Operator dossier

LeakBazaar (also tracked as leak bazaar) is a ransomware operator currently active on public leak sites. Darkfield has indexed 9 public victims claimed by this operator between May 10, 2026. Based on available public reporting, LeakBazaar is a relatively new ransomware group that first emerged in May 2026, appearing to be financially motivated given their targeting of high-value sectors and geographic focus on developed economies. The group's country of origin and potential affiliations with other cybercriminal organizations remain unknown at this time, and there is insufficient public documentation to determine whether they operate as a Ransomware-as-a-Service model or as an independent entity. With only nine documented victims since their emergence, LeakBazaar demonstrates a targeted approach focusing primarily on manufacturing, technology, business services, transportation/logistics, and financial services sectors across the United States, India, Singapore, and the United Kingdom, though their specific initial access vectors, encryption methods, and whether they employ double or triple extortion tactics have not been publicly documented by major threat intelligence firms or law enforcement agencies. Due to the group's recent emergence and limited public reporting from established sources such as CISA, FBI, or Mandiant, there are no widely reported notable campaigns or high-profile attacks that have gained significant attention in the cybersecurity community. LeakBazaar appears to remain active as of current reporting, though the limited intelligence available makes it difficult to assess their operational tempo or expansion plans.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

LeakBazaar

aka leak bazaar · 9 victims indexed · first seen 11 days ago · last activity 11 days ago

Victims indexed

#202 of 348 tracked operators

<1m

Active period

May 2026 → May 2026

Countries hit

top US · 6

At a glance

Status: active
Aliases: leak bazaar
First seen: 11 days ago
Last activity: 11 days ago
Primary sector: Manufacturing · 2 hits

About

Based on available public reporting, LeakBazaar is a relatively new ransomware group that first emerged in May 2026, appearing to be financially motivated given their targeting of high-value sectors and geographic focus on developed economies. The group's country of origin and potential affiliations with other cybercriminal organizations remain unknown at this time, and there is insufficient public documentation to determine whether they operate as a Ransomware-as-a-Service model or as an independent entity. With only nine documented victims since their emergence, LeakBazaar demonstrates a targeted approach focusing primarily on manufacturing, technology, business services, transportation/logistics, and financial services sectors across the United States, India, Singapore, and the United Kingdom, though their specific initial access vectors, encryption methods, and whether they employ double or triple extortion tactics have not been publicly documented by major threat intelligence firms or law enforcement agencies. Due to the group's recent emergence and limited public reporting from established sources such as CISA, FBI, or Mandiant, there are no widely reported notable campaigns or high-profile attacks that have gained significant attention in the cybersecurity community. LeakBazaar appears to remain active as of current reporting, though the limited intelligence available makes it difficult to assess their operational tempo or expansion plans.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/leak bazaar

Timeline

1 months

2026-05-01T00:00:00+00:002026-05-01T00:00:00+00:00

Top countries

🇺🇸 US

🇮🇳 IN

🇸🇬 SG

🇬🇧 GB

US dossier →IN dossier →SG dossier →GB dossier →

Top sectors

Manufacturing

Technology

Business Services

Transportation/Logistics

Financial Services

Construction

Healthcare

Manufacturing dossier →Technology dossier →Business Services dossier →Transportation/Logistics dossier →

MITRE ATT&CK

2 techniques · 2 tactics

Tactics

Initial AccessImpact

Techniques

T1190Exploit Public-Facing Application
T1486Data Encrypted for Impact

Recent victims

Loading…

Source

Updated 11 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.