3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
Z1k3n

Z1k3n

ID: 7e65b663ae1b219a75c5bc62488e537f91843
Cybercrime Cybercriminal Hacktivist
Threat types: Hacktivism, Defacement, Intrusion, Data Leak
Mexico ARG, BOL, BRA, IND, MEX, VEN
Updated: 2026-03-30
Created: 2026-03-27
Progress: 89% Completeness: 89% Freshness: 90%
Operation zone: Argentina, Bolivia, Brazil, India, Mexico, Venezuela
Aliases Limited alias preview
21k3n
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium
Actor Techniques page ATT&CK® Diagram

Z1k3n is a Chronus Team-linked operator/persona associated with leak-oriented activity affecting health, police, security, welfare, industrial, and public-sector targets across Latin America.


Technique Technique name Tactics Evidence
T1190 Exploit Public-Facing Application TA0001
  • 2026-03-30 — INFERENCE (confidence: medium): targeting pattern against exposed public-sector, health, and security services is consistent with exploit of public-facing applications. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2026-03-30 — INFERENCE (confidence: medium): some leak cases may have involved weak or compromised credentials rather than direct exploitation alone. · ref
T1005 Data from Local System TA0009
  • 2026-01-22 — The remsa.gob.ar leak attributed to @z1k3n involved a spreadsheet named reporte.xlsx containing mining and industrial data, consistent with collection from local systems. · ref
  • 2026-03-30 — Fresh Argentina cases linked to Z1k3n involve security, police, and health-related data exposure, consistent with collection from local institutional systems. · ref
T1567 Exfiltration Over Web Service TA0010
  • 2025-11-23 — INFERENCE (confidence: medium): public release behavior described in the Venezuela ministry case is consistent with exfiltration and redistribution over web-based services or publication channels. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-03-30T21:18:09+00:00
Z1k3n — Chronus Team-linked operator

Classification: Unclassified / Open Source Intelligence (OSINT) + Limited Human Intelligence (HUMINT) — TLP:WHITE

Category: Cybercrime / Hacktivism-adjacent intrusion and leak activity - Origin: Mexico (assessed, not confirmed)

Author: iQBlack CTI Team


Executive Summary

Z1k3n is assessed as a public-facing operator linked to the broader Chronus Team ecosystem, a Mexico-linked and wider LATAM leak-and-disruption cluster associated with intrusion, data exposure, and public reputational pressure against state-linked and socially sensitive institutions. Available evidence does not support treating Z1k3n as a standalone organization. Instead, the alias is best modeled as an operator/persona embedded in a semi-decentralized brand environment where multiple names publicly front specific incidents or target sets.


Current confidence is medium-high that Z1k3n is an active cluster-linked operator rather than a decorative co-branding alias. Public and commercial reporting tie the name to multiple data-leak events involving Mexico and Argentina, while internally supplied reporting adds fresh Argentina-linked activity involving security, police, and health-related institutions. This pattern is significant because it moves Z1k3n beyond single-incident visibility and into a recurring operational role inside the Chronus ecosystem.

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for CISO — Z1k3n

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — Z1k3n / Chronus Team-linked Activity


Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-03-30T21:22:18+00:00

IOC Appendix — Z1k3n

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-03-30T21:25:11+00:00

OSINT Library — Z1k3n


2026-03-27 — iQBlack — “Chronus Team: an emerging intrusion-and-leak actor focused on Mexico, with signs of expansion toward Argentina”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/5
Address Verification SOCMINT
twitter.com/z1k** Restricted Not integrated
Address Verification SOCMINT
t.me/z1k** Restricted Not integrated
t.me/dat******* Restricted Not integrated
t.me/z1k******* Restricted Not integrated
t.me/fle***** Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
Showing 1–2 of 2 images
Propaganda Free Preview
Propaganda
Propaganda Free Preview
Propaganda