Skip to main content

Operator dossier

LeakBazaar (also tracked as leak bazaar) is a ransomware operator currently active on public leak sites. Darkfield has indexed 9 public victims claimed by this operator between May 10, 2026. Based on available public reporting, LeakBazaar is a relatively new ransomware group that first emerged in May 2026, appearing to be financially motivated given their targeting of high-value sectors and geographic focus on developed economies. The group's country of origin and potential affiliations with other cybercriminal organizations remain unknown at this time, and there is insufficient public documentation to determine whether they operate as a Ransomware-as-a-Service model or as an independent entity. With only nine documented victims since their emergence, LeakBazaar demonstrates a targeted approach focusing primarily on manufacturing, technology, business services, transportation/logistics, and financial services sectors across the United States, India, Singapore, and the United Kingdom, though their specific initial access vectors, encryption methods, and whether they employ double or triple extortion tactics have not been publicly documented by major threat intelligence firms or law enforcement agencies. Due to the group's recent emergence and limited public reporting from established sources such as CISA, FBI, or Mandiant, there are no widely reported notable campaigns or high-profile attacks that have gained significant attention in the cybersecurity community. LeakBazaar appears to remain active as of current reporting, though the limited intelligence available makes it difficult to assess their operational tempo or expansion plans.

Most-targeted sectors

Most-affected countries

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

LeakBazaar

aka leak bazaar · 9 victims indexed · first seen 2 months ago · last activity 2 months ago

9
Victims indexed
#214 of 364 tracked operators
<1m
Active period
May 2026 → May 2026
4
Countries hit
top US · 6

At a glance

Status
active
Aliases
leak bazaar
First seen
2 months ago
Last activity
2 months ago
Primary sector
Manufacturing · 2 hits

About

Based on available public reporting, LeakBazaar is a relatively new ransomware group that first emerged in May 2026, appearing to be financially motivated given their targeting of high-value sectors and geographic focus on developed economies. The group's country of origin and potential affiliations with other cybercriminal organizations remain unknown at this time, and there is insufficient public documentation to determine whether they operate as a Ransomware-as-a-Service model or as an independent entity. With only nine documented victims since their emergence, LeakBazaar demonstrates a targeted approach focusing primarily on manufacturing, technology, business services, transportation/logistics, and financial services sectors across the United States, India, Singapore, and the United Kingdom, though their specific initial access vectors, encryption methods, and whether they employ double or triple extortion tactics have not been publicly documented by major threat intelligence firms or law enforcement agencies. Due to the group's recent emergence and limited public reporting from established sources such as CISA, FBI, or Mandiant, there are no widely reported notable campaigns or high-profile attacks that have gained significant attention in the cybersecurity community. LeakBazaar appears to remain active as of current reporting, though the limited intelligence available makes it difficult to assess their operational tempo or expansion plans.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

1 months
2026-05-01T00:00:00+00:00 · 9
2026-05-01T00:00:00+00:002026-05-01T00:00:00+00:00

Top countries

🇺🇸 United States
6
🇮🇳 India
1
🇸🇬 Singapore
1
🇬🇧 United Kingdom
1

Top sectors

Manufacturing
2
Technology
2
Business Services
1
Transportation/Logistics
1
Financial Services
1
Construction
1
Healthcare
1

MITRE ATT&CK

2 techniques · 2 tactics

Tactics

Initial AccessImpact

Techniques

  • T1190Exploit Public-Facing Application
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Source

Updated 2 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time LeakBazaar posts a victim.

Add LeakBazaar to your watchlist — Pro pings you within 5 minutes of any new LeakBazaar leak-site post, Telegram callout, or affiliate-rebrand inference.