Global “Lone Hacker” Campaign Breaches Data of 50 Major Companies Using Stolen Passwords
A single threat actor operating under the aliases Zestix and Sentap has managed to compromise private files belonging to more than 50 major organizations worldwide, exposing a stark and uncomfortable truth about modern corporate security. According to new research published by Israeli cybersecurity firm Hudson Rock and its sister site Infostealers.com, the breaches did not rely on sophisticated exploits or zero-day vulnerabilities, but on something far more basic: stolen passwords and the absence of multi-factor authentication.
The affected organizations span multiple sectors and continents, including aviation, healthcare, manufacturing, military supply chains, and public infrastructure. Among the victims are Iberia Airlines, Pickett & Associates, Sekisui House, IFLUSAC, K3G Solutions, CRRC MA, GreenBills, CiberC, and Maida Health, highlighting the truly global scope of the campaign.
Who is behind the campaign
Researchers believe the attacker is an Iranian national who has been active on underground forums using the names Zestix and Sentap. Rather than quietly exploiting the stolen data, the hacker has been openly auctioning massive troves of corporate files on dark web marketplaces, offering exclusive access to the highest bidder.
This approach has allowed researchers to track the scope of the activity in unusual detail, as the attacker frequently advertised the size, nature, and sensitivity of the stolen datasets to attract buyers.
How infostealers opened the door
Despite the scale of the breach, the hacker did not directly attack the companies themselves. Instead, access was gained through infostealer malware, specifically RedLine, Lumma, and Vidar. These strains are commonly distributed through fake software downloads, cracked games, or malicious email attachments.
Once installed on a victim’s personal or work computer, the malware silently harvested every password saved in the user’s web browser. These credentials were then collected into logs and later sold or traded on underground markets.
Zestix simply purchased or otherwise obtained these logs and reused the stolen passwords to log into corporate cloud file-sharing services such as ShareFile, Nextcloud, and ownCloud. The attacks succeeded because many of the compromised accounts did not have multi-factor authentication enabled.
Why MFA would have stopped everything
Multi-factor authentication adds a second verification step, often a code sent to a phone or generated by an app, after a password is entered. In this campaign, the absence of that second step meant the stolen password alone was enough to grant full access.
Researchers noted that some of the compromised credentials were several years old. Simple security hygiene such as enforcing MFA or periodic password resets would likely have prevented the breaches entirely.
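The two points above, that stealer logs carry saved browser passwords for specific login URLs and that a years-old password still works wherever MFA is off and the password was never rotated, translate into a simple triage a defender can run against a leaked-credential feed. The following is an added example, not Hudson Rock's tooling or any of the named companies' code; the log entries, hostnames and account inventory are constructed, and the field layout of a stealer entry is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

@dataclass(frozen=True)
class StealerEntry:
    url: str        # login URL the stealer recorded alongside the saved password
    username: str
    stealer: str    # family that produced the log, e.g. RedLine, Lumma, Vidar
    captured: date  # date the log was generated on the infected machine

@dataclass(frozen=True)
class Account:
    username: str
    host: str               # external cloud file-sharing host the account belongs to
    mfa_enabled: bool
    password_last_set: date

# Worst verdict wins when several logs mention the same account.
_SEVERITY = {"mitigated_by_mfa": 0, "mitigated_by_rotation": 1, "takeover_possible": 2}

def triage(entries, accounts, today):
    """Map (username, host) -> verdict for every inventory account seen in stealer logs.
    'takeover_possible' means MFA is off and the password has not been changed since
    the capture date, so the leaked password alone still grants access."""
    inventory = {(a.username.lower(), a.host.lower()): a for a in accounts}
    findings = {}
    for e in entries:
        host = (urlparse(e.url).hostname or "").lower()
        acct = inventory.get((e.username.lower(), host))
        if acct is None:
            continue  # credential for a service we do not own; not our exposure
        if acct.mfa_enabled:
            verdict = "mitigated_by_mfa"
        elif acct.password_last_set > e.captured:
            verdict = "mitigated_by_rotation"  # password changed after the log was made
        else:
            verdict = "takeover_possible"
        key = (acct.username, acct.host)
        prev = findings.get(key)
        if prev is None or _SEVERITY[verdict] > _SEVERITY[prev["verdict"]]:
            findings[key] = {"verdict": verdict, "stealer": e.stealer,
                             "days_exposed": (today - e.captured).days}
    return findings

# Constructed sample data (not real logs or accounts).
SAMPLE_LOGS = [
    StealerEntry("https://files.example-air.test/login", "j.doe", "RedLine", date(2022, 3, 10)),
    StealerEntry("https://cloud.example-eng.test/index.php/login", "a.lee", "Lumma", date(2024, 9, 1)),
    StealerEntry("https://cloud.example-eng.test/index.php/login", "m.roy", "Vidar", date(2025, 1, 5)),
    StealerEntry("https://unrelated.test/login", "j.doe", "RedLine", date(2025, 2, 2)),
]
SAMPLE_ACCOUNTS = [
    Account("j.doe", "files.example-air.test", mfa_enabled=False, password_last_set=date(2021, 6, 1)),
    Account("a.lee", "cloud.example-eng.test", mfa_enabled=True, password_last_set=date(2023, 1, 1)),
    Account("m.roy", "cloud.example-eng.test", mfa_enabled=False, password_last_set=date(2025, 3, 1)),
]
```

Accounts reported as `takeover_possible` are the ones to force a reset on and enrol in MFA first; `days_exposed` shows how long the password has been circulating, which in this campaign ran to years.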
Scale and sensitivity of exposed data
The stolen data varied widely in size and sensitivity. Iberia Airlines reportedly lost 77 GB of internal files, including aircraft safety manuals. This is particularly concerning given that the airline had already suffered a major ransomware breach in November 2025, when the Everest ransomware group leaked 596 GB of internal and customer data.
In the United States, Pickett & Associates lost approximately 139 GB of data, including detailed maps of power lines and utility stations. Such information could pose serious risks if misused.
The campaign extended well beyond Europe and North America. In Turkey, Intecro Robotics saw designs for military drones and fighter jets offered for sale. In Brazil, Maida Health lost 2.3 terabytes of medical records linked to the military police. Public transportation systems were also affected, with internal documentation related to train braking and signalling for the LA Metro exposed through files associated with CRRC MA.
A truly global failure of basic controls
What makes this campaign particularly alarming is how little technical effort was required. The attacker did not exploit software flaws, bypass firewalls, or deploy ransomware. Instead, they relied on reused passwords and the lack of basic authentication safeguards.
Hudson Rock warned that credentials linked to employees at other major organizations, including Samsung, Walmart, and Deloitte, have also been observed in infostealer logs. This suggests that the full impact of infostealer-driven access abuse may still be unfolding.
A lesson in modern security reality
The campaign serves as a blunt reminder that passwords alone are no longer sufficient to protect corporate systems. As infostealer malware continues to spread at scale, any account without multi-factor authentication should be considered vulnerable by default.
For organizations, the takeaway is unambiguous. Enforcing MFA across all external services, monitoring for leaked credentials, and educating users about malware disguised as legitimate downloads are no longer optional measures. In this case, the absence of those basics turned dozens of well-known companies into easy targets for a single determined individual.