Operator dossier

Donutleaks is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 42 public victims claimed by this operator between August 24, 2022 and July 24, 2024. Donutleaks is a ransomware group that emerged in August 2022, operating with primarily financial motivations and demonstrating a pattern of targeting critical infrastructure and business sectors across multiple countries. The group's origin and specific affiliations remain largely undocumented in publicly available threat intelligence reports, with limited information available from major security firms or law enforcement agencies regarding their operational structure or potential ransomware-as-a-service model. Based on the limited public documentation available, the group has demonstrated a preference for attacking healthcare, technology, manufacturing, business services, and telecommunications sectors, with their attack methodology and specific technical capabilities not extensively detailed in current threat intelligence reporting. Donutleaks has been associated with approximately 42 documented victims primarily concentrated in the United States, Italy, Iran, and Spain, though specific high-profile campaigns or ransom demands have not been widely reported by major cybersecurity organizations or law enforcement agencies. The current operational status of Donutleaks remains unclear due to limited public threat intelligence coverage of this particular threat actor.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

← All groups

Donutleaks

42 victims indexed · first seen 4 years ago · last activity 2 years ago

Victims indexed

#114 of 348 tracked operators

1y 11m

Active period

Aug 2022 → Jul 2024

Countries hit

top United States · 8

At a glance

Status: inactive
First seen: 4 years ago
Last activity: 2 years ago
Onion sites: 7 known endpoints
Primary sector: Healthcare · 5 hits

About

Donutleaks is a ransomware group that emerged in August 2022, operating with primarily financial motivations and demonstrating a pattern of targeting critical infrastructure and business sectors across multiple countries. The group's origin and specific affiliations remain largely undocumented in publicly available threat intelligence reports, with limited information available from major security firms or law enforcement agencies regarding their operational structure or potential ransomware-as-a-service model. Based on the limited public documentation available, the group has demonstrated a preference for attacking healthcare, technology, manufacturing, business services, and telecommunications sectors, with their attack methodology and specific technical capabilities not extensively detailed in current threat intelligence reporting. Donutleaks has been associated with approximately 42 documented victims primarily concentrated in the United States, Italy, Iran, and Spain, though specific high-profile campaigns or ransom demands have not been widely reported by major cybersecurity organizations or law enforcement agencies. The current operational status of Donutleaks remains unclear due to limited public threat intelligence coverage of this particular threat actor.

References

4 links

External sources curated by the MISP threat-intel community.

Timeline

12 months

2022-08-01T00:00:00+00:002024-07-01T00:00:00+00:00

Top countries

🇺🇸 United States

🇮🇹 Italy

🇮🇷 IR

🇪🇸 Spain

United States dossier →Italy dossier →IR dossier →Spain dossier →

Top sectors

Healthcare

Technology

Manufacturing

Business Services

Telecommunications

Government

Not Found

Transportation/Logistics

Healthcare dossier →Technology dossier →Manufacturing dossier →Business Services dossier →

MITRE ATT&CK

5 techniques · 5 tactics

Tactics

Initial AccessExecutionDefense EvasionExfiltrationImpact

Techniques

T1566Phishing
T1059Command and Scripting Interpreter
T1027Obfuscated Files or Information
T1567Exfiltration Over Web Service
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

7 known

http://dk4mkfzqai6ure62oukzgtypedmwlfq57yj2fube7j5wsoi6tuia7nyd.onion
http://dk4mkfzqai6ure62oukzgtypedmwlfq57yj2fube7j5wsoi6tuia7nyd.onion/index.php
http://doq32rjiuomfghm5a4lyf3lwwakt2774tkv4ppsos6ueo5mhx7662gid.onion
http://qkbbaxiuqqcqb5nox4np4qjcniy2q6m7yeluvj7n5i5dn7pgpcwxwfid.onion
http://sbc2zv2qnz5vubwtx3aobfpkeao6l4igjegm3xx7tk5suqhjkp5jxtqd.onion
https://doq32rjiuomfghm5a4lyf3lwwakt2774tkv4ppsos6ueo5mhx7662gid.onion
https://qkbbaxiuqqcqb5nox4np4qjcniy2q6m7yeluvj7n5i5dn7pgpcwxwfid.onion

Source

Updated 2 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.