Operator dossier

Hunters International (also tracked as Hunters) is a ransomware operator currently active on public leak sites. Darkfield has indexed 388 public victims claimed by this operator between October 20, 2023 and March 26, 2026. Hunters International is a ransomware group that emerged in October 2023, operating with primarily financial motivations and demonstrating rapid expansion in their victim targeting across multiple sectors. The group's origin and specific affiliations remain largely undocumented by major security agencies, though their operational patterns suggest they function as an independent ransomware operation rather than a established Ransomware-as-a-Service model. Based on publicly available victim data, Hunters International has demonstrated a preference for targeting business services, technology, and manufacturing sectors, with their attacks primarily concentrated in English-speaking countries including the United States, France, and the United Kingdom. Their attack methodology and specific technical capabilities have not been extensively documented by major threat intelligence organizations such as CISA, FBI, or Mandiant, limiting detailed analysis of their initial access vectors, encryption methods, or data exfiltration practices. With 388 documented victims since their emergence, the group has shown consistent activity levels, though specific high-profile campaigns or notable ransom demands have not been widely reported in public threat intelligence reports. As of current reporting, Hunters International appears to remain active with no documented law enforcement disruptions or operational changes reported by major cybersecurity agencies.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

Hunters International

aka Hunters · 388 victims indexed · first seen 3 years ago · last activity 2 months ago

388

Victims indexed

#24 of 348 tracked operators

2y 5m

Active period

Oct 2023 → Mar 2026

Countries hit

top United States · 202

At a glance

Status: active
Aliases: Hunters
First seen: 3 years ago
Last activity: 2 months ago
Onion sites: 5 known endpoints
Primary sector: Business Services · 60 hits

About

Hunters International is a ransomware group that emerged in October 2023, operating with primarily financial motivations and demonstrating rapid expansion in their victim targeting across multiple sectors. The group's origin and specific affiliations remain largely undocumented by major security agencies, though their operational patterns suggest they function as an independent ransomware operation rather than a established Ransomware-as-a-Service model. Based on publicly available victim data, Hunters International has demonstrated a preference for targeting business services, technology, and manufacturing sectors, with their attacks primarily concentrated in English-speaking countries including the United States, France, and the United Kingdom. Their attack methodology and specific technical capabilities have not been extensively documented by major threat intelligence organizations such as CISA, FBI, or Mandiant, limiting detailed analysis of their initial access vectors, encryption methods, or data exfiltration practices. With 388 documented victims since their emergence, the group has shown consistent activity levels, though specific high-profile campaigns or notable ransom demands have not been widely reported in public threat intelligence reports. As of current reporting, Hunters International appears to remain active with no documented law enforcement disruptions or operational changes reported by major cybersecurity agencies.

References

4 links

External sources curated by the MISP threat-intel community.

Timeline

24 months

2023-10-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 United States

202

🇫🇷 France

🇬🇧 United Kingdom

🇨🇦 Canada

🇩🇪 Germany

🇯🇵 Japan

🇪🇸 Spain

🇮🇹 Italy

United States dossier →France dossier →United Kingdom dossier →Canada dossier →

Top sectors

Business Services

Technology

Manufacturing

Not Found

Healthcare

Transportation/Logistics

Energy

Consumer Services

Business Services dossier →Technology dossier →Manufacturing dossier →Not Found dossier →

MITRE ATT&CK

13 techniques · 10 tactics

Tactics

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessLateral MovementCollectionExfiltrationImpact

Techniques

T1190Exploit Public-Facing Application
T1566Phishing
T1059Command and Scripting Interpreter
T1543Create or Modify System Process
T1055Process Injection
T1562Impair Defenses
T1003OS Credential Dumping
T1021Remote Services
T1005Data from Local System
T1039Data from Network Shared Drive
T1041Exfiltration Over C2 Channel
T1567Exfiltration Over Web Service
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

5 known

http://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion
http://hunters55atbdusuladzv7vzv6a423bkh6ksl2uftwrxyuarbzlfh7yd.onion
https://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion/login
https://hunters55atbdusuladzv7vzv6a423bkh6ksl2uftwrxyuarbzlfh7yd.onion/api/public/companies
https://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion/api/public/companies

Source

Updated 2 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.