On 19 January 2022, the International Committee of the Red Cross (ICRC) revealed a cyberattack that led to the theft of personal data of more than 500,000 people receiving Red Cross or Red Crescent assistance. The hack also involved data from the Restoring Family Links programme, which aims to reconnect people separated by war, violence, or migration.
On the same day, cybersecurity researchers discovered that a hacker called Sheriff was offering the data for sale on a dark web forum, implying that a ransom note had been sent to the ICRC and that it had refused to pay.
The email used by this Sheriff also appears in an FBI warrant from early 2021 concerning a large-scale cyber influence operation originating in Iran. The email was used to create at least three domain names for fake news sites, aimed at “promoting political narratives consistent with Iranian interests,” including “anti-Saudi, anti-Israeli, and pro-Palestinian themes,” according to FireEye researchers who worked with the FBI.
The ICRC said it had never been in contact with the perpetrators of the cyberattack, had never received a ransom note and had no evidence of the stolen data being offered for sale.