Skip to main content

Operator dossier

worldleaks is a ransomware operator currently active on public leak sites. Darkfield has indexed 173 public victims claimed by this operator between May 18, 2025 and July 2, 2026. Based on the limited available data, worldleaks is a recently emerged ransomware group that was first observed in May 2025 and appears to be primarily financially motivated, having claimed 134 victims in a relatively short timeframe since its emergence. The group's origin and organizational structure remain unclear, with no publicly documented information from major cybersecurity firms or law enforcement agencies regarding their country of origin, potential affiliations, or operational model. Their targeting patterns indicate a focus on English-speaking countries, particularly the United States, United Kingdom, and Canada, with additional activity observed in Germany and Japan, while their sector targeting shows a preference for healthcare, technology, manufacturing, and consumer services organizations. Due to the group's recent emergence and limited public documentation by established threat intelligence sources, specific details about their attack methodologies, encryption techniques, extortion tactics, and notable campaigns have not yet been comprehensively analyzed or reported by organizations such as CISA, FBI, or major cybersecurity research firms. The group appears to remain active as of the most recent observations, though comprehensive threat intelligence profiling awaits further analysis and documentation by established cybersecurity authorities.

Most-targeted sectors

Most-affected countries

Recent disclosures by worldleaks

Most recent 150 of 173 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for worldleaks

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

worldleaks

173 victims indexed · first seen 1 year ago · last activity 13 days ago

173
Victims indexed
#51 of 364 tracked operators
1y 2m
Active period
May 2025 → Jul 2026
10
Countries hit
top US · 76

At a glance

Status
active
First seen
1 year ago
Last activity
13 days ago
Onion sites
2 known endpoints
Primary sector
Not Found · 35 hits

About

Based on the limited available data, worldleaks is a recently emerged ransomware group that was first observed in May 2025 and appears to be primarily financially motivated, having claimed 134 victims in a relatively short timeframe since its emergence. The group's origin and organizational structure remain unclear, with no publicly documented information from major cybersecurity firms or law enforcement agencies regarding their country of origin, potential affiliations, or operational model. Their targeting patterns indicate a focus on English-speaking countries, particularly the United States, United Kingdom, and Canada, with additional activity observed in Germany and Japan, while their sector targeting shows a preference for healthcare, technology, manufacturing, and consumer services organizations. Due to the group's recent emergence and limited public documentation by established threat intelligence sources, specific details about their attack methodologies, encryption techniques, extortion tactics, and notable campaigns have not yet been comprehensively analyzed or reported by organizations such as CISA, FBI, or major cybersecurity research firms. The group appears to remain active as of the most recent observations, though comprehensive threat intelligence profiling awaits further analysis and documentation by established cybersecurity authorities.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

11 months
2025-05-01T00:00:00+00:00 · 92025-06-01T00:00:00+00:00 · 222025-07-01T00:00:00+00:00 · 202025-08-01T00:00:00+00:00 · 182025-09-01T00:00:00+00:00 · 132025-10-01T00:00:00+00:00 · 92025-11-01T00:00:00+00:00 · 102025-12-01T00:00:00+00:00 · 132026-01-01T00:00:00+00:00 · 32026-02-01T00:00:00+00:00 · 62026-03-01T00:00:00+00:00 · 11
2025-05-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 United States
76
🇬🇧 United Kingdom
8
🇩🇪 Germany
6
🇨🇦 Canada
6
🇯🇵 Japan
5
🇧🇷 Brazil
5
🇮🇳 India
3
🇫🇷 France
3

Top sectors

Healthcare
23
Technology
13
Manufacturing
13
Consumer Services
10
Business Services
7
Education
5
Hospitality and Tourism
5
Energy
5

MITRE ATT&CK

4 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1204User Execution
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

2 known
  • http://3jguvp6xhyypdjgxhxweu4zklse66v3awjj2zljpftcjyeoimepnwtyd.onion
  • http://worldleaksartrjm3c6vasllvgacbi5u3mgzkluehrzhk2jz4taufuid.onion

Source

Updated 13 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time worldleaks posts a victim.

Add worldleaks to your watchlist — Pro pings you within 5 minutes of any new worldleaks leak-site post, Telegram callout, or affiliate-rebrand inference.