minteye is a ransomware operator currently active on public leak sites. Darkfield has indexed 5 public victims claimed by this operator between December 12, 2025. Based on available information, minteye is an emerging ransomware group first observed in December 2025 with limited documented activity, having targeted at least five known victims primarily for financial gain. The group's origin and affiliations remain unknown, and major security firms have published no information on its operational structure or on whether it operates under a ransomware-as-a-service model. Its attack methodology, encryption techniques, and specific tools have not been extensively documented by reputable security researchers, though its targeting pattern suggests a focus on diverse sectors including construction, transportation/logistics, and agriculture/food production. The group has primarily targeted organizations in the United States and Chile, indicating either a regional focus or opportunistic targeting based on access rather than strategic selection. No major high-profile campaigns or significant law enforcement actions have been publicly reported by CISA, the FBI, or established threat intelligence firms. Given the recent emergence date of December 2025 and limited victim count, minteye appears to be a newly active group with minimal public documentation of its capabilities or impact.
How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.