Ransomware Scammers: 6 Chinese nationals operating from the 8th floor, working online to send malicious links to Chinese companies for ransomware deployment. Computer evidence sho…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2025-06-11 → 2025-06-17 UTC
Choose a report date
Observed events
134
Public claims in the selected week
Data leak indicators
116
86.6% of observed events
Active actors
27
Distinct groups with observed activity
Torrent-linked events
4
Events intersecting with torrent intelligence
What changed this week?
•
Qilin generated the highest visible claim volume this week, representing 20.9% of observed events.
•
86.6% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
•
Construction was the most represented sector in this window with 12 observed events.
•
3 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
•
4 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
•
1 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2025-06-17 UTC.
Leak sites observed this week
27
Leak sites online near report date
1
Threat actor profiles updated this week
2
Countries represented this week
24
Sectors represented this week
68
Top active actors
By observed claim volumeQilin
28 events · 22 leak indicators
SAFEPAY
17 events · 17 leak indicators
DragonForce
16 events · 16 leak indicators
World Leaks
8 events · 8 leak indicators
Akira
7 events · 3 leak indicators
TeamXXX
7 events · 6 leak indicators
Global
6 events · 6 leak indicators
INC Ransom
6 events · 5 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days- DragonForce 16 events
- TeamXXX 7 events
- Frag 2 events
Country mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States82
- Qilin22 events · 17 leak indicators
- SAFEPAY13 events · 13 leak indicators
- DragonForce12 events · 12 leak indicators
- PLAY5 events · 5 leak indicators
- World Leaks5 events · 5 leak indicators
- Akira4 events · 2 leak indicators
- TeamXXX4 events · 3 leak indicators
- Global3 events · 3 leak indicators
Canada7
- Qilin2 events · 1 leak indicator
- Apos Security1 event · 1 leak indicator
- DragonForce1 event · 1 leak indicator
- INTERLOCK1 event · 1 leak indicator
- PLAY1 event · 1 leak indicator
- Sarcoma1 event · 1 leak indicator
Germany6
- SAFEPAY4 events · 4 leak indicators
- Akira1 event · 0 leak indicators
- Sarcoma1 event · 1 leak indicator
United Kingdom6
- INC Ransom2 events · 2 leak indicators
- Akira1 event · 0 leak indicators
- Global1 event · 1 leak indicator
- Kairos1 event · 1 leak indicator
- TeamXXX1 event · 1 leak indicator
Australia3
- DragonForce1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
- Space Bears1 event · 0 leak indicators
Belgium3
- Global1 event · 1 leak indicator
- Space Bears1 event · 1 leak indicator
- World Leaks1 event · 1 leak indicator
Colombia3
- Gunra2 events · 0 leak indicators
- IMN Crew1 event · 1 leak indicator
Spain3
- Qilin2 events · 2 leak indicators
- DATACARRY1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Construction12
- DragonForce4 events · 4 leak indicators
- Qilin2 events · 2 leak indicators
- Akira1 event · 0 leak indicators
- Frag1 event · 1 leak indicator
- INTERLOCK1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
- Sarcoma1 event · 1 leak indicator
- TeamXXX1 event · 1 leak indicator
Government Administration7
- Gunra2 events · 0 leak indicators
- SAFEPAY2 events · 2 leak indicators
- 3AM1 event · 1 leak indicator
- DragonForce1 event · 1 leak indicator
- INC Ransom1 event · 1 leak indicator
Hospitals and Health Care7
- World Leaks2 events · 2 leak indicators
- Crypto241 event · 1 leak indicator
- Global1 event · 1 leak indicator
- INC Ransom1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
- TeamXXX1 event · 1 leak indicator
Insurance5
- Qilin2 events · 1 leak indicator
- Akira1 event · 1 leak indicator
- Crypto241 event · 1 leak indicator
- DragonForce1 event · 1 leak indicator
Accounting4
- DragonForce1 event · 1 leak indicator
- Everest1 event · 0 leak indicators
- Lynx1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
Financial Services4
- Akira1 event · 0 leak indicators
- Global1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
Hospitality4
- DATACARRY1 event · 1 leak indicator
- Global1 event · 1 leak indicator
- Qilin1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
IT Services and IT Consulting4
- DragonForce2 events · 2 leak indicators
- Akira1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 11-50 employees 48
- 51-200 employees 39
- 201-500 employees 14
- 501-1,000 employees 13
- 2-10 employees 10
- 1,001-5,000 employees 3
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| INC Ransom | Dentists | United States | Claim only | 2025-06-17 |
| SAFEPAY | Banking | United States | Data leak | 2025-06-17 |
| DragonForce | Construction | United States | Data leak | 2025-06-17 |
| DragonForce | Construction | United States | Data leak | 2025-06-17 |
| DragonForce | Machinery Manufacturing | United States | Data leak | 2025-06-17 |
| DragonForce | Mechanical Or Industrial Engineering | Australia | Data leak | 2025-06-17 |
| DragonForce | Insurance | United States | Data leak | 2025-06-17 |
| DragonForce | Accounting | United States | Data leak | 2025-06-17 |
| DragonForce | Chemical Manufacturing | United States | Data leak | 2025-06-17 |
| DragonForce | Consumer Goods | United States | Data leak | 2025-06-17 |
| SAFEPAY | Government Administration | United States | Data leak | 2025-06-17 |
| DragonForce | IT Services and IT Consulting | United States | Data leak | 2025-06-17 |
News and research context
Recent articles from the same time window.
Cyber-crime crew Scattered Spider has infected US insurance companies following a series of ransomware attacks against American and British retailers, according to Google, which u…
Radford City Public Schools on Tuesday disclosed a "cybersecurity incident" affecting portions of the division's computer network.
Superintendent Adam Joyce sent an update to f…
On June 9, 2025, Zoomcar Holdings, Inc. (the “Company”) identified a cybersecurity incident involving unauthorized access to its information systems. The Company became aware of t…
WestJet is aware of a cybersecurity incident involving internal systems and the WestJet app, which has restricted access for several users. We have activated specialized internal…
ALBEMARLE COUNTY, Va. (WVIR) - It started with an alert on Thursday, June 12, that the county’s internet was down, followed by the admission that actually, a cyber security incide…
India News | Delhi Police Launches Probe into Cyberattack on Servers of 2 Hospitals | LatestLY
2025-06-13
New Delhi, Jun 13 (PTI) The Delhi Police has launched an investigation into a cyber attack on the servers of two hospitals in the city, police sources said on Friday.
According…
Related actor: Qilin
Coop Hospital confirms probe into a reported cyberattack, says services remain normal as it works with authorities to assess breach.
The Palawan Medical Mission Group Multipurp…
A serious cybersecurity incident at NHS Professionals (NHSP), the U.K. government-owned staffing organization for the National Health Service, has come to light. Investigators rev…
Related actor: Anubis
A new ransomware-as-a-service (RaaS) group has emerged and has been making a name for itself in 2025. Anubis is a recently identified group that sets itself apart by partnering en…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.