Skip to main content

Operator dossier

Hunters International (also tracked as Hunters) is a ransomware operator currently active on public leak sites. Darkfield has indexed 695 public victims claimed by this operator between October 20, 2023 and March 26, 2026. Hunters International is a ransomware group that emerged in October 2023, operating with primarily financial motivations and demonstrating rapid expansion in their victim targeting across multiple sectors. The group's origin and specific affiliations remain largely undocumented by major security agencies, though their operational patterns suggest they function as an independent ransomware operation rather than a established Ransomware-as-a-Service model. Based on publicly available victim data, Hunters International has demonstrated a preference for targeting business services, technology, and manufacturing sectors, with their attacks primarily concentrated in English-speaking countries including the United States, France, and the United Kingdom. Their attack methodology and specific technical capabilities have not been extensively documented by major threat intelligence organizations such as CISA, FBI, or Mandiant, limiting detailed analysis of their initial access vectors, encryption methods, or data exfiltration practices. With 388 documented victims since their emergence, the group has shown consistent activity levels, though specific high-profile campaigns or notable ransom demands have not been widely reported in public threat intelligence reports. As of current reporting, Hunters International appears to remain active with no documented law enforcement disruptions or operational changes reported by major cybersecurity agencies.

Most-targeted sectors

Most-affected countries

Recent disclosures by Hunters International

Most recent 150 of 695 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Hunters International

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Hunters International

aka Hunters · 695 victims indexed · first seen 3 years ago · last activity 4 months ago

695
Victims indexed
#14 of 364 tracked operators
2y 5m
Active period
Oct 2023 → Mar 2026
30
Countries hit
top United States · 352

At a glance

Status
active
Aliases
Hunters
First seen
3 years ago
Last activity
4 months ago
Onion sites
7 known endpoints
Primary sector
Business Services · 123 hits

About

Hunters International is a ransomware group that emerged in October 2023, operating with primarily financial motivations and demonstrating rapid expansion in their victim targeting across multiple sectors. The group's origin and specific affiliations remain largely undocumented by major security agencies, though their operational patterns suggest they function as an independent ransomware operation rather than a established Ransomware-as-a-Service model. Based on publicly available victim data, Hunters International has demonstrated a preference for targeting business services, technology, and manufacturing sectors, with their attacks primarily concentrated in English-speaking countries including the United States, France, and the United Kingdom. Their attack methodology and specific technical capabilities have not been extensively documented by major threat intelligence organizations such as CISA, FBI, or Mandiant, limiting detailed analysis of their initial access vectors, encryption methods, or data exfiltration practices. With 388 documented victims since their emergence, the group has shown consistent activity levels, though specific high-profile campaigns or notable ransom demands have not been widely reported in public threat intelligence reports. As of current reporting, Hunters International appears to remain active with no documented law enforcement disruptions or operational changes reported by major cybersecurity agencies.

References

4 links

External sources curated by the MISP threat-intel community.

Timeline

24 months
2023-10-01T00:00:00+00:00 · 42023-11-01T00:00:00+00:00 · 372023-12-01T00:00:00+00:00 · 122024-01-01T00:00:00+00:00 · 282024-02-01T00:00:00+00:00 · 642024-03-01T00:00:00+00:00 · 382024-04-01T00:00:00+00:00 · 602024-05-01T00:00:00+00:00 · 232024-06-01T00:00:00+00:00 · 162024-07-01T00:00:00+00:00 · 522024-08-01T00:00:00+00:00 · 382024-09-01T00:00:00+00:00 · 282024-10-01T00:00:00+00:00 · 462024-11-01T00:00:00+00:00 · 482024-12-01T00:00:00+00:00 · 302025-01-01T00:00:00+00:00 · 182025-02-01T00:00:00+00:00 · 202025-03-01T00:00:00+00:00 · 122025-04-01T00:00:00+00:00 · 342025-05-01T00:00:00+00:00 · 102025-10-01T00:00:00+00:00 · 462026-01-01T00:00:00+00:00 · 82026-02-01T00:00:00+00:00 · 92026-03-01T00:00:00+00:00 · 14
2023-10-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 United States
352
🇬🇧 United Kingdom
32
🇨🇦 Canada
29
🇫🇷 France
28
🇩🇪 Germany
21
🇪🇸 Spain
18
🇮🇹 Italy
16
🇯🇵 Japan
15

Top sectors

Business Services
123
Manufacturing
91
Technology
88
Healthcare
68
Energy
42
Transportation/Logistics
39
Government
26
Financial
24

MITRE ATT&CK

13 techniques · 10 tactics

Tactics

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessLateral MovementCollectionExfiltrationImpact

Techniques

  • T1190Exploit Public-Facing Application
  • T1566Phishing
  • T1059Command and Scripting Interpreter
  • T1543Create or Modify System Process
  • T1055Process Injection
  • T1562Impair Defenses
  • T1003OS Credential Dumping
  • T1021Remote Services
  • T1005Data from Local System
  • T1039Data from Network Shared Drive
  • T1041Exfiltration Over C2 Channel
  • T1567Exfiltration Over Web Service
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

7 known
  • http://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion
  • http://hunters55atbdusuladzv7vzv6a423bkh6ksl2uftwrxyuarbzlfh7yd.onion
  • https://hunters33mmcwww7ek7q5ndahul6nmzmrsumfs6aenicbqon6mxfiqyd.onion/login
  • https://hunters55atbdusuladzv7vzv6a423bkh6ksl2uftwrxyuarbzlfh7yd.onion/api/public/companies
  • https://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion/api/public/companies
  • http://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion
  • http://huntersinternational.net

Source

Updated 4 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Hunters International posts a victim.

Add Hunters International to your watchlist — Pro pings you within 5 minutes of any new Hunters International leak-site post, Telegram callout, or affiliate-rebrand inference.