Operator dossier

worldleaks is a ransomware operator currently active on public leak sites. Darkfield has indexed 155 public victims claimed by this operator between May 18, 2025 and May 12, 2026. Based on the limited available data, worldleaks is a recently emerged ransomware group that was first observed in May 2025 and appears to be primarily financially motivated, having claimed 134 victims in a relatively short timeframe since its emergence. The group's origin and organizational structure remain unclear, with no publicly documented information from major cybersecurity firms or law enforcement agencies regarding their country of origin, potential affiliations, or operational model. Their targeting patterns indicate a focus on English-speaking countries, particularly the United States, United Kingdom, and Canada, with additional activity observed in Germany and Japan, while their sector targeting shows a preference for healthcare, technology, manufacturing, and consumer services organizations. Due to the group's recent emergence and limited public documentation by established threat intelligence sources, specific details about their attack methodologies, encryption techniques, extortion tactics, and notable campaigns have not yet been comprehensively analyzed or reported by organizations such as CISA, FBI, or major cybersecurity research firms. The group appears to remain active as of the most recent observations, though comprehensive threat intelligence profiling awaits further analysis and documentation by established cybersecurity authorities.

Most-targeted sectors

Not Found35 victims
Healthcare23 victims
Technology13 victims
Manufacturing13 victims
Consumer Services10 victims
Business Services7 victims

Most-affected countries

US76 victims
GB8 victims
DE6 victims
CA6 victims
JP

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

worldleaks

155 victims indexed · first seen 1 year ago · last activity 8 days ago

155

Victims indexed

#53 of 348 tracked operators

1y 0m

Active period

May 2025 → May 2026

Countries hit

top US · 76

At a glance

Status: active
First seen: 1 year ago
Last activity: 8 days ago
Onion sites: 2 known endpoints
Primary sector: Not Found · 35 hits

About

Based on the limited available data, worldleaks is a recently emerged ransomware group that was first observed in May 2025 and appears to be primarily financially motivated, having claimed 134 victims in a relatively short timeframe since its emergence. The group's origin and organizational structure remain unclear, with no publicly documented information from major cybersecurity firms or law enforcement agencies regarding their country of origin, potential affiliations, or operational model. Their targeting patterns indicate a focus on English-speaking countries, particularly the United States, United Kingdom, and Canada, with additional activity observed in Germany and Japan, while their sector targeting shows a preference for healthcare, technology, manufacturing, and consumer services organizations. Due to the group's recent emergence and limited public documentation by established threat intelligence sources, specific details about their attack methodologies, encryption techniques, extortion tactics, and notable campaigns have not yet been comprehensively analyzed or reported by organizations such as CISA, FBI, or major cybersecurity research firms. The group appears to remain active as of the most recent observations, though comprehensive threat intelligence profiling awaits further analysis and documentation by established cybersecurity authorities.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/worldleaks

Timeline

11 months

2025-05-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 US

🇬🇧 GB

🇩🇪 DE

🇨🇦 CA

🇯🇵 JP

🇧🇷 BR

🇮🇳 IN

🇫🇷 FR

US dossier →GB dossier →DE dossier →CA dossier →

Top sectors

Not Found

Healthcare

Technology

Manufacturing

Consumer Services

Business Services

Education

Hospitality and Tourism

Not Found dossier →Healthcare dossier →Technology dossier →Manufacturing dossier →

MITRE ATT&CK

4 techniques · 3 tactics

Tactics

Initial AccessExecutionImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1204User Execution
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

2 known

http://3jguvp6xhyypdjgxhxweu4zklse66v3awjj2zljpftcjyeoimepnwtyd.onion
http://worldleaksartrjm3c6vasllvgacbi5u3mgzkluehrzhk2jz4taufuid.onion

Source

Updated 8 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.