Atraf / Cyberserve breach by Black Shadow
The Iran-linked Black Shadow group breached Israeli hosting provider Cyberserve, then leaked the full database of LGBTQ dating app Atraf — including users' locations and HIV status — after a $1 million ransom went unpaid.
- Victim
- Cyberserve / Atraf
- records
- 1.0M
- users
- 1.0M
In late October 2021, the Iran-linked Black Shadow group — the same actor behind the 2020 Shirbit breach — attacked Israeli web-hosting company Cyberserve and, days later, leaked the entire user database of Atraf, a popular Israeli LGBTQ dating and nightlife app. Because the exposed data included users' locations and, for some, their HIV status, the breach was widely described as life-threatening for parts of Israel's LGBTQ community.
What happened
On 29 October 2021, Black Shadow announced it had compromised Cyberserve, taking down the hosting provider's servers and numerous sites it served — including Atraf, a major bus operator's site, and others. The group demanded $1 million in cryptocurrency within 48 hours to prevent publication of the stolen data.
When the ransom went unpaid, the attackers released the material in stages. On 2 November 2021, they published what they described as the full Atraf database — around one million listings — to a Telegram channel. The data included users' names, locations, and HIV-status information that members had entered into their profiles.
Impact
- Around a million Atraf records were exposed, alongside data from other Cyberserve clients. A follow-on leak included the medical records of roughly 290,000 patients from a separate hosted service.
- Calls to Israel's LGBT helpline (Aguda) doubled as users feared being outed; for closeted individuals, exposure carried serious personal-safety risks.
- The Atraf website was permanently removed from the internet in an effort to limit further harm — a rare case where a service was shut down entirely as part of incident response.
Attribution
Israeli analysts attributed the operation to Black Shadow, assessed as an Iran-linked actor, citing the same techniques, leak-and-extort playbook and victim-blaming seen in earlier attacks. The strike came just days after a cyberattack disrupted Iranian fuel-station payment systems, fuelling the assessment that it was part of the broader Iran–Israel cyber conflict rather than ordinary cybercrime.
Why it matters
The Atraf leak is a stark illustration of how breaches can cause direct human harm that no insurance payout or credit-monitoring offer can undo. Sensitive attributes like sexual orientation and HIV status are precisely the categories GDPR and similar laws designate as "special" — and this case showed why. It also marked an escalation in the Iran–Israel cyber confrontation, in which civilian, deeply personal data was deliberately weaponised to terrorise a vulnerable population.
Financial impact
Reported costs in USD
Timeline
Black Shadow announces it has breached Israeli web-hosting company Cyberserve, knocking offline multiple sites including the LGBTQ dating app Atraf.
The group threatens to leak Cyberserve customers' data and demands $1 million in cryptocurrency within 48 hours to prevent disclosure.
Users of Atraf express fear of being outed; Israel's LGBT helpline Aguda reports a doubling of calls. The ransom deadline passes without payment.
Black Shadow publishes the full Atraf user database — roughly a million records including locations and, in some cases, HIV status — to a Telegram channel.
The Atraf website is permanently taken offline to limit further harm; additional Cyberserve client data, including medical records of around 290,000 patients, is leaked.
Sources
- timesofisrael.comhttps://www.timesofisrael.com/hackers-claim-to-leak-details-of-lgbtq-dating-site-after-ransom-not-paid/
- jpost.comhttps://www.jpost.com/israel-news/iranian-hackers-breach-israeli-company-cyberserve-683529
- france24.comhttps://www.france24.com/en/live-news/20211102-hackers-release-israeli-lgbtq-dating-site-details
- timesofisrael.comhttps://www.timesofisrael.com/black-shadow-hackers-leak-medical-records-of-290000-israeli-patients/