Overview

This report presents an in-depth profile of an underground cyber actor operating under the alias 1ucif3r, also known as Lucifer. Leveraging the investigative capabilities of the StealthMole platform, this profile consolidates information derived from historical breach datasets, forum activity, dark web infrastructure, and open-source intelligence (OSINT). 1ucif3r has maintained an active digital footprint since at least 2021 and is believed to be based in ******, based on recurring indicators such as domain registration, language use, school-linked credentials, and Telegram group memberships.

1ucif3r is not only known for operating in breach and exploit communities but also attempts to cultivate an identity through branded assets such as "DARKARMY", GitHub repositories, and personalized onion sites. While there is speculation around his ties to the ransomware group "D4RK 4RMY," this report maintains separation between the two identities due to the lack of direct technical links. The analysis focuses solely on 1ucif3r’s independent operational identity.

Incident Timeline: Historical Breach Activity

1ucif3r’s emergence can be traced back to high-profile breach incidents that surfaced throughout 2023 and 2024, which were detected and catalogued via StealthMole’s ransomware and leak monitoring tools. These events illustrate a pattern of attacking state-linked or military-grade targets, likely to maximize geopolitical impact and underground recognition.

1. UAE Abu Dhabi & Dubai Police Leak (2023)
   • Leaked internal documentation, credentials, and identity cards.
   • Exposed personnel data and backend systems tied to UAE law enforcement.

2. South Korea Military Database Breach (2023)

• Infiltrated access logs, internal networks, and military login credentials.
• Claimed on forums by actors using stylizations resembling 1ucif3r’s aliases.

3. Vietnam Government Webmail Leak (2024)

• Sensitive government webmail login credentials were exfiltrated and leaked.
• The data was hosted on multiple dark web paste sites where 1ucif3r’s email or usernames appeared in associated metadata.

4. Iraq National Security Database (2023)

• Leaked on both Omertà and exposed.vc platforms.
• Tied to government-level surveillance records.

Miscellaneous High-Volume or Corporate Leaks:

1. PwC.com Leaked Downloads (2023)
   • Multiple instances posted on leakbase.io, attributed to 1ucif3r.
2. UberHub MDM Internal Leak (2023)
   • 20M mobile device management logs associated with uberhub.uberinternal.com.
3. 480 SQL Dumps (2023)
   • 9GB SQL dump set released twice on separate dates.
4. Russian Crypto Documents Leak (2023)
   • Documents related to Russian crypto entities and platforms.
5. Twitter DB/Scrape Leak (2023)
   • Over 200 million lines of scraped Twitter data. Shared on Nulled.to and other platforms.
6. Web Site Open Source Leaked Databases
   • Aggregation of various exposed data assets from open-source platforms.