Skip to main content

Operator dossier

teamxxx (also tracked as TEAM XXX) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 12 public victims claimed by this operator between June 10, 2025 and August 4, 2025. Based on the limited available information, teamxxx is a recently emerged ransomware group first observed in June 2025, appearing to be financially motivated based on their targeting patterns and operational characteristics. The group's origin and potential affiliations remain unclear due to their recent emergence and limited public documentation by major threat intelligence organizations. Their attack methodology and specific tools have not been extensively documented, though their diverse geographic targeting across the United States, Czech Republic, Hong Kong, Sweden, and Germany, combined with their focus on high-value sectors including healthcare, financial services, and hospitality suggests a financially-driven operation seeking maximum impact and payment potential. With only 12 known victims documented since their emergence, the group has not yet conducted any widely-publicized major campaigns that have drawn significant attention from law enforcement or security researchers. Given their recent first observation in June 2025, teamxxx appears to still be active, though their limited victim count and lack of extensive public reporting suggests they remain a relatively minor player in the current ransomware landscape.

Most-affected countries

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

teamxxx

aka TEAM XXX · 12 victims indexed · first seen 1 year ago · last activity 11 months ago

12
Victims indexed
#202 of 364 tracked operators
2m
Active period
Jun 2025 → Aug 2025
8
Countries hit
top United States · 5

At a glance

Status
inactive
Aliases
TEAM XXX
First seen
1 year ago
Last activity
11 months ago
Onion sites
1 known endpoint
Primary sector
Not Found · 4 hits

About

Based on the limited available information, teamxxx is a recently emerged ransomware group first observed in June 2025, appearing to be financially motivated based on their targeting patterns and operational characteristics. The group's origin and potential affiliations remain unclear due to their recent emergence and limited public documentation by major threat intelligence organizations. Their attack methodology and specific tools have not been extensively documented, though their diverse geographic targeting across the United States, Czech Republic, Hong Kong, Sweden, and Germany, combined with their focus on high-value sectors including healthcare, financial services, and hospitality suggests a financially-driven operation seeking maximum impact and payment potential. With only 12 known victims documented since their emergence, the group has not yet conducted any widely-publicized major campaigns that have drawn significant attention from law enforcement or security researchers. Given their recent first observation in June 2025, teamxxx appears to still be active, though their limited victim count and lack of extensive public reporting suggests they remain a relatively minor player in the current ransomware landscape.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

3 months
2025-06-01T00:00:00+00:00 · 92025-07-01T00:00:00+00:00 · 22025-08-01T00:00:00+00:00 · 1
2025-06-01T00:00:00+00:002025-08-01T00:00:00+00:00

Top countries

🇺🇸 United States
5
🇸🇪 Sweden
1
🇬🇧 United Kingdom
1
🇩🇪 Germany
1
Hong Kong SAR China
1
🇳🇴 Norway
1
🇨🇿 Czechia
1
🇮🇪 Ireland
1

Top sectors

Healthcare
3
Agriculture and Food Production
1
Hospitality and Tourism
1
Business Services
1
Financial Services
1
Transportation/Logistics
1

MITRE ATT&CK

4 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

1 known
  • http://tp5cwh6d2b5hekcg6jlhoe6mawa7dlwiv47epvnfmzuaaur2dnaa3uid.onion

Source

Updated 11 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time teamxxx posts a victim.

Add teamxxx to your watchlist — Pro pings you within 5 minutes of any new teamxxx leak-site post, Telegram callout, or affiliate-rebrand inference.