Mr. Raccoon
Executive Summary
“Mr. Raccoon” is a criminal handle / persona that surfaced publicly in 2026 in connection with the Adobe BPO-data breach disclosures and adjacent corporate-victim extortion activity. The persona’s observed operational posture is extortion-centric: public messaging against named victim organisations referencing exfiltrated corporate documents and helpdesk-adjacent data, with implicit or explicit demands tied to the prospect of further release.
Threatpedia holds Mr. Raccoon at the persona level rather than treating it as a distinct named threat actor. Adjacent reporting — specifically Google Threat Intelligence Group’s April 2026 naming of the UNC6783 cluster — has been summarised in secondary media alongside Mr. Raccoon mentions, but no primary source currently establishes identity between the two. The persona may represent a front handle for UNC6783 operators, a cooperating handle, an affiliate, or an independent extortion persona who happens to be trafficking overlapping data. Attribution confidence is A5: identity behind the persona is speculative.
This profile treats the persona as a provenance artefact — useful for tracking specific public claims and follow-on victim correspondence — rather than as a cluster profile in its own right.
Notable Campaigns
Adobe BPO breach extortion (2026)
The persona is most prominently associated with the Adobe BPO-data breach claims that surfaced in early 2026. Public posts attributed to Mr. Raccoon referenced internal corporate material and demanded payment in exchange for withholding onward release. Threatpedia’s adobe-mr-raccoon-breach-2026 incident page is the canonical record of that event; this actor page exists to capture the persona-level provenance that complements it.
Possible UNC6783 adjacency (2026)
SecurityWeek and BleepingComputer’s coverage of GTIG’s UNC6783 disclosure note that Mr. Raccoon has been linked by some observers to the same activity cluster. The link is not asserted by GTIG in the primary disclosure summarised in those reports and is not treated as confirmed here.
Technical Capabilities
Little can be said about Mr. Raccoon’s technical capability set directly:
- Public-channel extortion. Operational visibility is concentrated in the persona’s public messaging, not in observed intrusion tradecraft. Extortion operations reference previously exfiltrated material rather than demonstrating ongoing intrusion capability.
- Pre-collected victim context. Messaging tied to the persona demonstrates knowledge of named employees, departmental structure, and internal document conventions for at least one corporate victim — consistent with genuine access to exfiltrated data of non-trivial depth.
- No attributed intrusion toolset. No malware family, implant, exploitation capability, or infrastructure cluster has been publicly attributed to the persona itself. If Mr. Raccoon is a front for UNC6783 or an adjacent crew, the underlying intrusion capability would be that group’s; see the UNC6783 profile for what is currently documented on the intrusion side.
Attribution
Attribution confidence is A5 (speculative). The persona is real in the sense that public messaging under the handle has been observed and corroborated in Ankura CTIX reporting and secondary coverage of the Adobe breach. What is not established:
- Whether Mr. Raccoon is a distinct individual or a group handle.
- Whether the persona is operated by the same people responsible for the underlying intrusion(s).
- Whether Mr. Raccoon is identical with, a front for, a cooperating handle of, or independent from UNC6783.
Per Threatpedia’s attribution hygiene, the two profiles are preserved as distinct until primary evidence justifies a merge. If future disclosure establishes identity between the persona and UNC6783 (or a different underlying cluster), the correct action is a canonicalisation PR that consolidates the two — not a silent edit to either profile.
The Mr. Raccoon persona sits alongside a broader class of extortion-first handles that have surfaced around high-profile corporate data-breach disclosures since 2023. The operational pattern — pre-collected victim context, public extortion messaging, selective document release — is consistent with the extortion economy around BPO-mediated and helpdesk-mediated intrusions tracked by multiple vendors. Whether Mr. Raccoon is a durable identity or an ephemeral handle that will be superseded by the next extortion campaign’s branding is itself an open question; that uncertainty is the reason this profile is held at persona level rather than named-actor level.
MITRE ATT&CK Profile
Mapped techniques reflect the persona’s observed public posture rather than a full intrusion chain:
- T1657 — Financial Theft (Impact): the defining observed behaviour.
- T1213 — Data from Information Repositories (Collection): inferred from the nature of material publicly referenced.
- T1589 — Gather Victim Identity Information (Reconnaissance): inferred from the depth of victim-org context visible in persona messaging.
This mapping should be extended only as primary evidence surfaces. The persona is not a substitute for the underlying intrusion actor’s profile (if they are distinct) and no intrusion-side techniques are asserted here.
Sources & References
- Ankura CTIX: Flash Update — April 10, 2026 (Adobe BPO breach and Mr. Raccoon extortion context) — Ankura CTIX, 2026-04-10
- SecurityWeek: Google Warns of New Campaign Targeting BPOs to Steal Corporate Data — SecurityWeek, 2026-04-09
- BleepingComputer: Google — New UNC6783 hackers steal corporate Zendesk support tickets — BleepingComputer, 2026-04-09
- CISA: Joint Advisory AA23-320A — Scattered Spider helpdesk social engineering tradecraft (corroborating TTP source for the BPO-extortion ecosystem; not Mr. Raccoon-specific) — CISA, 2023-11-16