific intrusion details are claims by the actor and were not independently verified in the content.

Observed tradecraft in the provided content includes claiming intrusions on underground forums, Telegram, dark web leak sites, and clearnet forums; exfiltrating large volumes of sensitive data; publishing sample files to substantiate claims; setting ransom deadlines; threatening to leak or sell stolen data; and operating extortion sites listing multiple victims. The content also notes Kazu-associated leaks involving sensitive personal, medical, and protected health information. One report states Kazu said the group was not politically motivated and was acting for financial gain and reputation building.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Health Care Equipment & Services
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
- 🇨🇴 Colombia
Tradecraft
8 distinct techniques observed across reporting, grouped by tactic.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
Ransomware/extortion operation against a healthcare patient portal, involving large-scale medical-record exfiltration and ransom demand with threat of public release.
Claimed responsibility for the Manage My Health patient portal breach in New Zealand and used an extortion/leak-site model (Telegram + dark web leak site). Subsequently removed the victim listing and data sample, suggesting possible payment or a decision to halt publication.
Claimed responsibility for unauthorized access and exfiltration of sensitive medical documents from the ManageMyHealth patient portal in New Zealand, followed by an extortion attempt (ransom demand with threat to leak data) and publication of sample data to substantiate the claim.
Kazu is conducting extortion operations by breaching healthcare portals, stealing sensitive patient data, and threatening to leak the data unless a ransom is paid.