As part of my role at DXC Technology, I oversee our security business, and I frequently deal with attacks on our customers. But on Saturday, July 4, 2020, as I was stepping out of…
Weekly intelligence
Trend-first
Weekly ransomware & data leak landscape
A seven-day view of claim activity, leak escalation, actor concentration, sector shifts, and supporting news context from eCrime.ch.
Window: 2025-12-08 → 2025-12-14 UTC
Choose a report date
Observed events
195
Public claims in the selected week
Data leak indicators
117
60.0% of observed events
Active actors
34
Distinct groups with observed activity
Torrent-linked events
11
Events intersecting with torrent intelligence
What changed this week?
•
Qilin generated the highest visible claim volume this week, representing 26.2% of observed events.
•
60.0% of observed events in this window showed a public data-leak indicator, which is a stronger escalation signal than a fresh listing alone.
•
Real Estate was the most represented sector in this window with 13 observed events.
•
5 actor(s) appeared active this week without matching activity in the prior 30-day lookback, suggesting fresh campaigns, rebrands, or resurfacing infrastructure.
•
11 observed events in this week intersected with torrent intelligence, which is useful for understanding data-distribution tactics beyond plain leak-site posts.
•
1 tracked leak sites were still online as of the report date snapshot, giving useful context on current ecosystem churn and monitoring pressure.
Coverage snapshot
As of 2025-12-14 UTC.
Leak sites observed this week
34
Leak sites online near report date
1
Threat actor profiles updated this week
6
Countries represented this week
40
Sectors represented this week
81
Top active actors
By observed claim volumeQilin
51 events · 23 leak indicators
Akira
20 events · 11 leak indicators
Coinbase Cartel
18 events · 7 leak indicators
Kill Security
11 events · 11 leak indicators
Sinobi
9 events · 9 leak indicators
Devman
8 events · 0 leak indicators
DragonForce
8 events · 8 leak indicators
SAFEPAY
7 events · 7 leak indicators
Emerging or resurfacing actors
No matching activity in prior 30 days- Kill Security 11 events
- MintEye Team 5 events
- Obscura 3 events
- Abyss 1 event
- Leaknet Blog 1 event
Country mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
United States78
- Qilin21 events · 8 leak indicators
- Akira12 events · 5 leak indicators
- Sinobi6 events · 6 leak indicators
- DragonForce5 events · 5 leak indicators
- MintEye Team4 events · 0 leak indicators
- PLAY4 events · 4 leak indicators
- INC Ransom3 events · 3 leak indicators
- Kill Security3 events · 3 leak indicators
Canada12
- Akira3 events · 2 leak indicators
- Qilin3 events · 1 leak indicator
- DragonForce1 event · 1 leak indicator
- INTERLOCK1 event · 1 leak indicator
- Medusa1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
- SECUROTROP1 event · 1 leak indicator
- World Leaks1 event · 1 leak indicator
United Arab Emirates10
- Coinbase Cartel10 events · 1 leak indicator
United Kingdom9
- Qilin3 events · 2 leak indicators
- Chaos1 event · 1 leak indicator
- DragonForce1 event · 1 leak indicator
- Genesis1 event · 0 leak indicators
- Kill Security1 event · 1 leak indicator
- NightSpire1 event · 0 leak indicators
- World Leaks1 event · 1 leak indicator
France7
- Qilin5 events · 3 leak indicators
- Devman1 event · 0 leak indicators
- RALord1 event · 1 leak indicator
India6
- Kill Security3 events · 3 leak indicators
- BlackShrantac1 event · 0 leak indicators
- Sinobi1 event · 1 leak indicator
- Tengu1 event · 0 leak indicators
Brazil5
- World Leaks3 events · 3 leak indicators
- Devman1 event · 0 leak indicators
- Space Bears1 event · 1 leak indicator
Germany5
- Akira2 events · 2 leak indicators
- BrotherHood1 event · 0 leak indicators
- Qilin1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
Sector mix
Share of weekly events across the last 12 reporting windows. Click to expand top actors for this week.
Real Estate13
- Coinbase Cartel10 events · 1 leak indicator
- Qilin3 events · 1 leak indicator
Construction11
- Qilin4 events · 1 leak indicator
- PLAY3 events · 3 leak indicators
- Akira2 events · 1 leak indicator
- DragonForce1 event · 1 leak indicator
- World Leaks1 event · 1 leak indicator
IT Services and IT Consulting8
- BlackShrantac1 event · 0 leak indicators
- Chaos1 event · 1 leak indicator
- Coinbase Cartel1 event · 1 leak indicator
- Obscura1 event · 0 leak indicators
- Qilin1 event · 1 leak indicator
- SAFEPAY1 event · 1 leak indicator
- Sinobi1 event · 1 leak indicator
- Space Bears1 event · 1 leak indicator
Civil Engineering7
- Akira2 events · 1 leak indicator
- DragonForce1 event · 1 leak indicator
- MintEye Team1 event · 0 leak indicators
- Qilin1 event · 1 leak indicator
- Sinobi1 event · 1 leak indicator
- Space Bears1 event · 1 leak indicator
Hospitals and Health Care7
- Devman2 events · 0 leak indicators
- Coinbase Cartel1 event · 0 leak indicators
- Kill Security1 event · 1 leak indicator
- Leaknet Blog1 event · 1 leak indicator
- PEAR1 event · 1 leak indicator
- RALord1 event · 1 leak indicator
Retail6
- Qilin3 events · 2 leak indicators
- World Leaks2 events · 2 leak indicators
- Akira1 event · 0 leak indicators
Transportation, Logistics, Supply Chain and Storage6
- Qilin2 events · 1 leak indicator
- DragonForce1 event · 1 leak indicator
- Kill Security1 event · 1 leak indicator
- MintEye Team1 event · 0 leak indicators
- Obscura1 event · 0 leak indicators
Architecture and Planning5
- Akira1 event · 0 leak indicators
- DragonForce1 event · 1 leak indicator
- MintEye Team1 event · 0 leak indicators
- Qilin1 event · 1 leak indicator
- Sinobi1 event · 1 leak indicator
Organization size bands
Share of weekly events by employee-size group across the last 12 reporting windows.
- 11-50 employees 61
- 51-200 employees 50
- 201-500 employees 26
- 501-1,000 employees 15
- 1,001-5,000 employees 13
- 2-10 employees 7
Notable actor profile updates
Active actor records only.
New ransom note observed
No ransom-note change logged in this reporting window.
New actor infrastructure / contact channel
No infrastructure/contact-channel change logged in this reporting window.
New vuln / TTP intelligence
No vuln/TTP change logged in this reporting window.
Recent signal samples
Selected weekly signals.
| Actor | Sector | Country | Leak proof | Seen |
|---|---|---|---|---|
| Qilin | Civil Engineering | United States | Data leak | 2025-12-14 |
| SAFEPAY | Utilities | Argentina | Data leak | 2025-12-14 |
| SAFEPAY | IT Services and IT Consulting | Greece | Data leak | 2025-12-14 |
| SAFEPAY | Building Materials | United States | Data leak | 2025-12-14 |
| SAFEPAY | Renewable Energy Equipment Manufacturing | Germany | Data leak | 2025-12-14 |
| SAFEPAY | Non-profit Organizations | Singapore | Data leak | 2025-12-14 |
| SAFEPAY | Government Administration | Canada | Data leak | 2025-12-14 |
| BlackShrantac | IT Services and IT Consulting | India | Claim only | 2025-12-14 |
| Qilin | Manufacturing | United Kingdom | Data leak | 2025-12-14 |
| Qilin | Real Estate | Dominican Republic | Data leak | 2025-12-14 |
| Qilin | Wholesale | France | Data leak | 2025-12-14 |
| World Leaks | Technology, Information and Internet | United Kingdom | Data leak | 2025-12-14 |
News and research context
Recent articles from the same time window.
In the third quarter of 2025 (July-September), Dragos identified 742 ransomware incidents affecting industrial entities worldwide, an increase from the 708 incidents documented in…
Related actor: Warlock
In mid-August 2025, Counter Threat Unit™ (CTU) researchers identified the use of the legitimate Velociraptor digital forensics and incident response (DFIR) tool in likely ransomwa…
Related actor: CyberVolk
CyberVolk, a pro-Russian hacktivist crew, is back after months of silence with a new ransomware service. There's some bad news and some good news here.
First, the bad news: the…
Related actor: 01flip
01flip is a new ransomware family fully written in Rust. Activity linked to 01flip points to alleged dark web data leaks.
SEOUL, Dec 10 (Reuters) - South Korea's biggest online retailer Coupang said on Wednesday that CEO Park Dae-jun has resigned, taking responsibility for a huge data breach at the c…
In 2025, a new breed of cybercriminal hit the UK mainstream: young, English-speaking hackers. Alleged ‘Scattered Spider’ attacks on high-profile UK retailers caused hundreds of mi…
Related actor: Conti
The Health Service Executive has started offering compensation to victims of the HSE cyberattack that occurred in May 2021.
The HSE has not confirmed the amounts involved but i…
Related actor: DeadLock
Talos observed that the threat actor deployed DeadLock ransomware as the payload in their attack. DeadLock ransomware has been active since as early as July 2025 and, unlike other…
Related actor: Makop
The pattern which emerged was that attackers prefer to work in a low complexity and low effort manner. Most victims were compromised through RDP and frequently after that attacker…
Notes
- Observed events reflect monitored leak-site and extortion activity, not independent confirmation of every intrusion.
- Data-leak indicators reflect visible public leak evidence or escalation, which is stronger than a fresh listing alone.
- Country, sector, and company-size metadata can be incomplete. Unknown values are excluded from the public mix views.
- The goal is to explain concentration, escalation, churn, and patterns — not to build a wall of named victims.
Method
- The page uses a fixed seven-day window based on the selected date.
- Only public-facing actor and event records are included.
- Counts and breakdowns are designed for trend review, not incident confirmation.