
Threat Actor Characterization

Shadow Kill Hackers


ID: 8a915a9c5677af420e8bf3b78d244ab5
Hacktivist Group Hacktivism
Threat types: Hacktivism
Unknown UNKNOWN
Updated: 2026-04-12
Created: 2026-04-03
Progress: 70% Completeness: 61% Freshness: 90%
Operation zone: UNKNOWN
Aliases
No aliases registered.
MITRE ATT&CK®

Shadow Kill Hackers is a thinly documented criminal extortion brand most strongly associated with the October 2019 City of Johannesburg incident. Public reporting supports a ransom demand, claims of stolen municipal data, and public social-media pressure, but not a mature repeat-offender ecosystem.


Technique | Technique name | Tactics | Evidence
T1190 | Exploit Public-Facing Application | TA0001
  • 2019-10-24 — INFERENCE (confidence: low): Public reporting supports compromise of municipal systems and shutdown of public services, but the precise initial access vector was not documented.
T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2019-10-27 — INFERENCE (confidence: low): Claimed internal access to municipal systems and screenshots of sensitive data could be consistent with use of valid accounts or privileged credentials.
T1005 | Data from Local System | TA0009
  • 2019-10-27 — The actor publicly claimed it had downloaded sensitive finance data from the City of Johannesburg's servers and threatened to upload it to the Internet if unpaid.
T1567 | Exfiltration Over Web Service | TA0010
  • 2019-10-24 — INFERENCE (confidence: low): The operation involved a threat to publish allegedly stolen data online, but the actual exfiltration channel or publication workflow was not publicly documented.
T1491.001 | Internal Defacement | TA0040
  • 2019-10-27 — INFERENCE (confidence: low): The actor claimed it had turned the city's DNS off from an internal server, suggesting possible internal manipulation of public-facing service presentation, but the technical details remain thin.
Strategic Intelligence
Last updated: 2026-04-12T19:19:07+00:00
Shadow Kill Hackers — Early data-extortion / pseudo-ransom cluster

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Cybercrime / Data-extortion - Origin: Unknown

Author: iQBlack CTI Team


Executive Summary

Shadow Kill Hackers is best assessed as a short-lived criminal extortion cluster that became publicly visible during the October 2019 compromise of the City of Johannesburg. Public reporting consistently ties the brand to a ransom demand of 4 BTC, claims of sensitive-data theft, screenshots allegedly showing internal access, and public pressure designed to force payment.


The group is unusual because the strongest open reporting does not support conventional ransomware encryption as the central coercive mechanism. Later retrospective analysis characterized the case as a largely social extortion event: the operators claimed to have stolen financial and personal data and threatened publication if the city did not pay, but no stable evidence base emerged for broad-scale file encryption, mature leak-site operations, or a long-running affiliate ecosystem.

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — Shadow Kill Hackers

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

What happened

Shadow Kill Hackers is the public label used by the operators who extorted the City of Johannesburg in October 2019. The group claimed access to municipal systems, threatened release of allegedly stolen financial and personal data, and demanded 4 BTC. The city shut down website and e-services as a precaution and later refused payment.

Why it matters

The

Hunting Playbook

Hunting Playbook — Shadow Kill Hackers

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Analytical positioning: Shadow Kill Hackers is best tracked as a short-lived data-extortion cluster associated with the October 2019 compromise of the City of Johannesburg. Public reporting supports ransom pressure, claimed data theft, screenshots allegedly showing internal access, and service-impact pressure, but does not strongly support a mature ransomware program.

Use cas

IOC Appendix
Last updated: 2026-04-12T19:23:26+00:00

1. File-based Artifacts (hashes, filenames, paths)

No defensible malware hash set, filename cluster, or stable locker artifact could be established from the reviewed public record.

OSINT Library
Last saved: 2026-04-12T19:23:43+00:00

OSINT Library — Shadow Kill Hackers


2019-10-27 — MyBroadband — "We did not attack your banks – City of Joburg hackers"

Social Media & Communication
SOCMINT integrated: 0/0

No social links registered for this profile.
Reference Images/Associated Evidence

No images found for this threat.