The Cyberattacks That Never Happened: Five Fake Breaches Devised By Cybercriminals

Organizations face unprecedented challenges protecting against narrative attacks caused by misinformation and disinformation, now a go-to tactic for opportunistic cyber threat actors.

Sarah Boutboul, Beatrice Titus, Thomas Hynes, and Blackbird.AI’s RAV3N Narrative Intelligence and Research Team

Cybercriminals increasingly rely on narrative attacks created by deception and information manipulation to achieve their goals. Fooling organizations into believing they have been the victim of a data breach is a compelling example of disinformation’s threat in the cybersecurity world. Public institutions and renowned companies have made headlines over the last two years due to a supposed large-scale data leak, only to be debunked a few hours or days later. However, panic and loss of trust can quickly set in, reflecting the ever-growing challenge of discerning authentic information from manipulated content – especially regarding high-risk cybersecurity incidents.

In 2023, the U.S. Securities and Exchange Commission adopted new guidelines requiring registrants to disclose cybersecurity incidents within four days of exposure. The rapid timeline exposes companies to negative messaging, as the cycle from news to social media to create harmful narratives can start with a single post and scale within minutes- necessitating a swift and appropriate response. This adverse exposure is exacerbated by deceptive tactics employed by cybercriminals, as there are few regulations protecting organizations from misleading or exaggerated claims of breaches. If not handled strategically and quickly, these fake cyberattacks can make organizations more vulnerable to financial, operational, and reputational harm.   

LEARN MORE: What Is A Narrative Attack?

In this article, Blackbird.AI’s RAV3N Narrative Intelligence and Research Team overviews examples of harmful narratives created by fake data breaches that affected public and private organizations, intentionally conducted by threat actors to cause real-world harm by leveraging chaotic scenarios. Using insights from the Constellation Platform and Compass by Blackbird.AI, the RAV3N team dissected online reactions to these five case studies to illustrate how information manipulation can crucially reshape public perception of once-trusted institutions – even though the cyberattack has never actually happened. 

Narrative #1 – Sony’s Data Breach: A Clout-Chasing Hoax

Sony has endured numerous verified high-profile security incidents, such as the massive 2011 PlayStation Network hack that leaked 77 million user data. This denigrated public opinion of their security operations and trust in the company’s ability to handle customers’ personal identifying information. The damage a cyberattack can exhibit was exacerbated on September 25th, 2023, when a threat actor collective called Ransomed.VC claimed on a dark web forum to have breached Sony’s systems. They threatened to release the stolen data on September 28th, contingent upon paying an undisclosed ransom. Sony launched an investigation but revealed these claims were exaggerated, signifying that the incident appeared to be a clout-chasing hoax. Despite the discredited claims, the brand suffered reputational and financial damage. Social media narratives had already formed, and many validated these assertions due to Sony’s prior history.

This activity graph represents the initial spike of engagements following the news of the alleged hack. This chart also depicts how quickly narratives can spread across social media regardless of the veracity of the claims.

Sony’s alleged breach became a significant topic of discussion online among tech media, gamers, and other consumers. Customers expressed frustration over Sony’s perceived inability to secure its network. Rather than view this incident in isolation, thousands posted Sony’s breach-laden history. Still feeling the reputational damage from 2011’s massive PlayStation Network hack, they lamented that Sony had been victimized yet again by cyber criminals.  

The narrative cultivated  a loss of trust in the brand, causing many to urge  PlayStation customers to remove their payment information, as they added they were removing their own “just in case.” Others complained that despite repeated price increases on Sony’s products, the company still could not invest in better security systems. Customers of competing brands, such as longtime rival XBOX, took the opportunity to boast about their console’s superiority and encouraged Sony’s users to switch to protect their data. This event illustrates the effect non-threat actors can also have following a security incident.

This Constellation network graph visualizes narratives on social media discussing the alleged Sony breach. 

The false allegation prompted customers to lose trust in the brand’s ability to protect their users despite the misrepresented claims. The common thread throughout the conversations was that this was not Sony’s first security breach. The company’s previous cyber incidents rendered it more vulnerable to reputational and financial damage, as a second breach seemed plausible. It also illustrates the damage that a cyberattack can have long after the incident and the reputational harm of a false claim.

Narrative #2 – Europcar’s High-Profile Fake Data Breach 

On January 28, 2024, a user announced on a dark web hacking forum that they had access to nearly 50 million sensitive customer records of well-known car rental company Europcar, including alleged victims’ passwords, bank details, passport numbers, and other forms of identity that are often required to rent a car. While the user provided a sample set of supposedly stolen customer data to bolster their claim, Europcar quickly declared that the number of records was inconsistent and the email addresses did not exist – thus assessing that the data offered for sale online was not legitimate.

However, in the two days separating the cybercriminal’s claim and the company’s debunking, a few reactions to the narrative generated moderate engagement by expressing concerns over what they believed to be a genuine leak. These posts alerted anyone who had “ever rented a car through Europcar” to the risk of identity theft and expressed their distrust of the company, claiming that the breach was unsurprising given that Europcar reportedly regularly uses third-party car rental websites.

This Constellation network graph depicts narratives discussing the alleged Europcar breach. The cluster to the left represents a narrative concerned with the breach, while the cluster to the right contains a narrative surrounding the possible use of AI. 

In addition, other posts responded skeptically when the car rental company stated that the alleged data in the screenshot was “likely ChatGPT-generated” without detailing the arguments behind this assessment. While acknowledging that the leak was fake, this post listed evidence showing that it was not the result of AI – focusing on the presence of allegedly authentic email addresses in the screenshot and asserting that ChatGPT refused to assist them when asked to create fake, stolen customer data. This narrative doubted Europcar’s assessment, even calling it “hilarious.”

Narrative #3 – Epic Games Amid A Fake Hack Supposedly Against Hackers 

On February 28, 2024, Mogilevich—a new hacking group named after Russian organized crime boss Semion Mogilevich and self-described as extorting data from companies that fail to secure their infrastructure—claimed to have attacked Epic Games’ servers. The group specified that the leak contained nearly 200 GB of sensitive data, up for sale. Five days after the announcement, the ransomware gang claimed they had fabricated the databases to gain visibility by targeting a renowned brand and enticing other hackers to buy fake data. 

This activity graph depicts social media engagement with the narrative surrounding Epic Games’ fake hack. The visualization illustrates two narrative spikes: the first on February 28—the day Mogelevich proclaimed the breach and Epic Games stated that they uncovered no evidence in their investigation—and March 4, the day Mogilevic confessed the hack was illegitimate. Notably, February 28 attracted nearly double the number of users, further demonstrating the widespread public attention that false data leak allegations attract.

As cyberattacks are increasingly frequent in the gaming industry, with detrimental effects on targeted employees, customers, and game developers, over 4,000 social media users closely followed developments related to the fake hack. In the five days leading up to Mogilevich’s confession and despite Epic Games almost immediately confirming through an internal investigation that there was no evidence of a data leak, panic still set in online. While users widely relayed the company’s rejection of the attack, self-described gamers, and gaming news outlets warned of the hack and advised Epic Games users and employees to change their password immediately. A few posts noted that Epic Games accounts had allegedly been breached by hackers several times. At the same time, another post leveraged the rumor to express opposition to the company’s strategy of spending significant amounts to obtain exclusive games for its platform – adding that it should instead be concerned with the safety of its infrastructures. 

This Constellation network graph visualizes narratives discussing the purported hack of Epic Games.

Although this time fake, Epic Games was not Mogilevich’s first target, who successfully hacked into customer data of Infiniti USA – the luxury vehicle division of the Japanese carmaker Nissan – in January 2024. This case study shows the ability of cybercriminals to control the narrative effectively – in this case, a claim of data breach and the admission that it was not authentic.

Narrative #4 – Failure To Authenticate Fabricated Cyberattacks On The State Of Maine Data Breach Reporting Portal 

On February 19, 2024, a few cybersecurity-focused outlets reported that a threat actor had “fooled” the Maine Attorney General’s Office into publishing a police data breach notification on its dedicated portal that contained clear signs of manipulation. The state implemented the portal to allow public organizations and businesses to report any data breaches affecting Maine residents as part of its mandatory effort to enhance public transparency. Although the controversy didn’t gain much traction online and faded away the next day, one post pointed out that the lack of “robust verification of submissions” on the state of Maine’s data breach reporting portal could further contribute to the spread of false leaks, with a damaging impact on the reputation of the entities involved and on the state itself.

This claim was checked by Compass by Blackbird.AI.

Narrative #5 – Misattributed UK Ransomware Strike

On August 15, 2022, the Clop ransomware group announced on its Tor leak-focused website it had breached the systems of UK water company Thames Water. The cybercriminals claimed to have stolen more than 5TB of data from the largest water supplier in the UK, providing nearly 15 million people with water. Notably, the ransomware group boasted about spending months in the organization’s system, alleging it suffered multiple weak security points. However the same day, South Staffs Water – a smaller UK water company – revealed they had actually been the target of a cyber attack. Further inspection of Clop data confirmed the alleged breach indeed targeted South Staffs Water, as email addresses in the data were linked to the company. Clop did not specify whether it had misidentified its target or deliberately leveraged fabricated evidence to extort a large-scale water company.

Thames Water quickly released a statement officially categorizing the cyberattack as a hoax. Nevertheless, Clop’s allegations had already caused distress in Thames Water’s online customer base – especially as the fake breach occurred amid water ration policies following a drought period. Posts continuously reported that the company had experienced a real breach, while the controversy resonated with Tier 1 news media outlets. Days after the correction, a self-described customer claimed they fell for additional scams, alleging their emails to Thames Water were intercepted by the hackers. In addition, conflicting reports regarding the breach’s target – Thames Water or South Staffs Water –  exacerbated confusion and intensified apprehensions of a larger-scale hack. This fake hack triggered customers’ and organizations’ anxieties, portraying an assault on critical infrastructure as an unprecedented threat that could greatly impact drinking water supply and public safety.

While Thames Water remained uncompromised, it found itself drawn into adverse messaging, attracting undesired attention and casting customers’ fears. At the time, the company was particularly susceptible to financial and reputational harm as it was already under scrutiny for its water ration policies. This case study illustrates how fake breaches can mislead the public and affect a large-scale, vital, and trusted organization.  

This claim was checked by Compass by Blackbird.AI.

The Way Forward

Cyber threat actors increasingly use narrative attacks created by disinformation to reduce confidence in their targets—often large corporations and public organizations—posing a significant challenge to digital security and trust. Cybercriminals claim responsibility for breaches they did not commit or exaggerate their severity, prompting companies to launch investigations to confirm or deny the validity of these adverse claims. 

While the breach allegations cited in each case study lacked veracity, some investigations lasted several days, allowing the claims to quickly migrate to social media where the reputational and financial damage and loss of trust were immediate in Sony’s case. Such incidents can constitute an additional layer of vulnerability when entities involved have a history of successful cyberattacks. 

Fake cyberattacks targeting Fortune 2000 corporations are also a growing national security concern, as their reputations are the gatekeepers of Western hegemony and thus represent a key infrastructure to protect. It is, therefore, a national imperative to address this threat accordingly by safeguarding the reputations of brands at risk. From a public threat perspective, bad actors could falsely claim breaches of essential infrastructures to sow chaos as part of foreign interference efforts, undermining domestic confidence in defenseless organizations. 

The danger posed by fake cyberattacks can only become more sophisticated with the development of Generative AI, offering endless possibilities to generate instant simulations of stolen data for hackers – whether renowned or novice. There is no doubt that threat actors will increasingly rely on machine learning models to produce realistic yet manipulated leaks indistinguishable from human-generated attacks. This powerful tool poses an unprecedented narrative risk from a cybersecurity perspective, as attacking brands will get even more accessible.

Deception leaves organizations vulnerable to narrative attacks that profit from widespread chaos surrounding high-risk breaches. In this sense, knowing how to tackle this constant threat at its root and learning to discern real from fabricated leaks is paramount. Companies and organizations must quickly rebuild brand trust by understanding and monitoring these harmful narratives and staying one step ahead of evolving cyberattacks designed to alter human perception. It demonstrates a common need to embrace tools such as Blackbird.AI’s Constellation Narrative Intelligence Platform to proactively and accurately identify and analyze those narrative threats as they emerge. Finally, the right crisis communications are key to reducing damage posed by real and fake cyberattacks. An accurate and timely response can only be provided in close collaboration with cybersecurity, communications, and executive teams to communicate the real facts around a security incident to maintain public trust.

‍‍To learn more about how Blackbird.AI can help you in these situations, contact us here.

About Blackbird.AI

BLACKBIRD.AI protects organizations from narrative attacks created by misinformation and disinformation that cause financial and reputational harm. Our AI-driven Narrative Intelligence Platform – identifies key narratives that impact your organization/industry, the influence behind them, the networks they touch, the anomalous behavior that scales them, and the cohorts and communities that connect them. This information enables organizations to proactively understand narrative threats as they scale and become harmful for better strategic decision-making. A diverse team of AI experts, threat intelligence analysts, and national security professionals founded Blackbird.AI to defend information integrity and fight a new class of narrative threats. Learn more at Blackbird.AI.

Need help protecting your organization?

Book a demo today to learn more about Blackbird.AI.