Skip to main content

Operator dossier

minteye is a ransomware operator currently active on public leak sites. Darkfield has indexed 5 public victims claimed by this operator between December 12, 2025. Based on available information, minteye is an emerging ransomware group first observed in December 2025 with limited documented activity, having targeted at least five known victims primarily for financial gain. The group's origin and affiliations remain unknown, with no publicly documented information from major security firms regarding their operational structure or whether they operate as a ransomware-as-a-service model. Their attack methodology, encryption techniques, and specific tools have not been extensively documented by reputable security researchers, though their targeting pattern suggests they focus on diverse sectors including construction, transportation/logistics, and agriculture/food production. The group has primarily targeted organizations in the United States and Chile, indicating either a regional focus or opportunistic targeting based on access rather than strategic selection. No major high-profile campaigns or significant law enforcement actions have been publicly reported by CISA, FBI, or established threat intelligence firms. Given the recent emergence date of December 2025 and limited victim count, minteye appears to be a newly active group with minimal public documentation of their capabilities or impact.

Most-targeted sectors

Most-affected countries

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

minteye

5 victims indexed · first seen 7 months ago · last activity 7 months ago

5
Victims indexed
#252 of 364 tracked operators
<1m
Active period
Dec 2025 → Dec 2025
2
Countries hit
top US · 4

At a glance

Status
active
First seen
7 months ago
Last activity
7 months ago
Onion sites
1 known endpoint
Primary sector
Not Found · 2 hits

About

Based on available information, minteye is an emerging ransomware group first observed in December 2025 with limited documented activity, having targeted at least five known victims primarily for financial gain. The group's origin and affiliations remain unknown, with no publicly documented information from major security firms regarding their operational structure or whether they operate as a ransomware-as-a-service model. Their attack methodology, encryption techniques, and specific tools have not been extensively documented by reputable security researchers, though their targeting pattern suggests they focus on diverse sectors including construction, transportation/logistics, and agriculture/food production. The group has primarily targeted organizations in the United States and Chile, indicating either a regional focus or opportunistic targeting based on access rather than strategic selection. No major high-profile campaigns or significant law enforcement actions have been publicly reported by CISA, FBI, or established threat intelligence firms. Given the recent emergence date of December 2025 and limited victim count, minteye appears to be a newly active group with minimal public documentation of their capabilities or impact.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

1 months
2025-12-01T00:00:00+00:00 · 5
2025-12-01T00:00:00+00:002025-12-01T00:00:00+00:00

Top countries

🇺🇸 United States
4
🇨🇱 Chile
1

Top sectors

Construction
1
Transportation/Logistics
1
Agriculture and Food Production
1

MITRE ATT&CK

3 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

  • T1566Phishing
  • T1059Command and Scripting Interpreter
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known
  • http://i6575ykikb3yvut4btucoqjshbktouxxyu3eb3ffa3ukvyvtam5y5pqd.onion

Source

Updated 7 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time minteye posts a victim.

Add minteye to your watchlist — Pro pings you within 5 minutes of any new minteye leak-site post, Telegram callout, or affiliate-rebrand inference.