Skip to main content

Operator dossier

Dragonforce (also tracked as DRAGON FORCE) is a ransomware operator currently active on public leak sites. Darkfield has indexed 627 public victims claimed by this operator between December 13, 2023 and July 14, 2026. Dragonforce is a relatively new ransomware group that emerged in December 2023, operating with apparent financial motivations based on their targeting patterns and victim selection. The group's origin and potential affiliations remain unclear due to limited public documentation from established threat intelligence sources, though their rapid accumulation of 439 documented victims suggests either sophisticated capabilities or possible connections to existing ransomware infrastructure. Based on their targeting patterns across diverse sectors including manufacturing, business services, technology, and construction, Dragonforce appears to employ opportunistic attack methodologies, though specific initial access vectors, encryption methods, and extortion tactics have not been publicly detailed by major security firms or law enforcement agencies. The group has demonstrated a preference for targeting organizations primarily in English-speaking countries and Western Europe, with the United States, United Kingdom, Germany, Australia, and Italy representing their most frequent victim locations, suggesting possible language capabilities or geographic operational preferences. As of current reporting, Dragonforce appears to remain active given their recent emergence and ongoing victim acquisition, though the lack of detailed public analysis from major threat intelligence organizations indicates either operational security measures that have limited researcher visibility or that the group has not yet conducted sufficiently high-profile attacks to warrant extensive public documentation by CISA, FBI, or established security research firms.

Most-targeted sectors

Most-affected countries

Recent disclosures by Dragonforce

Most recent 150 of 627 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Dragonforce

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Dragonforce

aka DRAGON FORCE · 627 victims indexed · first seen 3 years ago · last activity 20 hours ago

627
Victims indexed
#17 of 364 tracked operators
2y 7m
Active period
Dec 2023 → Jul 2026
30
Countries hit
top United States · 257

At a glance

Status
active
Aliases
DRAGON FORCE
First seen
3 years ago
Last activity
20 hours ago
Onion sites
4 known endpoints
Primary sector
Not Found · 149 hits

About

Dragonforce is a relatively new ransomware group that emerged in December 2023, operating with apparent financial motivations based on their targeting patterns and victim selection. The group's origin and potential affiliations remain unclear due to limited public documentation from established threat intelligence sources, though their rapid accumulation of 439 documented victims suggests either sophisticated capabilities or possible connections to existing ransomware infrastructure. Based on their targeting patterns across diverse sectors including manufacturing, business services, technology, and construction, Dragonforce appears to employ opportunistic attack methodologies, though specific initial access vectors, encryption methods, and extortion tactics have not been publicly detailed by major security firms or law enforcement agencies. The group has demonstrated a preference for targeting organizations primarily in English-speaking countries and Western Europe, with the United States, United Kingdom, Germany, Australia, and Italy representing their most frequent victim locations, suggesting possible language capabilities or geographic operational preferences. As of current reporting, Dragonforce appears to remain active given their recent emergence and ongoing victim acquisition, though the lack of detailed public analysis from major threat intelligence organizations indicates either operational security measures that have limited researcher visibility or that the group has not yet conducted sufficiently high-profile attacks to warrant extensive public documentation by CISA, FBI, or established security research firms.

References

8 links

External sources curated by the MISP threat-intel community.

Timeline

24 months
2024-07-01T00:00:00+00:00 · 142024-08-01T00:00:00+00:00 · 122024-09-01T00:00:00+00:00 · 62024-10-01T00:00:00+00:00 · 52024-11-01T00:00:00+00:00 · 42024-12-01T00:00:00+00:00 · 82025-01-01T00:00:00+00:00 · 132025-02-01T00:00:00+00:00 · 62025-03-01T00:00:00+00:00 · 162025-04-01T00:00:00+00:00 · 192025-05-01T00:00:00+00:00 · 22025-06-01T00:00:00+00:00 · 262025-07-01T00:00:00+00:00 · 222025-08-01T00:00:00+00:00 · 302025-09-01T00:00:00+00:00 · 92025-10-01T00:00:00+00:00 · 172025-11-01T00:00:00+00:00 · 272025-12-01T00:00:00+00:00 · 342026-01-01T00:00:00+00:00 · 92026-02-01T00:00:00+00:00 · 372026-03-01T00:00:00+00:00 · 632026-04-01T00:00:00+00:00 · 652026-05-01T00:00:00+00:00 · 692026-06-01T00:00:00+00:00 · 18
2024-07-01T00:00:00+00:002026-06-01T00:00:00+00:00

Top countries

🇺🇸 United States
257
🇺🇸 United States
47
🇬🇧 United Kingdom
33
🇩🇪 Germany
23
🇦🇺 Australia
16
🇮🇹 Italy
15
🇨🇦 Canada
14
🇬🇧 United Kingdom
12

Top sectors

Manufacturing
79
Business Services
74
Technology
50
Construction
43
Healthcare
37
Transportation/Logistics
25
Financial Services
21
Agriculture and Food Production
19

MITRE ATT&CK

8 techniques · 7 tactics

Tactics

Initial AccessExecutionDefense EvasionLateral MovementCollectionExfiltrationImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1027Obfuscated Files or Information
  • T1021Remote Services
  • T1083File and Directory Discovery
  • T1041Exfiltration Over C2 Channel
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

4 known
  • http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion
  • http://3pktcrcbmssvrnwe5skburdwe2h3v6ibdnn5kbjqihsg6eu6s6b7ryqd.onion/login
  • http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion
  • http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/api/guest/blog/posts?page=1

Source

Updated 20 hours ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Dragonforce posts a victim.

Add Dragonforce to your watchlist — Pro pings you within 5 minutes of any new Dragonforce leak-site post, Telegram callout, or affiliate-rebrand inference.