profile: disbanded Jul 2024
type: Hacktivism
threat_level: Medium
status: Disbanded
origin: USA — hacktivist collective
last_updated: 2026-03-27

SiegedSec

Also known as: Sieged Security; "Gay Furry Hackers" (self-described). Led by "vio" / "YourAnonWolf". Affiliated: GhostSec, KittenSec.

Self-described "gay furry hackers" — a US-based hacktivist collective that spent two years targeting NATO, a major nuclear research lab, right-wing organizations, and anti-LGBTQ+ state governments under explicitly queer political framing. The Idaho National Laboratory breach demanded the facility research "creating IRL catgirls." SiegedSec was notable not for technical sophistication but for a willingness to breach genuinely sensitive targets — nuclear laboratory employee PII, NATO unclassified portals, the Heritage Foundation's user database — while conducting operations with a distinctive combination of political seriousness and deliberate absurdism. Disbanded July 11, 2024 following FBI scrutiny and the reported arrest of its leader.

leader alias: "vio" (formerly "YourAnonWolf")
operational period: April 2022 — July 11, 2024
disbandment reason: FBI scrutiny; leader "vio" reportedly raided and arrested
primary motivation: LGBTQ+ rights; anti-right-wing; anti-NATO; "lulz"
most significant breach: Idaho National Laboratory — 45,000+ individuals; nuclear DOE facility
nato attacks: 2 confirmed (Jul 2023; Oct 2023) — 3,000+ internal documents
affiliations: GhostSec (vio was member); KittenSec (joint operations)
technical sophistication: Low — SQL injection, credential stuffing, opportunistic exploits
multiple disbandments: Dec 2022 (first); Jul 2024 (final)

Overview

SiegedSec emerged in April 2022 with the creation of its Telegram channel, shortly after Russia's invasion of Ukraine. The group was led by an individual known as "vio" (earlier "YourAnonWolf"), who was also reportedly a member of the hacktivist group GhostSec. From the outset, SiegedSec combined a distinctive online persona — deliberate vulgarity, furry fandom references, dark humor — with genuinely disruptive attacks on targets that would draw significant media and law enforcement attention. The self-identification as "gay furry hackers" was simultaneously a community-building device, an attention mechanism, and a defiant political statement: the group positioned its online identity as continuous with its political mission of targeting anti-LGBTQ+ organizations and legislation.

SiegedSec's target selection was ideologically coherent despite the eclectic range of victims. The group targeted state governments that passed anti-gender-affirming-care or anti-abortion legislation under #OpTransRights. It targeted right-wing organizations — Westboro Baptist Church, Real America's Voice, The Heritage Foundation (the author of Project 2025). It targeted NATO, citing human rights concerns related to member state actions. The Idaho National Laboratory breach was anomalous by political logic — a nuclear research facility is not an obvious LGBTQ+ rights target — but the demand for research into "creating IRL catgirls" was a public demonstration of the group's willingness to weaponize its absurdist identity against unexpected targets. The group did not access or disclose any data related to nuclear research at INL; the breach reached only the Oracle HCM human resources system.

The group's political seriousness was periodically complicated by its own self-contradictions. Members told CyberScoop in 2023 that they considered themselves "more blackhat than activists," and the operational archives analyzed by Flare revealed patterns of less politically motivated attacks alongside the headline breaches. The group also showed a recurring pattern of partial or temporary disbandments — going dark in December 2022 before resuming — suggesting internal instability beneath the public-facing persona.

SiegedSec's final operation targeted The Heritage Foundation in early July 2024 — releasing passwords, usernames, user logs, and approximately 2GB of data from the Foundation's servers (which the Heritage Foundation denied came from its own systems). In the correspondence between Heritage Executive Director Mike Howell and SiegedSec's "vio" that the group released publicly, Howell stated that the FBI had been alerted and was working to identify group members. Within 48 hours, the group announced disbandment on Telegram, citing mental health, stress, and fear of FBI scrutiny. Several months later, independent journalists covering the group reported that "vio" had been raided and arrested by the FBI — though the arrest has not been officially confirmed.

Political Identity and Motivation

SiegedSec's political motivations were among the most explicitly stated of any hacktivist group in recent memory. The group articulated its targeting criteria directly — it attacked organizations it perceived as threatening LGBTQ+ rights, enabling conservative policy agendas, or violating human rights through NATO membership. This transparency set it apart from groups that claim broad political mandates while operating primarily for financial gain or notoriety.

  • Trans rights (#OpTransRights, #OpTransRights2): The group's primary and most sustained political campaign. In June 2023, SiegedSec targeted US state governments and agencies in states that had passed anti-gender-affirming-care legislation — including the city of Fort Worth, Texas; the Nebraska Supreme Court; and South Carolina police. In April–May 2024, #OpTransRights2 returned, targeting Real America's Voice and River Valley Church as organizations the group associated with anti-trans advocacy.
  • Anti-right-wing operations: The Heritage Foundation was SiegedSec's final and highest-profile right-wing target, specifically selected because of its authorship of Project 2025 — the conservative policy agenda that included rollbacks of abortion access and LGBTQ+ protections. Earlier targets included Westboro Baptist Church, Real America's Voice, and unnamed right-wing organizations the group associated with anti-LGBTQ+ policy positions.
  • Anti-NATO operations: Two attacks on NATO unclassified portals (July 2023; October 2023) were framed around human rights concerns attributed to NATO member states. The group collaborated with KittenSec on anti-NATO operations targeting government systems in Romania, Greece, France, Chile, Panama, and Italy. The NATO operations had the highest geopolitical impact of any SiegedSec actions, prompting NATO to announce formal investigations.
  • Pro-Palestine operations: In late 2023, SiegedSec attacked Bezeq, a major Israeli telecommunications provider, leaking data on approximately 50,000 customers. In July 2024, the group's "Seven Days of Siege" campaign claimed breaches of organizations accused of aiding Israel — though these claims were largely unverified at the time of disbandment.
  • "Lulz" operations: Alongside the political campaigns, the group engaged in less politically motivated attacks for entertainment value. The University of Connecticut LISTSERV spoofing — sending fake emails to undergraduate students announcing the death of the university president — was explicitly attributed to having been done "for the lulz" by "vio" in a Hartford Courant interview.

Key Operations

Atlassian Employee Data Leak (Feb 2023)

SiegedSec claimed possession of records belonging to thousands of Atlassian employees, including floor plans of the Australian company's offices. Investigation revealed the breach did not originate from Atlassian's own systems but from a third-party app that Atlassian used for office resource coordination. An employee credential for the third-party service had been compromised. This breach illustrates SiegedSec's frequent use of third-party and supply chain access points rather than direct exploitation of primary target systems.

#OpTransRights — State Government Breaches (Jun 2023)

SiegedSec targeted several US state government entities to protest anti-gender-affirming-care legislation. Confirmed breaches released data from the city of Fort Worth, Texas; the Nebraska Supreme Court; and South Carolina police files. The group also targeted state-run platforms in Nebraska, South Dakota, Texas, Pennsylvania, and South Carolina. City of Fort Worth officials subsequently determined that much of the information released was already publicly available — a common outcome in SiegedSec operations where breach impact was overstated relative to actual system access. The group claimed earlier attacks against Arkansas and Kentucky government systems following those states' abortion bans after the Dobbs v. Jackson ruling.

NATO Portal Breaches — Two Attacks (Jul 2023 and Oct 2023)

SiegedSec attacked NATO on two separate occasions in 2023. In July, the group compromised the NATO Communities of Interest Cooperation Portal, leaking documents. In October, the group leaked over 3,000 internal NATO documents from multiple portals — the Joint Advanced Distributed Learning portal, NATO Lessons Learned Portal, Logistics Network Portal, Communities of Interest Cooperation Portal, NATO Investment Division Portal, and NATO Standardization Office portal. All breached portals were unclassified. NATO announced formal investigations following both incidents. The second attack was conducted in collaboration with KittenSec. These operations had the highest geopolitical resonance of any SiegedSec campaign and directly contributed to the law enforcement attention that ultimately prompted the group's disbandment.

Idaho National Laboratory — Oracle HCM Breach (Nov 2023)

On November 20, 2023, SiegedSec compromised the Oracle Human Capital Management system used by the Idaho National Laboratory (INL), a US Department of Energy nuclear research facility employing approximately 5,700 personnel. Data exfiltrated included full names, Social Security numbers, bank account and routing numbers, dates of birth, home addresses, health care information, and marital status of current, former, and retired employees — INL confirmed the breach affected more than 45,000 individuals. The group created a custom announcement on INL's internal system, then publicly posted proof of access on Telegram and BreachForums. The demand attached to the release: that INL conduct research into "creating real-life catgirls." No nuclear research data was accessed or disclosed. CISA, the FBI, and the Department of Energy opened investigations. INL did not officially attribute the attack to SiegedSec, though the group's public claim and accompanying proof of access were extensively documented. In February 2024, some employees began receiving physical mail containing ransom payment requests for their exposed data.

Bezeq — Israeli Telecom Customer Data (Oct 2023)

On October 30, 2023, SiegedSec attacked Bezeq, one of Israel's largest telecommunications providers, leaking information on approximately 50,000 customers. The attack was positioned as part of the group's response to the Israel-Gaza conflict following the October 7 Hamas attacks. The Bezeq operation represented SiegedSec's expansion beyond its prior focus on US and NATO targets into the Israel-Palestine conflict theater.

The Heritage Foundation — Final Operation (Jul 2024)

SiegedSec's final operation before disbandment targeted The Heritage Foundation, the American conservative think tank and primary architect of Project 2025. The group released passwords, usernames, user logs, and claimed 2GB of data from Heritage Foundation systems, publishing the full dataset of credentials and full names on Mega. Heritage Foundation disputed that its servers were breached. Simultaneously, SiegedSec released the full text chat log of its communications with Heritage Executive Director Mike Howell, in which Howell told "vio" that the FBI had been alerted and was working to identify group members. Within 48 hours of releasing the Howell correspondence, SiegedSec posted its disbandment announcement on Telegram on July 11, 2024, citing mental health, stress, and fear of FBI investigation.

Tactics, Techniques & Procedures

SiegedSec's technical capabilities were limited relative to its high-profile targets. The group relied primarily on opportunistic vulnerability exploitation and third-party supply chain access, supplemented by data exfiltration and public pressure rather than persistent network access or sophisticated lateral movement.

  • SQL Injection: SiegedSec's primary documented attack vector. Exploiting SQL injection vulnerabilities in web applications gave the group unauthorized access to underlying databases — providing direct access to user account data, credentials, and PII without requiring complex exploitation chains or custom malware. The Oracle HCM INL breach and several state government breaches were achieved through web application vulnerability exploitation.
  • Third-Party and Supply Chain Access: The Atlassian breach illustrates SiegedSec's use of supply chain pivot points — a compromised credential for a third-party resource coordination app gave access to Atlassian employee data without breaching Atlassian's primary systems. This pattern of targeting trusted third parties with weaker security than the intended primary target was consistent across multiple operations.
  • Credential Exploitation: Reuse of compromised credentials obtained through phishing, credential stuffing, or credential marketplaces was documented as a secondary access vector. Several state government breaches relied on credential-based access rather than direct vulnerability exploitation.
  • Immediate Public Disclosure: SiegedSec's consistent operational pattern was to exfiltrate data and post proof of access on Telegram and BreachForums before engaging the target in any ransom or negotiation. This distinguished the group from financially motivated actors: the primary objective was reputational and political impact through public disclosure, not monetization. The Heritage Foundation breach, NATO portal leaks, and INL breach all followed this pattern of immediate public data release.
  • Social Engineering and Spoofing: The University of Connecticut LISTSERV operation demonstrated SiegedSec's use of email spoofing to create disruptive social engineering attacks that did not require any system compromise — exploiting legitimate mailing list infrastructure to distribute false announcements to thousands of students.
  • DDoS (claimed, less documented): SiegedSec claimed involvement in distributed denial-of-service attacks against various targets, though these claims were less consistently verified than the data breach operations. The group's collaboration with KittenSec on NATO operations reportedly included DDoS components.

Disbandment and Aftermath

SiegedSec's first disbandment announcement came in December 2022 — less than a year after formation — though the group resumed operations within months. The second and final disbandment on July 11, 2024 followed a compressed sequence of escalation: the Heritage Foundation breach, the public release of the FBI-referencing Howell correspondence, and the near-simultaneous disbandment announcement within a 48-hour window.

Disbandment status

SiegedSec's official Telegram disbandment announcement cited mental health, stress, and FBI scrutiny. Several months after the formal disbandment, multiple independent journalists with documented experience covering the group reported that "vio" had been raided and arrested by the FBI. No official public confirmation of this arrest exists as of this writing. The group's first disbandment (December 2022) did not prevent resumption of operations. Whether the July 2024 disbandment is permanent — or whether former members will resurface under new identities within affiliated groups like GhostSec or KittenSec — remains an open question.

The broader significance of SiegedSec's two-year operational run is less about technical capability than about what its target selection demonstrated: relatively low-sophistication actors using opportunistic web application vulnerabilities can breach genuinely sensitive targets if those targets have weak credential hygiene, unpatched web-facing applications, or third-party dependencies with inadequate security controls. The Idaho National Laboratory breach — a DOE nuclear research facility employing thousands of cleared personnel — was achieved through an Oracle HCM system, not a classified nuclear network. The NATO portal breaches involved unclassified information-sharing systems. The gap between the symbolic significance of these targets and the actual technical difficulty of breaching them is the most analytically important lesson from SiegedSec's operational history.

Mitigation & Lessons

  • Web Application Vulnerability Management for HR and Support Systems: The INL breach reached a DOE nuclear research facility through its Oracle HCM HR platform — not its classified research networks. HR systems, payroll platforms, and workforce management applications are consistently under-prioritized in security programs despite containing dense concentrations of PII. Apply the same vulnerability management and penetration testing rigor to cloud-based HR and support systems as to production networks. The fact that a data breach of a nuclear laboratory employee database is operationally possible via an Oracle HR system should drive organizations across all sectors to reassess the attack surface of their cloud-connected HR platforms.
  • Third-Party Application Security Review: The Atlassian breach originated in a third-party office resource coordination app, not Atlassian's core systems. Conduct regular security assessments of all third-party integrations with internal systems, particularly those that have access to employee data, credentials, or internal directories. Enforce least-privilege credential policies for third-party applications — a credential for an office room booking app should not enable access to employee databases.
  • Web Application Firewall and SQL Injection Controls: SQL injection remains SiegedSec's documented primary access vector. Ensure all web-facing applications have WAF protections with SQL injection rule sets enabled, apply parameterized queries and input validation at the application layer, and conduct regular application security testing including SQLi scanning against internet-facing services. Regular penetration testing of state government portals, regulatory databases, and public-facing institutional applications should include SQLi as a required test category.
  • Monitoring Public Disclosure Channels for Breach Detection: SiegedSec consistently posted proof of breach on Telegram and BreachForums before notifying or engaging targets. Security teams should monitor dark web and Telegram breach disclosure channels as an early-warning mechanism — in several SiegedSec cases, the group's public announcement was the first indication the target had of the breach. Services monitoring BreachForums and high-activity hacktivist Telegram channels provide meaningful detection lead time before targeted organizations are directly contacted.
  • PII Exposure Response for Employees: The INL breach resulted in Social Security numbers, bank account details, home addresses, and health care information for more than 45,000 current, former, and retired employees being publicly circulated, with some employees receiving physical mail ransom demands months later. HR breach response plans should include credit monitoring enrollment for all affected individuals, proactive communication to current and former employees, and specific guidance on protecting against downstream fraud from the specific PII categories exposed.
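The SQL injection vector from the TTP list and the parameterized-query and WAF-style controls from the mitigation list, shown side by side as an added example written for this profile (not SiegedSec tooling or code from any victim system). It uses a constructed in-memory employee table in Python; the table layout, the `lookup_*` function names and the `SQLI_PATTERN` rule are assumptions.

```python
import re
import sqlite3

# Constructed sample rows standing in for an HR/HCM back end (no real data).
EMPLOYEES = [
    ("alice", "alice@example.test", "***-**-0001"),
    ("bob", "bob@example.test", "***-**-0002"),
    ("carol", "carol@example.test", "***-**-0003"),
]

# Assumed detection rule: a quote followed by a boolean operator, UNION SELECT,
# comment markers or a statement separator inside a value that should be a
# plain username. A real WAF SQLi rule set covers far more than this.
SQLI_PATTERN = re.compile(r"(?i)('\s*(or|and)\b|\bunion\s+select\b|--|;|/\*)")


def _connect():
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (username TEXT, email TEXT, ssn_masked TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def lookup_vulnerable(username):
    """Query built by string interpolation: the caller's text becomes part of
    the SQL, so a value containing quotes can rewrite the WHERE clause."""
    conn = _connect()
    sql = f"SELECT username, email, ssn_masked FROM employees WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(username):
    """Same lookup with a bound parameter: the driver passes the value as data,
    so it is only ever compared against the column, never parsed as SQL."""
    conn = _connect()
    sql = "SELECT username, email, ssn_masked FROM employees WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def flag_suspicious_input(value):
    """Edge-layer check (WAF-style): True if the value looks like injection
    syntax. A detection aid, not a substitute for parameterized queries."""
    return SQLI_PATTERN.search(value) is not None


if __name__ == "__main__":
    tautology = "x' OR '1'='1"
    print("vulnerable, normal input  :", lookup_vulnerable("alice"))
    print("vulnerable, crafted input :", lookup_vulnerable(tautology))    # every row
    print("parameterized, crafted    :", lookup_parameterized(tautology))  # no rows
    print("flagged by edge rule      :", flag_suspicious_input(tautology))
```

The crafted value turns the interpolated query into `WHERE username = 'x' OR '1'='1'`, which dumps the whole table, while the parameterized version simply finds no user with that literal name.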

Analyst note

SiegedSec occupies an analytically unusual position in the hacktivist landscape because its public identity was so deliberately constructed and so legible. Unlike Anonymous or other amorphous collectives, SiegedSec was a named group with a named leader, an explicit political agenda, a documented community space on Telegram, and a consistent aesthetic identity. This transparency about identity and motivation — while operationally reckless — made attribution straightforward and allowed observers to track the group's political evolution in real time. The group's willingness to breach genuinely consequential targets (a DOE nuclear facility, NATO information-sharing portals) while using relatively unsophisticated methods challenges a common assumption that sensitive infrastructure requires sophisticated attackers to breach. The INL and NATO operations were high-profile precisely because of their targets' institutional gravity, not because the technical methods involved were advanced. Security posture for "sensitive" institutions cannot rely on the assumption that only well-resourced state actors will attempt to breach them — SiegedSec's operational history demonstrates that politically motivated actors with basic SQL injection skills and access to credential markets can access systems that carry significant national security optics, even if not classified content. The absurdist catgirl demand at Idaho National Laboratory was SiegedSec's most quotable moment and arguably its most revealing: the group was willing to embarrass a nuclear research facility for ideological territory-marking, knowing the demand itself would attract more coverage than any straightforward ransom note could.
