Skip to main content

Operator dossier

Cicada3301 is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 75 public victims claimed by this operator between June 20, 2024 and September 4, 2025. Cicada3301 is a recently emerged ransomware group that began operations in June 2024, primarily motivated by financial gain through extortion activities targeting organizations across multiple sectors. The group's origin and affiliations remain largely undocumented in public threat intelligence reporting, with limited information available regarding their operational structure or potential connections to other cybercriminal organizations. Based on observed targeting patterns, Cicada3301 has demonstrated a preference for attacking business services, technology, manufacturing, and financial sector organizations, with their operations concentrated primarily in English-speaking countries including the United States, United Kingdom, and Canada, as well as extending to Spain and Singapore. The group has successfully compromised approximately 75 known victims since their emergence, though specific details regarding their attack methodologies, initial access vectors, encryption techniques, and extortion tactics have not been extensively documented in publicly available threat intelligence reports from major cybersecurity firms or government agencies. Given the limited public documentation available from CISA, FBI, Mandiant, or other reputable security researchers, the group's current operational status, technical capabilities, and specific attack infrastructure remain largely uncharacterized in open-source intelligence reporting. As of the most recent observations, Cicada3301 appears to remain active in conducting ransomware operations, though comprehensive analysis of their tactics, techniques, and procedures awaits more detailed public reporting from established threat intelligence sources.

Most-targeted sectors

Most-affected countries

Recent disclosures by Cicada3301

All 75 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Cicada3301

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

Cicada3301

75 victims indexed · first seen 2 years ago · last activity 10 months ago

75
Victims indexed
#87 of 364 tracked operators
1y 3m
Active period
Jun 2024 → Sep 2025
16
Countries hit
top United States · 42

At a glance

Status
inactive
First seen
2 years ago
Last activity
10 months ago
Onion sites
1 known endpoint
Primary sector
Business Services · 20 hits

About

Cicada3301 is a recently emerged ransomware group that began operations in June 2024, primarily motivated by financial gain through extortion activities targeting organizations across multiple sectors. The group's origin and affiliations remain largely undocumented in public threat intelligence reporting, with limited information available regarding their operational structure or potential connections to other cybercriminal organizations. Based on observed targeting patterns, Cicada3301 has demonstrated a preference for attacking business services, technology, manufacturing, and financial sector organizations, with their operations concentrated primarily in English-speaking countries including the United States, United Kingdom, and Canada, as well as extending to Spain and Singapore. The group has successfully compromised approximately 75 known victims since their emergence, though specific details regarding their attack methodologies, initial access vectors, encryption techniques, and extortion tactics have not been extensively documented in publicly available threat intelligence reports from major cybersecurity firms or government agencies. Given the limited public documentation available from CISA, FBI, Mandiant, or other reputable security researchers, the group's current operational status, technical capabilities, and specific attack infrastructure remain largely uncharacterized in open-source intelligence reporting. As of the most recent observations, Cicada3301 appears to remain active in conducting ransomware operations, though comprehensive analysis of their tactics, techniques, and procedures awaits more detailed public reporting from established threat intelligence sources.

References

8 links

External sources curated by the MISP threat-intel community.

Timeline

12 months
2024-06-01T00:00:00+00:00 · 42024-07-01T00:00:00+00:00 · 62024-08-01T00:00:00+00:00 · 162024-09-01T00:00:00+00:00 · 82024-10-01T00:00:00+00:00 · 82024-12-01T00:00:00+00:00 · 32025-01-01T00:00:00+00:00 · 12025-02-01T00:00:00+00:00 · 132025-03-01T00:00:00+00:00 · 22025-04-01T00:00:00+00:00 · 52025-07-01T00:00:00+00:00 · 82025-09-01T00:00:00+00:00 · 1
2024-06-01T00:00:00+00:002025-09-01T00:00:00+00:00

Top countries

🇺🇸 United States
42
🇬🇧 United Kingdom
6
🇨🇦 Canada
4
🇪🇸 Spain
3
🇧🇷 Brazil
3
🇸🇬 Singapore
3
🇫🇷 France
3
🇯🇵 Japan
2

Top sectors

Business Services
20
Manufacturing
8
Technology
8
Financial
5
Hospitality and Tourism
5
Healthcare
4
Transportation/Logistics
4
Education
2

MITRE ATT&CK

46 techniques · 12 tactics

Tactics

CollectionCommand And ControlCredential AccessDefense ImpairmentDiscoveryExecutionInitial AccessLateral MovementPersistencePrivilege EscalationResource DevelopmentStealth

Techniques

Recent victims

Loading…

Onion infrastructure

1 known
  • http://cicadabv7vicyvgz5khl7v2x5yygcgow7ryy6yppwmxii4eoobdaztqd.onion

Source

Updated 10 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Cicada3301 posts a victim.

Add Cicada3301 to your watchlist — Pro pings you within 5 minutes of any new Cicada3301 leak-site post, Telegram callout, or affiliate-rebrand inference.