teamxxx is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 12 public victims claimed by this operator between June 10, 2025 and August 4, 2025. Based on the limited available information, teamxxx is a recently emerged ransomware group first observed in June 2025, appearing to be financially motivated based on their targeting patterns and operational characteristics. The group's origin and potential affiliations remain unclear due to their recent emergence and limited public documentation by major threat intelligence organizations. Their attack methodology and specific tools have not been extensively documented, though their diverse geographic targeting across the United States, Czech Republic, Hong Kong, Sweden, and Germany, combined with their focus on high-value sectors including healthcare, financial services, and hospitality, suggests a financially driven operation seeking maximum impact and payment potential. With only 12 known victims documented since their emergence, the group has not yet conducted any widely publicized major campaigns that have drawn significant attention from law enforcement or security researchers. Given their recent first observation in June 2025, teamxxx appears to still be active, though their limited victim count and lack of extensive public reporting suggest they remain a relatively minor player in the current ransomware landscape.
How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.