Threat Actors

The Threat Actors tab provides organizations with direct visibility into the malicious groups and individuals operating in underground ecosystems who are actively publishing, selling, or distributing compromised data. This section transforms abstract risk into attributable adversary activity, enabling defenders to understand who is behind the threats.

What it shows

  • Avatar & Threat Actor Name → Each actor is displayed with an identifier and avatar, making it easier to track recurring groups across multiple leaks.

  • Threat Actor Link → Direct link to the actor’s channel or forum (e.g., Telegram, dark web forums), allowing analysts to investigate the source environment.

  • First Seen / Last Seen → Timestamps that track the actor’s activity window, providing context on whether the group is active or dormant.

  • Motivations → Tags such as Hacktivism, Financial, Educational, etc. highlight the primary intent behind the actor’s campaigns, giving security teams context about potential attack objectives.

Interactive Options

  • Search Bar → Allows filtering actors by name, activity, or keywords.

  • Export Button → Downloads the entire threat actor dataset for offline analysis, reporting, or enrichment within threat intelligence platforms.

Why it matters

  • Moves beyond “what was leaked” to “who leaked it”, adding valuable attribution to underground threats.

  • Helps analysts identify patterns of behavior, e.g., repeated targeting of a specific industry by the same actor.

  • Supports executives with clear intelligence on adversary motivations, whether financial gain, disruption, or espionage.

  • Equips incident response teams with source-level evidence, strengthening takedown requests or law enforcement collaboration.

AttackMetricx goes beyond surface-level monitoring by enriching threat actor profiles with behavioral analytics and machine-learning correlation. Analysts can not only see who leaked the data but also uncover relationships between actors, their preferred TTPs (tactics, techniques, and procedures), and their historical targeting of specific industries. This transforms the dashboard from a monitoring tool into a true threat attribution and intelligence platform.

Example Use Case

The dashboard reveals that the group Combo List Fresh Daily Updates has been consistently publishing fresh credential dumps on Telegram since 2022. Analysts can see both the threat actor’s link and their motivation tag (Hacktivism), helping the organization anticipate politically motivated attacks. The security team then exports the data to enrich their TI platform, automatically flagging future references to the same actor.
