On August 30th, Wealthsimple detected a data security incident. All accounts remain secure, and no funds were accessed or stolen. We acted quickly and in a few hours the issue was…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2025-09-01 → 2025-09-07 UTC
- Observed events: 111 (public claims in the selected week)
- Data leak indicators: 68 (61.3% of observed events)
- Active actors: 31 (distinct groups with observed activity)
- Torrent-linked events: 3 (events intersecting with torrent intelligence)
What changed this week?
- Lynx generated the highest visible claim volume this week, representing 16.2% of observed events.
- 61.3% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
- Construction was the most represented sector in this window with 9 observed events.
- 5 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
- 3 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
- 1 tracked leak site was still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2025-09-07 UTC.
- Leak sites observed this week: 31
- Leak sites online near report date: 1
- Threat actor profiles updated this week: 2
- Countries represented this week: 29
- Sectors represented this week: 57
Top active actors
By observed claim volume
- Lynx: 18 events · 2 leak indicators
- Qilin: 13 events · 8 leak indicators
- Akira: 12 events · 3 leak indicators
- INC Ransom: 11 events · 10 leak indicators
- SAFEPAY: 9 events · 9 leak indicators
- Kill Security: 7 events · 7 leak indicators
- PEAR: 4 events · 3 leak indicators
- PLAY: 4 events · 4 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days
- LeakedData: 2 events
- Cicada3301: 1 event
- MyData: 1 event
- RALord: 1 event
- Yurei: 1 event
Country mix
Share of weekly events across the last 12 reporting windows.
United States: 65
- Akira: 11 events · 3 leak indicators
- Lynx: 11 events · 2 leak indicators
- INC Ransom: 8 events · 8 leak indicators
- SAFEPAY: 7 events · 7 leak indicators
- Qilin: 6 events · 4 leak indicators
- PEAR: 4 events · 3 leak indicators
- PLAY: 4 events · 4 leak indicators
- Kill Security: 2 events · 2 leak indicators
Canada: 4
- INC Ransom: 2 events · 1 leak indicator
- Lynx: 2 events · 0 leak indicators
Argentina: 3
- Beast: 1 event · 1 leak indicator
- BlackNevas: 1 event · 0 leak indicators
- Qilin: 1 event · 1 leak indicator
Germany: 3
- Lynx: 2 events · 0 leak indicators
- INC Ransom: 1 event · 1 leak indicator
India: 3
- Akira: 1 event · 0 leak indicators
- Devman: 1 event · 1 leak indicator
- RALord: 1 event · 1 leak indicator
Spain: 3
- BlackNevas: 1 event · 0 leak indicators
- Lynx: 1 event · 0 leak indicators
- Qilin: 1 event · 1 leak indicator
Austria: 2
- Lynx: 1 event · 0 leak indicators
- SAFEPAY: 1 event · 1 leak indicator
Colombia: 2
- Kill Security: 2 events · 2 leak indicators
Sector mix
Share of weekly events across the last 12 reporting windows.
Construction: 9
- Lynx: 3 events · 0 leak indicators
- Akira: 2 events · 0 leak indicators
- Anubis: 1 event · 0 leak indicators
- Chaos: 1 event · 1 leak indicator
- INC Ransom: 1 event · 1 leak indicator
- PLAY: 1 event · 1 leak indicator
Law Practice: 6
- LeakedData: 2 events · 2 leak indicators
- SAFEPAY: 2 events · 2 leak indicators
- INC Ransom: 1 event · 1 leak indicator
- PEAR: 1 event · 1 leak indicator
Appliances, Electrical, and Electronics Manufacturing: 4
- Dire Wolf: 1 event · 1 leak indicator
- Gunra: 1 event · 0 leak indicators
- Lynx: 1 event · 0 leak indicators
- Qilin: 1 event · 1 leak indicator
Chemical Manufacturing: 4
- Akira: 1 event · 0 leak indicators
- Devman: 1 event · 1 leak indicator
- Medusa: 1 event · 1 leak indicator
- PLAY: 1 event · 1 leak indicator
Food and Beverage Services: 4
- INC Ransom: 2 events · 1 leak indicator
- Dire Wolf: 1 event · 1 leak indicator
- Payouts King: 1 event · 1 leak indicator
Hospitals and Health Care: 4
- Kill Security: 1 event · 1 leak indicator
- MyData: 1 event · 0 leak indicators
- Qilin: 1 event · 1 leak indicator
- SAFEPAY: 1 event · 1 leak indicator
Medical Practice: 4
- PEAR: 2 events · 1 leak indicator
- Qilin: 1 event · 0 leak indicators
- SAFEPAY: 1 event · 1 leak indicator
Software Development: 4
- Kill Security: 2 events · 2 leak indicators
- BlackNevas: 1 event · 0 leak indicators
- Qilin: 1 event · 0 leak indicators
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 51-200 employees 44
- 11-50 employees 20
- 1,001-5,000 employees 11
- 201-500 employees 11
- 501-1,000 employees 10
- 2-10 employees 5
Notable actor profile updates
Active actor records only.
- New ransom note observed: No ransom-note change logged in this reporting window.
- New actor infrastructure / contact channel: No infrastructure/contact-channel change logged in this reporting window.
- New vuln / TTP intelligence: No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| Lynx | Food Production | United States | Claim only | 2025-09-07 |
| Kill Security | Human Resources Services | United Arab Emirates | Data leak | 2025-09-07 |
| Dire Wolf | Food and Beverage Services | Indonesia | Data leak | 2025-09-07 |
| SECUROTROP | Oil and Gas | United States | Data leak | 2025-09-07 |
| Kill Security | Hospitals and Health Care | United States | Data leak | 2025-09-07 |
| Kill Security | Software Development | United States | Data leak | 2025-09-07 |
| LeakedData | Law Practice | United States | Data leak | 2025-09-07 |
| Qilin | Appliances, Electrical, and Electronics Manufacturing | United States | Data leak | 2025-09-06 |
| Beast | Entertainment Providers | Argentina | Data leak | 2025-09-06 |
| BlackNevas | Medical Device | Spain | Claim only | 2025-09-06 |
| Kill Security | Medical Device | Peru | Data leak | 2025-09-06 |
| Kill Security | Health and Human Services | Colombia | Data leak | 2025-09-06 |
News and research context
Recent articles from the same time window.
- A subcontractor of the National Lottery (Loterie Nationale) has been the victim of a cyber attack, resulting in stolen data. Customer data such as names, addresses, phone numbe…
- Related actor: PromptLock. It all started as an idea for a research paper. Within a week, however, it nearly set the security industry on fire over what was believed to be the first-ever AI-powered rans…
- Related actor: Rhysida. In a case observed by At-Bay, a user at an organization fell victim to a tactic known as Search Engine Optimization (SEO) poisoning and downloaded a trojanized version of Putty.ex…
- Related actor: Obscura. On 29 August 2025, Huntress analysts encountered a previously unseen ransomware variant called “Obscura.” This name was taken from the ransom note (README_Obscura.txt), which also…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.