Cosmetic surgery hacked. Nude photos and data exposed on the dark web, as hackers blackmail patients

A chain of cosmetic surgery clinics in Lithuania has been hacked, and fallen victim to cold-hearted extortionists who have no qualms about blackmailing both the business and its customers.

According to media reports, a hacking group called the Tsar Team broke into the servers of Grožio Chirurgija and stole the personal data and more than 25,000 private photos of clients.

Blurred photo of cosmetic surgery patient leaked by hackers

At first the Tsar Team attempted to sell the stolen data back to the clinic, for the eye-watering sum of 300 bitcoins (about half a million dollars). But when the clinic refused to play ball, the hackers targeted patients – demanding payments of up to 2000 Euros for the victim’s photos, home addresses, scans of passports and national insurance numbers.

The Grožio Chirurgija cosmetic surgery clinics have thousands of customers in more than 60 countries around the world, including the UK, Germany, and Denmark, who travel to Lithuania for nips and tucks on the cheap.


Clients are thought to include celebrities, who might have particular interest in their details and private photos not leaking onto the internet.

Even the most selfie-obsessed individual would probably balk at the thought of private photographs of their wobbly or intimate body parts taken before and after surgery falling into the hands of the public.

The full database is now being offered for 50 bitcoin, a measly $112,000 at current rates, which is quite a reduction from the hackers’ initial demands.

A redacted screenshot of data stolen by the hackers

On its website, the hacked chain of clinics says that it is working closely with the police, and is urging customers to take precautions.

Those precautions include telling clients to be wary of opening emails or clicking on links which may have been sent by the blackmailers, and to pass any communications (including SMS text messages they may receive) to the authorities.

Grožio Chirurgija is also advising concerned customers who find a link to their private data online to request its removal from the Google search engine as soon as possible.

All of which seems like sensible advice to me, but I was disappointed to see it only offered on the Lithuanian version of the surgery’s website and not on its (probably more widely understood) English language edition.

The cosmetic surgery says that it is strengthening its IT security in the wake of the attack. But for those innocent patients whose privacy has been put at risk, it really is a case of too little, too late.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
