On 31 May, it emerged that a group of hackers had published personal health records and tens of thousands of naked "before-and-after" images on the dark web. The material belonged to patients and celebrities who had visited a Lithuanian plastic surgery clinic called Grozio Chirurgija.
The records, which included data on more than 1,500 Britons, were uploaded in a searchable format, with the hackers demanding up to £2,000 to have files removed. Now, in correspondence with IBTimes UK, one of the hackers claiming to be involved says he or she "just wants a better life."
Lithuanian police said the culprits started to release surgery images in March, with the rest of the data being published this week after a failed extortion attempt.
Interestingly, the group used the name "Tsar Team", a name linked with APT28, an alleged Russian state-backed hacking and espionage group.
"Clients, of course, are in shock," said Jonas Staikunas, director of Grozio Chirurgija, who refused to pay an initial ransom demand of 300 Bitcoin (£500,000).
"I would like to apologise. Cybercriminals are blackmailers. They are blackmailing our clients with inappropriate text messages."
What follows is a brief exchange with one of the alleged hackers claiming to be involved, reached via contact details found on one dark web site hosting the Grozio Chirurgija leak. Note: the language, as requested by the contact, has been slightly edited for clarity.
Why did you target this clinic and why publish such sensitive data?
"We had one target - OpenCMS, because there were some nice easy bugs.
"We targeted not only Grozio Chirurgija, but targeted some other companies via OpenCMS. All of them paid us very fast without any issues. But when we contacted Grozio Chirurgija and they said that they [would] catch us and kick our ass, it was a surprise for us.
"We sent [the clinic] several emails and explained what we would do, but they said they didn't care. We don't like to go public and take money from clients, because it's bad karma for us, but there was no other way to teach Grozio Chirurgija. We decided to go with data selling in darknet.
"We said that all files go public 30 May. There were some clever people who bought our data, but [the clinic] heard only police voice, they said, 'Please don't pay...' All data is now public."
Do you expect to make money from this hack?
"It will be a good lesson in the future for other companies. I think we will not have any trouble with the payments in the next two years."
Heightened attention will result in more interest from the police. Are you concerned?
"We don't want any glory from it. We just want to live a better life, hacking is just good business for us.
"Talking about prosecution, we can't say that we are ghosts. We respect law forces, because they are doing what they must do, only dumb people think they are uncatchable. Our country has no extradition law with EU and USA, so we can live here forever without any trouble. If we want to go abroad we can use another passport for extra security. It's easy in our country."
Media reports claim you could be linked to APT28. Are you?
"Yes we are linked to this group very closely, but I can't confirm that we are working for government forces. There are a lot of myths. It's 5% true and 95% burble, you know the media :)"
What's next for your group?
"Good question. We think that we will go to other countries, because Lithuania is too small for big business. Poland looks nice from the first sight...it's just a joke...or maybe not... see you next time... for all of you... think about what you are doing online...!"
The alleged hacker did not respond to additional requests for evidence to back up the claim they were closely linked to the actual Tsar Group, and could very well be posing as the notorious Russian hacking unit suspected of infiltrating the US Democratic Party last year.
Traditionally, APT28 targets large businesses, government and military groups using persistent and targeted email phishing techniques. The Grozio Chirurgija clinic is now working with law enforcement and cybersecurity companies to probe the massive hack.