This story is over 5 years old.


Hacker Publicly Posts Data Stolen From Government-Linked Cyberespionage Group

Last week, Motherboard obtained data from the so-called ZooPark hacking group, which some suspect is connected to Iran. Now the hacker responsible has seemingly dumped the information after receiving a $1,000 payment.
Image: Shutterstock

Last week, Motherboard reported that a vigilante hacker had stolen data from a hacking group that researchers say is a government-linked cyberespionage unit. The data included GPS locations, text messages, and phone calls that the group had taken from their own victims. Now, that hacker has seemingly published the stolen data online for anyone to download.

The act itself highlights not only the fact that government hackers can sometimes face retribution, but also the ethical issues that come along with releasing such data to the public.


“Heads up,” the anonymous hacker told Motherboard on Monday, “in 48 hours [the data] […] will be in the public domain.” The hacker said someone had paid them the $1,000 worth of bitcoin they were asking for in order to publicly dump the data.

The files the hacker apparently publicly released do seem to line-up with those Motherboard previously obtained.

The stolen files were seemingly from a server controlled by the so-called ZooPark group, a hacking outfit that cybersecurity researchers from Kaspersky revealed earlier this month in a report. At the time of the breach, Motherboard cross-referenced the stolen material with details in that Kaspersky report to corroborate the ZooPark link.

Got a tip? You can contact this reporter securely on Signal on +44 20 8133 5190, OTR chat on, or email

In its report, Kaspersky said ZooPark had victims in Egypt, Jordan, Morocco, Lebanon, and Iran. Motherboard found similar results in the stolen GPS locations. The hacker previously told Motherboard that they believe ZooPark is an Iranian group, and some cybersecurity experts tentatively agreed. But Kaspersky previously told Motherboard it could not link the ZooPark activity to another known group.

ZooPark used Android malware to target its victims, sometimes tricking people into installing fake applications, such as one for the independence referendum in Kurdistan, or pushing the malware through malicious websites, according to Kaspersky’s research.

Now that the data is public, anyone—security researchers, nation states, or perhaps even targets themselves—can look through what ZooPark seemingly obtained through its hacking campaigns. This sort of information rarely becomes public; typically it will be kept within a circle of intelligence agencies, the hackers they may work with, or rival agencies from other nations who want to piggyback on the gathered intelligence.

So, what happens when it is exposed? As Motherboard found, at least one of the infected devices was seemingly visiting Islamic State-themed websites (the context of why that phone was visiting those sites is unclear.) Although hacking campaigns do sometimes pinpoint journalists, activists, or, as in the case of at least some of ZooPark, employees of international organizations, some targets may be legitimate, such as terrorists.

“Someone sent the payment through,” the hacker said.