UNC3753: Vishing and Physical Breaches in US Data Theft Extortion
Robert Moore
UNC3753 uses vishing and physical intrusions to steal data from U.S. firms. Learn how this extortion campaign works and how to protect your organization.
Cybersecurity researchers have disclosed details of a financially motivated data theft extortion campaign that targeted dozens of organizations across professional, legal, and financial services in the U.S. between January and May 2026. Google Mandiant and Google Threat Intelligence Group (GTIG) attribute the activity to a threat actor dubbed UNC3753, a sophisticated group that blends social engineering with physical intrusions.
This isn't your typical phishing scheme. UNC3753 uses vishing (voice phishing) to trick employees into handing over credentials or letting the attackers into secure areas. Once inside, the attackers grab sensitive data and demand a ransom. It's a scary reminder that cyber threats don't always start with a suspicious email.
### How UNC3753 Operates
The group's tactics are surprisingly low-tech for such high-stakes targets. They call employees pretending to be IT support or a vendor, asking for login details or building access. If that fails, they might show up in person, posing as a delivery person or technician. It's a blend of old-school con artistry and modern tech theft.
- **Vishing Calls:** Attackers use spoofed phone numbers to impersonate trusted contacts.
- **Physical Intrusions:** They gain entry to offices by tailgating or using fake credentials.
- **Data Exfiltration:** Once inside, they copy sensitive files to external drives or cloud accounts.
- **Extortion:** Victims are threatened with public data leaks unless a ransom is paid in Bitcoin or other crypto.
> "The combination of voice phishing and physical access makes UNC3753 particularly dangerous," says a Mandiant report. "They exploit human trust, not just software bugs."
### Who's at Risk?
The campaign has hit professional, legal, and financial services firms across the U.S. These industries hold tons of confidential data—client records, financial documents, legal strategies—which makes them prime targets. Small and mid-sized businesses are especially vulnerable because they often lack robust security training for staff.
### Protecting Your Organization
So, what can you do? Start by training employees to spot vishing attempts. Remind them that no legitimate IT person will ask for passwords over the phone. Also, tighten physical security: require ID badges, use visitor logs, and install cameras at entry points.
- **Employee Training:** Run regular drills on phone scams and tailgating.
- **Access Controls:** Use multi-factor authentication for all systems.
- **Incident Response:** Have a plan for both digital and physical breaches.
- **Monitor Networks:** Look for unusual data transfers or login attempts.
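One way to act on the "Monitor Networks" item for the external-drive and cloud-account copies described earlier, shown as an added example that is not from the Mandiant/GTIG report or this article: it compares each user's daily transfer volume with that user's own history. The event fields, thresholds, user names and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events, not real telemetry: (day, user, channel, bytes).
# "usb" = copy to a removable drive, "cloud" = upload to a cloud storage account.
EVENTS = [
    ("2026-03-02", "alice", "cloud", 40_000_000),
    ("2026-03-03", "alice", "cloud", 55_000_000),
    ("2026-03-04", "alice", "cloud", 45_000_000),
    ("2026-03-05", "alice", "cloud", 50_000_000),
    ("2026-03-06", "alice", "usb", 4_000_000_000),
    ("2026-03-06", "alice", "cloud", 200_000_000),
    ("2026-03-02", "bob", "cloud", 200_000_000),
    ("2026-03-03", "bob", "cloud", 210_000_000),
    ("2026-03-04", "bob", "cloud", 190_000_000),
    ("2026-03-05", "bob", "cloud", 205_000_000),
    ("2026-03-06", "bob", "cloud", 220_000_000),
    ("2026-03-04", "carol", "usb", 2_500_000_000),  # account with no history
]

def daily_totals(events):
    """Sum bytes per user per day across removable-drive and cloud channels."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, channel, nbytes in events:
        if channel in ("usb", "cloud"):
            totals[user][day] += nbytes
    return totals

def flag_unusual(events, k=6.0, min_history=3,
                 floor=50_000_000, cold_start_limit=1_000_000_000):
    """Return sorted (user, day, bytes) for days far above the user's baseline.

    Baseline is median + k * MAD of the user's earlier days (robust to a few
    busy days). Users with too little history fall back to a fixed limit.
    """
    alerts = []
    for user, per_day in daily_totals(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                threshold = cold_start_limit
            else:
                med = median(history)
                mad = median([abs(x - med) for x in history])
                threshold = max(med + k * mad, floor)
            if per_day[day] > threshold:
                alerts.append((user, day, per_day[day]))
    return sorted(alerts)
```

In practice the events would come from endpoint or proxy logs, and the multiplier `k` and the two fixed limits need tuning against normal activity before alerts are routed to responders.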
### The Bigger Picture
UNC3753 shows that cybercriminals are getting creative. They're blending social engineering with physical tactics because it works. For professionals using antidetect browsers to protect their own online privacy, this is a wake-up call: security isn't just about software. It's about awareness and human behavior.
In the end, the best defense is a culture of caution. If something feels off—a strange call, an unfamiliar face in the lobby—trust your gut. Report it. That instinct could save your company millions.