Skip to main content

Operator dossier

Moneymessage (also tracked as money message) is a ransomware operator currently active on public leak sites. Darkfield has indexed 34 public victims claimed by this operator between March 29, 2023 and July 9, 2026. Moneymessage is a relatively new ransomware group that emerged in March 2023, operating with primarily financial motivations and targeting organizations across multiple sectors globally. Given the group's recent emergence and limited public documentation from major security agencies, detailed information about their origin and affiliations remains largely unknown, though their targeting patterns suggest they may operate as a smaller independent operation rather than a large-scale RaaS model. The group has demonstrated a broad targeting approach across healthcare, business services, public sector, government, and financial organizations, with their 29 documented victims spanning geographically diverse regions including the United States, Italy, Argentina, Bangladesh, and Russia, though specific attack methodologies and technical capabilities have not been extensively documented by major threat intelligence firms. Notable campaigns and high-profile attacks attributed to Moneymessage have not been widely reported by established security researchers or law enforcement agencies, likely due to the group's relatively recent emergence and smaller scale of operations compared to more prominent ransomware families. The group appears to remain active as of available reporting, though comprehensive analysis of their current operational status is limited by the lack of detailed public documentation from authoritative sources such as CISA, FBI, or major cybersecurity firms.

Most-targeted sectors

Most-affected countries

Recent disclosures by Moneymessage

Most recent 32 of 34 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Moneymessage

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Moneymessage

aka money message · 34 victims indexed · first seen 3 years ago · last activity 6 days ago

34
Victims indexed
#133 of 364 tracked operators
3y 4m
Active period
Mar 2023 → Jul 2026
12
Countries hit
top United States · 17

At a glance

Status
active
Aliases
money message
First seen
3 years ago
Last activity
6 days ago
Onion sites
2 known endpoints
Primary sector
Manufacturing · 5 hits

About

Moneymessage is a relatively new ransomware group that emerged in March 2023, operating with primarily financial motivations and targeting organizations across multiple sectors globally. Given the group's recent emergence and limited public documentation from major security agencies, detailed information about their origin and affiliations remains largely unknown, though their targeting patterns suggest they may operate as a smaller independent operation rather than a large-scale RaaS model. The group has demonstrated a broad targeting approach across healthcare, business services, public sector, government, and financial organizations, with their 29 documented victims spanning geographically diverse regions including the United States, Italy, Argentina, Bangladesh, and Russia, though specific attack methodologies and technical capabilities have not been extensively documented by major threat intelligence firms. Notable campaigns and high-profile attacks attributed to Moneymessage have not been widely reported by established security researchers or law enforcement agencies, likely due to the group's relatively recent emergence and smaller scale of operations compared to more prominent ransomware families. The group appears to remain active as of available reporting, though comprehensive analysis of their current operational status is limited by the lack of detailed public documentation from authoritative sources such as CISA, FBI, or major cybersecurity firms.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

16 months
2023-03-01T00:00:00+00:00 · 22023-04-01T00:00:00+00:00 · 62023-07-01T00:00:00+00:00 · 22023-09-01T00:00:00+00:00 · 42023-10-01T00:00:00+00:00 · 42024-01-01T00:00:00+00:00 · 12024-05-01T00:00:00+00:00 · 12024-06-01T00:00:00+00:00 · 12024-11-01T00:00:00+00:00 · 12024-12-01T00:00:00+00:00 · 22025-01-01T00:00:00+00:00 · 12025-05-01T00:00:00+00:00 · 12025-07-01T00:00:00+00:00 · 12025-08-01T00:00:00+00:00 · 12026-01-01T00:00:00+00:00 · 12026-05-01T00:00:00+00:00 · 3
2023-03-01T00:00:00+00:002026-05-01T00:00:00+00:00

Top countries

🇺🇸 United States
17
🇹🇷 Turkey
1
🇦🇷 Argentina
1
🇧🇩 Bangladesh
1
🇦🇺 Australia
1
🇮🇹 Italy
1
🇬🇧 United Kingdom
1
🇯🇵 Japan
1

Top sectors

Manufacturing
5
Healthcare
4
Business Services
4
Transportation & Logistics
3
Public Sector
2
Education
2
Government
2
Technology
2

MITRE ATT&CK

5 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1204User Execution
  • T1027Obfuscated Files or Information
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

2 known
  • http://blogvl7tjyjvsfthobttze52w36wwiz34hrfcmorgvdzb6hikucb7aqd.onion
  • http://blogvl7tjyjvsfthobttze52w36wwiz34hrfcmorgvdzb6hikucb7aqd.onion/news.php?contentId=1

Source

Updated 6 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Moneymessage posts a victim.

Add Moneymessage to your watchlist — Pro pings you within 5 minutes of any new Moneymessage leak-site post, Telegram callout, or affiliate-rebrand inference.