
Threat Actor Characterization

RedHack


ID: fc2c9179c9cd5d4a3311c5f07ae94c3494640
Hacktivist Group Collective Defacement Crew Hacktivism
Threat types: Defacement, DDoS Attack, Data Leak, Intrusion, Propaganda
Turkey TUR
Updated: 2026-03-14
Created: 2025-10-10
Progress: 91% Completeness: 100% Freshness: 70%
Operation zone: Turkey
Aliases: Kizilhack, Kızıl Hackerlar
Showing 2 of 12 aliases in free preview.
MITRE ATT&CK®

RedHack — Turkish Marxist–Leninist hacktivist group founded in 1997 with a reported core of ~12 members. Open sources attribute to RedHack intrusions and data-leak operations against police and ministries (2012), exploitation of public-facing apps and mass disclosures tied to parliament and agencies (2013–2014), breaches of major telecoms (TTNet, Turkcell, Vodafone) with PII leaks (2014), DDoS/availability actions, and the 2016 compromise and leak of Energy Minister Berat Albayrak’s emails.


Technique | Technique name | Tactics | Evidence
T1491.002 | External Defacement | TA0040
  • 2012-02-28 — Intrusion against Ankara Police Directorate / POLNET with data published.
  • 2015-03-12 — Defacement of Istanbul Police Association website (tribute to Berkin Elvan).
T1498 | Network Denial of Service | TA0040
  • 2012-04-27 — Regulator acknowledged a DDoS that slowed TTNet (impact disputed).
T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2016-12-07 — Berat Albayrak email trove attributed to RedHack; later mirrored/hosted and platform access temporarily blocked.
  • 2016-12-07 — International coverage of access to Albayrak’s accounts and publication of contents.
T1041 | Exfiltration Over C2 Channel | TA0010
  • 2016-12-06 — Publication/mirroring of large volumes of emails and documents following mailbox access.
T1190 | Exploit Public-Facing Application | TA0001
  • 2013-06-28 — SecurityWeek reports authentication flaws and access to the Istanbul Special Provincial Administration portal (public-facing app exploitation).
  • 2014-01-11 — XSS exploited on the Parliament/TBMM site to inject messages; additional compromises the same day.
T1565.001 | Stored Data Manipulation | TA0040
  • 2013-07-01 — Debt write-off/forgiveness in Istanbul administration portals after access.
  • 2014-11-16 — Reported bill cancellations in the Soma electricity distribution system after intrusion.
T1110.001 | Password Guessing | TA0006
  • 2012-03-06 — INFERENCE: Media reporting of very weak/default passwords (e.g., '123456') in Ankara Police systems supports password guessing/use of trivial credentials during compromises.
T1566 | Phishing | TA0001
  • 2016-12-07 — INFERENCE: Mailbox compromise of a senior official is consistent with phishing-based initial access; delivery vector not confirmed in open sources.
T1589 | Gather Victim Identity Information | TA0043
  • 2014-02-04 — INFERENCE: Campaigns involving PII exposure against telcos and targets imply prior gathering of victim identity information to enable impact and amplification.
T1590 | Gather Victim Network Information | TA0043
  • 2013-06-28 — INFERENCE: Targeting of specific public portals (e.g., Istanbul administration) indicates prior collection of victim network/service information for route-to-impact.
Strategic Intelligence
Last updated: 2025-11-01T01:14:38+00:00

RedHack Hacktivist Group

CLASSIFICATION: Unclassified / Open Source


Executive Summary

RedHack (Kızıl Hackerlar) is a Marxist–Leninist hacktivist collective founded in 1997, commonly described as having a core of ~12 members supported by a wider circle of sympathizers (we have identified 15 verified members). Open sources attribute to RedHack a long-running pattern of politically framed cyber operations: intrusions and data-leak campaigns against police and ministries (2012), exploitation of public-facing applications and high-visibility actions touching Parliament and administrative portals with data disclosures (2013–2014), breaches involving Turkish telcos (TTNet, Turkcell, Vodafone) and publication of PII (2014), DDoS/availability impacts, and—most prominently—the 2016 compromise and mass release of Energy Minister Berat Albayrak’s emails.


Socio-legal scholarship frames 2012–2017 as the group’s peak period of visibility and emphasizes the state’s criminalization of RedHack (terrorism/cyber-terror labels, emergency measures, and pressure on journalists around sensitive leaks). The evidence supports a pattern of politicized hacktivism with a strong disclosure/amplification strategy; however, primary technical artifacts are uneven and some attributions rest on the group’s own claims of responsibility and secondary reporting. Overall confidence: medium.

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — RedHack
Classification: Unclassified / OSINT
1) Who / what
RedHack is a Turkish, Marxist-aligned hacktivist collective active since the late 1990s that has repeatedly targeted Turkish state and commercial infrastructure with website defacements, data exfiltration and public leaks. Its operations historically include leaks of government/official emails and credentials and disruption of public web assets. Core profile and timeline summaries are documented in open re

Hunting Playbook

Hunting Playbook — RedHack
Category A — Defacement & Webroot Tamper (HIGH priority)
Hunt 1 — Webroot file creation / modification: known RedHack defacement file names
ATT&CK® techniques: [T1190][T1491.002]
Rationale: RedHack historically drops defacement pages. Monitor for creation/serving of those filenames.
Splunk (SPL)
index=osquery OR index=filebeat OR index=sysmon (file_path=*webroot* OR file_path=*www* OR file_path=*htdocs* OR file_path=*public_html*) AND (file_name="Hakkimizda.as

IOC Appendix
Last updated: 2025-11-25T20:46:02+00:00

Confirmed / well-reported indicators & hosting (evidence-backed)


OSINT Library
Last saved: 2025-11-25T20:46:03+00:00


2016-10-08 — The Hacker News — “Turkey blocks GitHub, Google Drive and Dropbox after RedHack leaks”

Social Media & Communication
www.kizilhack.org
www.red-hack.org
www.redhackers.org
redhackgercekleri.blogspot.com
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence
[Images: RedHack banner (first time); Hacked website evidence (2 images); RedHack Twitter account evidence (3 images)]