Cybersecurity Alert: Threat Actor Zestix/Sentap Exploits Stolen Credentials in Major Data Breaches A threat actor known as Zestix—also linked to the online persona Sentap—has been identified as an initial access broker (IAB) behind multiple high-profile data breaches, according to cybersecurity firm Hudson Rock. Active since late 2024–early 2025, Zestix’s operations trace back to Sentap’s activities dating to 2021, with both personas leveraging stolen credentials to infiltrate enterprise networks. ### Attack Method & Victim Profile Zestix/Sentap targets organizations across aerospace, government infrastructure, legal, robotics, and defense sectors, exploiting credentials harvested from information stealers like RedLine, Lumma, and Vidar. These credentials—some freshly stolen, others lingering in logs for years—were used to breach file-transfer services such as ShareFile, OwnCloud, and Nextcloud, often due to missing multi-factor authentication (MFA). The actor has successfully compromised systems roughly 50 times, exfiltrating data for sale on Russian-language hacker forums or auctioning access to the networks themselves. ### Notable Breaches & Financial Impact Zestix has claimed responsibility for large-scale breaches, including: - Iberia (Spanish flag carrier) – 77 GB of data, listed for $150,000 - Pickett & Associates (engineering firm for energy orgs) - Intecro Robotics (aerospace/defense equipment) - Maida Health (Brazilian military police contractor) - CRRC MA (rolling stock manufacturer) - Pan-Pacific Mechanical (1.04 TB), Bradley R. Tyer & Associates (1.02 TB), and The Providence Group (1 TB) Under the Sentap alias, the actor’s victim list expands further, though Hudson Rock could not confirm all breaches stemmed from infostealer infections. ### Broader Infostealer Threat The incident underscores the persistent risk of information stealers, which Hudson Rock warns have exposed credentials for thousands of organizations using ShareFile, OwnCloud, and Nextcloud, including Deloitte, Honeywell, KPMG, Samsung, and Walmart. These attacks thrive on malware-as-a-service (MaaS), enabling even unskilled actors to deploy stealers that exfiltrate data in minutes before self-deleting, leaving minimal forensic traces. The commodification of cybercrime—where stolen credentials fuel credential stuffing, identity theft, and fraud—continues to drive large-scale breaches, with no immediate solution in sight.