Jingle Thief attribution links Atlas Lion and Storm-0539 to a Morocco-based fraud crew
Threat Actor Meta
Summary
Hide ▲
Show ▼
A moderate-confidence attribution now ties Jingle Thief to Atlas Lion and Storm-0539, clarifying the identity of a persistent gift-card-fraud crew. That matters because it places the actor in a Morocco-originating criminal ecosystem and gives defenders a clearer handle on the cluster's operating profile. The attribution also shows the group is tracked as more than a one-off phishing crew, with a durable identity behind its cloud abuse.
Related Happenings
CL-CRI-1116 / BlackFile overlap with The Com
Threat Actor Meta
First: 27.04.2026 11:15
Last: 27.04.2026 11:15
Sources 1
About this happening:
Researchers linked **CL-CRI-1116** to overlapping labels including **BlackFile**, **UNC6671**, and **Cordial Spider**, suggesting the extortion cluster sits inside a broader **The...
CL-CRI-1116 / BlackFile overlap with The Com
Threat Actor MetaAbout this happening: Researchers linked **CL-CRI-1116** to overlapping labels including **BlackFile**, **UNC6671**, and **Cordial Spider**, suggesting the extortion cluster sits inside a broader **The...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
CampaignAbout this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
Scattered Spider SMS phishing and SIM-swap crypto theft campaign
Campaign
First: 20.04.2026 16:33
Last: 20.04.2026 16:33
Sources 1
About this happening:
The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...
Scattered Spider SMS phishing and SIM-swap crypto theft campaign
CampaignAbout this happening: The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...
DPRK-linked cryptoasset theft campaign continuing into 2026
Campaign
First: 03.04.2026 11:35
Last: 03.04.2026 11:35
Sources 1
About this happening:
The **DPRK-linked cryptoasset theft campaign** is continuing into **2026**, keeping **crypto and Web3** targets at risk of repeated theft and laundering activity. The operation us...
DPRK-linked cryptoasset theft campaign continuing into 2026
CampaignAbout this happening: The **DPRK-linked cryptoasset theft campaign** is continuing into **2026**, keeping **crypto and Web3** targets at risk of repeated theft and laundering activity. The operation us...
UAC-0050 spear-phishing campaign targeting European financial institutions
Campaign
First: 24.02.2026 16:21
Last: 24.02.2026 16:21
Sources 1
About this happening:
The **UAC-0050** spear-phishing operation targeted a **European financial institution**, raising concern that the actor is extending its reach beyond **Ukraine** into **Western Eu...
UAC-0050 spear-phishing campaign targeting European financial institutions
CampaignAbout this happening: The **UAC-0050** spear-phishing operation targeted a **European financial institution**, raising concern that the actor is extending its reach beyond **Ukraine** into **Western Eu...
Timeline
-
23.10.2025 10:52 2 articles · 7mo ago
Jingle Thief linked to Atlas Lion and Storm-0539
Attribution UpdateResearchers map Jingle Thief, also tracked as CL-CRI-1032, to criminal groups Atlas Lion and Storm-0539 with moderate confidence and describe the crew as a financially motivated actor originating from Morocco. The cluster is presented as active since at least late 2021 and associated with cloud-targeted phishing and smishing campaigns against retail and consumer services organizations.
Show sources
- “Jingle Thief” Hackers Exploit Cloud Infrastructure to Steal Millions in Gift Cards — thehackernews.com — 23.10.2025 10:52
- “Jingle Thief” Hackers Exploit Cloud Infrastructure to Steal Millions in Gift Cards — thehackernews.com — 23.10.2025 10:52