Darkvault is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 55 public victims claimed by this operator between April 11, 2024 and January 6, 2025.

Darkvault is an emerging ransomware group first observed in April 2024. It appears to be financially motivated and targets a broad international set of high-value sectors. The group's origin and affiliations remain undocumented in public threat intelligence reporting, but its operational patterns point to a financially motivated cybercriminal organization rather than state-sponsored activity.

Because public documentation from established security research organizations is limited, Darkvault's attack methodology, initial access vectors, encryption techniques, and data exfiltration practices have not been comprehensively analyzed or reported by major threat intelligence providers such as CISA, the FBI, or Mandiant. The group has reportedly compromised approximately 55 victims across diverse geographic regions, concentrated in India, the United States, Brazil, the United Kingdom, and South Korea, with sector preferences for technology companies, business services, healthcare organizations, transportation and logistics firms, and financial institutions.

Given the group's recent emergence and limited coverage in established threat intelligence channels, details of notable high-profile campaigns, ransom demands, and any law enforcement actions remain undocumented in publicly available security research. Current intelligence suggests the group maintained active operations as of late 2024; the scarcity of public reporting indicates either highly effective operational security or insufficient analysis by major cybersecurity research organizations.
How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog, and each technique is attributed back to its source. Aliases reflect operator re-brands and affiliate splits.