Operator dossier

cipherforce is a ransomware operator currently active on public leak sites. Darkfield has indexed 6 public victims claimed by this operator between February 23, 2026. CipherForce is a relatively new ransomware group that emerged in February 2026, appearing to be financially motivated based on their targeting patterns and operational characteristics. Given their recent emergence and limited public documentation, details about their specific country of origin and affiliations remain unclear, though their targeting of victims across the United States, United Arab Emirates, India, China, and Vietnam suggests either a geographically distributed operation or deliberate international scope. With only six known victims documented to date, the group appears to focus on technology companies, business services, and transportation/logistics sectors, though their attack methodology and specific tools have not been extensively documented by major threat intelligence firms or law enforcement agencies. No notable high-profile campaigns or significant ransoms have been publicly reported by CISA, FBI, or established security researchers, likely due to the group's recent emergence and relatively small victim count. CipherForce appears to remain active as of current reporting, though their limited operational history makes it difficult to assess their long-term viability or potential for expansion.

Most-targeted sectors

Most-affected countries

US2 victims
AE1 victims
IN1 victims
CN1 victims
VN1 victims

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

cipherforce

6 victims indexed · first seen 3 months ago · last activity 3 months ago

Victims indexed

#229 of 348 tracked operators

<1m

Active period

Feb 2026 → Feb 2026

Countries hit

top US · 2

At a glance

Status: active
First seen: 3 months ago
Last activity: 3 months ago
Onion sites: 2 known endpoints
Primary sector: Not Found · 2 hits

About

CipherForce is a relatively new ransomware group that emerged in February 2026, appearing to be financially motivated based on their targeting patterns and operational characteristics. Given their recent emergence and limited public documentation, details about their specific country of origin and affiliations remain unclear, though their targeting of victims across the United States, United Arab Emirates, India, China, and Vietnam suggests either a geographically distributed operation or deliberate international scope. With only six known victims documented to date, the group appears to focus on technology companies, business services, and transportation/logistics sectors, though their attack methodology and specific tools have not been extensively documented by major threat intelligence firms or law enforcement agencies. No notable high-profile campaigns or significant ransoms have been publicly reported by CISA, FBI, or established security researchers, likely due to the group's recent emergence and relatively small victim count. CipherForce appears to remain active as of current reporting, though their limited operational history makes it difficult to assess their long-term viability or potential for expansion.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/cipherforce

Timeline

1 months

2026-02-01T00:00:00+00:002026-02-01T00:00:00+00:00

Top countries

🇺🇸 US

🇦🇪 AE

🇮🇳 IN

🇨🇳 CN

🇻🇳 VN

US dossier →AE dossier →IN dossier →CN dossier →

Top sectors

Not Found

Technology

Business Services

Transportation/Logistics

Not Found dossier →Technology dossier →Business Services dossier →Transportation/Logistics dossier →

MITRE ATT&CK

4 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1059Command and Scripting Interpreter
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

2 known

http://22evxpggnkyrxpluewqsrv5j4jtde6hut2peq3w44d6ase676qlkoead.onion
http://o3ydbkayttkyg4iw2nc732jxmmex25bjeyqyvuuyngnxmpehdefjr3qd.onion

Source

Updated 3 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.