Operator dossier

Moneymessage (also tracked as money message) is a ransomware operator currently active on public leak sites. Darkfield has indexed 32 public victims claimed by this operator between March 29, 2023 and May 16, 2026. Moneymessage is a relatively new ransomware group that emerged in March 2023, operating with primarily financial motivations and targeting organizations across multiple sectors globally. Given the group's recent emergence and limited public documentation from major security agencies, detailed information about their origin and affiliations remains largely unknown, though their targeting patterns suggest they may operate as a smaller independent operation rather than a large-scale RaaS model. The group has demonstrated a broad targeting approach across healthcare, business services, public sector, government, and financial organizations, with their 29 documented victims spanning geographically diverse regions including the United States, Italy, Argentina, Bangladesh, and Russia, though specific attack methodologies and technical capabilities have not been extensively documented by major threat intelligence firms. Notable campaigns and high-profile attacks attributed to Moneymessage have not been widely reported by established security researchers or law enforcement agencies, likely due to the group's relatively recent emergence and smaller scale of operations compared to more prominent ransomware families. The group appears to remain active as of available reporting, though comprehensive analysis of their current operational status is limited by the lack of detailed public documentation from authoritative sources such as CISA, FBI, or major cybersecurity firms.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

Moneymessage

aka money message · 32 victims indexed · first seen 3 years ago · last activity 5 days ago

Victims indexed

#132 of 348 tracked operators

3y 2m

Active period

Mar 2023 → May 2026

Countries hit

top United States · 8

At a glance

Status: active
Aliases: money message
First seen: 3 years ago
Last activity: 5 days ago
Onion sites: 2 known endpoints
Primary sector: Healthcare · 4 hits

About

Moneymessage is a relatively new ransomware group that emerged in March 2023, operating with primarily financial motivations and targeting organizations across multiple sectors globally. Given the group's recent emergence and limited public documentation from major security agencies, detailed information about their origin and affiliations remains largely unknown, though their targeting patterns suggest they may operate as a smaller independent operation rather than a large-scale RaaS model. The group has demonstrated a broad targeting approach across healthcare, business services, public sector, government, and financial organizations, with their 29 documented victims spanning geographically diverse regions including the United States, Italy, Argentina, Bangladesh, and Russia, though specific attack methodologies and technical capabilities have not been extensively documented by major threat intelligence firms. Notable campaigns and high-profile attacks attributed to Moneymessage have not been widely reported by established security researchers or law enforcement agencies, likely due to the group's relatively recent emergence and smaller scale of operations compared to more prominent ransomware families. The group appears to remain active as of available reporting, though comprehensive analysis of their current operational status is limited by the lack of detailed public documentation from authoritative sources such as CISA, FBI, or major cybersecurity firms.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/money message

Timeline

15 months

2023-03-01T00:00:00+00:002026-01-01T00:00:00+00:00

Top countries

🇺🇸 United States

🇮🇹 Italy

🇦🇷 Argentina

🇧🇩 Bangladesh

🇷🇺 Russia

🇦🇺 Australia

🇪🇬 Egypt

United States dossier →Italy dossier →Argentina dossier →Bangladesh dossier →

Top sectors

Healthcare

Business Services

Public Sector

Government

Financial

Education

Healthcare dossier →Business Services dossier →Public Sector dossier →Government dossier →

MITRE ATT&CK

5 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1204User Execution
T1027Obfuscated Files or Information
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

2 known

http://blogvl7tjyjvsfthobttze52w36wwiz34hrfcmorgvdzb6hikucb7aqd.onion
http://blogvl7tjyjvsfthobttze52w36wwiz34hrfcmorgvdzb6hikucb7aqd.onion/news.php?contentId=1

Source

Updated 5 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.