Threat Actor Characterization

Ukrainian Cyber Alliance


ID: 59ac0d103560fd5e71607c1e90776709
Hacktivist Group Hacktivism
Threat types: Defacement
Ukraine RUS
Updated: 2026-04-08
Created: 2025-10-25
Progress: 94% Completeness: 96% Freshness: 90%
Operation zone: Russia
Aliases: Alianza Cibernética Ucraniana, UCA (2 of 5 shown)
MITRE ATT&CK®

| Technique | Technique name | Tactics | Evidence |
|---|---|---|---|
| T1190 | Exploit Public-Facing Application | TA0001 | 2024-07-26 — Vendor reporting and incident analysis indicate exploitation of public-facing management consoles and provider web portals in the July 2024 cluster. |
| T1499 | Endpoint Denial of Service | TA0040 | 2022-02-26 — Volunteer DDoS operations coordinated in IT Army channels accompanied many pro-Ukraine offensive activities in early 2022. |
| T1041 | Exfiltration Over C2 Channel | TA0010 | 2022-03-01 — Public leaking and posting of exfiltrated archives on Telegram and allied mirrors observed in multiple UCA claims. |
| T1485 | Data Destruction | TA0040 | 2024-07-26 — Reported destructive intrusions (wipes and data destruction) impacting provider infrastructure during the July 2024 cluster. |

Strategic Intelligence
Last updated: 2026-02-09T04:28:36+00:00
Ukrainian Cyber Alliance (UCA) — pro-Ukraine hacktivist coalition (FalconsFlame ∙ Trinity ∙ RUH8 ∙ CyberHunta origins)

CLASSIFICATION: Unclassified / Open Source Intelligence (OSINT)

Category: Cyber / Hacktivism — Origin: Ukraine (formed 2016; activity surged 2022–present)


Executive Summary

The Ukrainian Cyber Alliance (UCA) is a volunteer, patriotic-aligned hacktivist coalition formed in 2016 through the merger of smaller Ukrainian groups (FalconsFlame, Trinity, RUH8, CyberHunta). UCA conducts offensive cyber-operations—web defacements, data exfiltration/leaks, and destructive intrusions—primarily against Russian state, military, and commercial targets, and occasionally Belarusian entities. The group publicly claims many operations via Telegram and allied channels; some of its campaigns have been corroborated by victim statements and vendor reporting. Since 2022 the UCA has operated inside a broader Ukrainian volunteer ecosystem (including the loosely coordinated “IT Army”) that increased both operational tempo and public visibility for pro-Ukraine hacktivism. UCA accepts cryptocurrency donations and has been linked in open reporting to at least six-figure crypto flows traced in early 2022. Analytical confidence on historical formation, public claims and key incidents is high; confidence on internal governance and precise command relationships inside the volunteer ecosystem is medium.


  • Industries / Sectors: Government ministries/agencies; telecommunications and Internet providers; state media; defense-industrial firms; finance/payment rails; local/regional administrations inside Russia/occupied territories.
  • Geography (Region): Primary: Russia and Russian-controlled/occupied territories; secondary: Belarus, Russian-service providers with regional ties.
  • Timeframe: 2016 (formation) – present, with a marked surge in offensive operations and public claims from 2022-02 onward.
Executive Analyst Brief for CISO

Who / What: Ukrainian Cyber Alliance (UCA) — volunteer pro-Ukraine hacktivist coalition (2016→) that publicly claims data theft, destruction and defacement operations primarily against Russian targets; active surge since 2022.

IOC Appendix
Last updated: 2026-02-09T04:36:22+00:00

IOC Appendix (TLP:WHITE)

Note: these are behavioral and technical seeds derived from vendor reporting and UCA/public claims. Validate before blocking; prefer behavior rules.

OSINT Library
Last saved: 2026-02-09T04:36:37+00:00

OSINT Library — Ukrainian Cyber Alliance (UCA)


2025-03-05 — Trustwave SpiderLabs — “UCA shuts down Russian provider Nodex (Jan 7, 2025)”

Social Media & Communication
SOCMINT integrated: 0/3

| Address | Verification | SOCMINT |
|---|---|---|
| twitter.com/UCA******** | Restricted | Not integrated |
| t.me/UCA***** | Restricted | Not integrated |
| uh*****@gmail.com | Restricted | Not integrated |

Notes: preview mode hides sensitive social/contact details.
Reference Images / Associated Evidence (images not reproduced): banner; logo variants; hacked website evidence; affiliation between actors.