Skip to main content

Operator dossier

Darkvault (also tracked as DARK VAULT) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 55 public victims claimed by this operator between April 11, 2024 and January 6, 2025. Darkvault is an emerging ransomware group first observed in April 2024, operating with apparent financial motivations and demonstrating a broad international targeting approach across multiple high-value sectors. The group's origin and specific affiliations remain undocumented in public threat intelligence reporting, though their operational patterns suggest a financially motivated cybercriminal organization rather than state-sponsored activity. Given the limited public documentation from established security research organizations, specific details regarding Darkvault's attack methodology, initial access vectors, encryption techniques, and potential data exfiltration practices have not been comprehensively analyzed or reported by major threat intelligence providers such as CISA, FBI, or Mandiant. The group has reportedly compromised approximately 55 victims across diverse geographic regions, with particular concentration in India, the United States, Brazil, the United Kingdom, and South Korea, while demonstrating sector preferences for technology companies, business services, healthcare organizations, transportation and logistics firms, and financial institutions. Due to the group's recent emergence and limited coverage in established threat intelligence channels, comprehensive details regarding notable high-profile campaigns, ransom demands, or specific law enforcement actions remain undocumented in publicly available security research. Current intelligence suggests the group maintains active operations as of late 2024, though the limited public reporting on Darkvault indicates either highly effective operational security or insufficient analysis by major cybersecurity research organizations.

Most-targeted sectors

Most-affected countries

Recent disclosures by Darkvault

All 55 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Darkvault

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

Darkvault

aka DARK VAULT · 55 victims indexed · first seen 2 years ago · last activity 2 years ago

55
Victims indexed
#104 of 364 tracked operators
9m
Active period
Apr 2024 → Jan 2025
20
Countries hit
top United States · 10

At a glance

Status
inactive
Aliases
DARK VAULT
First seen
2 years ago
Last activity
2 years ago
Onion sites
3 known endpoints
Primary sector
Technology · 18 hits

About

Darkvault is an emerging ransomware group first observed in April 2024, operating with apparent financial motivations and demonstrating a broad international targeting approach across multiple high-value sectors. The group's origin and specific affiliations remain undocumented in public threat intelligence reporting, though their operational patterns suggest a financially motivated cybercriminal organization rather than state-sponsored activity. Given the limited public documentation from established security research organizations, specific details regarding Darkvault's attack methodology, initial access vectors, encryption techniques, and potential data exfiltration practices have not been comprehensively analyzed or reported by major threat intelligence providers such as CISA, FBI, or Mandiant. The group has reportedly compromised approximately 55 victims across diverse geographic regions, with particular concentration in India, the United States, Brazil, the United Kingdom, and South Korea, while demonstrating sector preferences for technology companies, business services, healthcare organizations, transportation and logistics firms, and financial institutions. Due to the group's recent emergence and limited coverage in established threat intelligence channels, comprehensive details regarding notable high-profile campaigns, ransom demands, or specific law enforcement actions remain undocumented in publicly available security research. Current intelligence suggests the group maintains active operations as of late 2024, though the limited public reporting on Darkvault indicates either highly effective operational security or insufficient analysis by major cybersecurity research organizations.

References

4 links

External sources curated by the MISP threat-intel community.

Timeline

8 months
2024-04-01T00:00:00+00:00 · 192024-05-01T00:00:00+00:00 · 32024-06-01T00:00:00+00:00 · 102024-07-01T00:00:00+00:00 · 42024-08-01T00:00:00+00:00 · 112024-11-01T00:00:00+00:00 · 42024-12-01T00:00:00+00:00 · 22025-01-01T00:00:00+00:00 · 2
2024-04-01T00:00:00+00:002025-01-01T00:00:00+00:00

Top countries

🇺🇸 United States
10
🇮🇳 India
9
🇧🇷 Brazil
6
🇬🇧 United Kingdom
5
🇰🇷 South Korea
3
🇦🇪 UAE
3
🇲🇽 Mexico
2
🇸🇦 Saudi Arabia
2

Top sectors

Technology
18
Business Services
15
Healthcare
6
Financial
4
Transportation/Logistics
4
Agriculture and Food Production
2
Hospitality and Tourism
1
Government
1

MITRE ATT&CK

5 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1027Obfuscated Files or Information
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

3 known
  • http://5vphklgizbimeq5l4yt274p533fgirhqnjhjuppcp2ibteavmro5fzad.onion
  • http://tx23pk4zw5qynq3tmfk2jz5zbel63p4nwvkheswze7r6gzxhzcbseyad.onion
  • http://mdhby62yvvg6sd5jmx5gsyucs7ynb5j45lvvdh4dsymg43puitu7tfid.onion

Source

Updated 2 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Darkvault posts a victim.

Add Darkvault to your watchlist — Pro pings you within 5 minutes of any new Darkvault leak-site post, Telegram callout, or affiliate-rebrand inference.