Skip to main content
Darkfield

Ransomware victim disclosure

All victims

Law Offices of Rakesh Mehrotra

listed as Law Offices US immigrationonline.com · Claimed by Triple X · listed 6 hours ago

Today
Age
since listed · data leaked

Status timeline

  1. ListedJun 13, 2026
  2. Data leakeddate unknown

At a glance

Group
Triple X
Status
Data leaked
Country
United States
Sector
Business Services
Listed on leak site
Jun 13, 2026

About the victim

AI dossier — public-source company profile

Law Offices of Rakesh Mehrotra is a US-based immigration law firm specializing in visa petitions, green card processing, and nationality law. Operating for over 30 years, the firm represents small to large corporations and individuals across diverse industries including technology, finance, and healthcare throughout the United States and internationally.

Industry
Immigration Law Services
Founded
1993

Attack summary

Severity: critical — Confirmed exfiltration of massive scale (1.5 TB) of highly regulated sensitive data: passports, SSNs, banking details, and attorney-client privileged communications. Data involves both clients and employees across multiple jurisdictions. Public sample proof provided.

Triple X claims to have exfiltrated approximately 1.5 terabytes of client data from the firm's servers, citing server overload and lack of security updates. The group alleges exposure of confidential court documents, financial records, client communications, and personal identification documents including passports, tax forms, and driver's licenses belonging to clients and employees.

critical

Data the group says was taken

AI dossier — extracted from the leak post
  • Passport files (24,900 claimed)
  • Tax forms
  • ID cards and driver's licenses
  • Banking and financial account details
  • Social Security numbers
  • Full names and home addresses
  • Contact information
  • Confidential court cases and legal filings
  • Client contracts and intellectual property
  • Attorney-client correspondence and emails

The group's post references roughly 5 proof files.

What the group claims

https://immigrationonline.com/ 1.5 terabytes of people's data in a immigrationonline law firm. Server overload and lack of updates have caused important data to be exposed to potential leaks. At the same time, many of these financial and tax documents also contain sensitive personal information, including full names, home addresses, Social Security numbers, banking details, and contact information. what will leak ? Confidential court cases : Details of lawsuits, complaints, or defenses that have not yet been filed in court. Financial and banking information : Sensitive client accounts, contracts, or transactions. Intellectual property documents : Such as patents, designs, or business contracts that have not yet been made public. Private correspondence and emails : Communications between the attorney and the client that should remain strictly confidential. what data will leak ? 24,900 passport files sample Tax forms of employees and colleagues sample ID cards and driver’s licenses sample few sample pics: pic 1 pic 2 pic 3 pic 4 pic 5 This is probably the right moment to point out that, at a certain stage, virtually any data breach is still a reversible situation. Companies are usually given an opportunity to contain the damage and resolve the issue albeit at a price. But despite knowing exactly what was happening, and fully understanding that it was putting the security and privacy of its own employees at risk, the company made a calculated decision to let it happen. And now the company will tell its employees: “Sorry, we’ve experienced a data breach, and your passports are now publicly available online.” But they will never say: “We were offered a chance to pay to prevent your passports from being published, but we decided it wasn’t worth it so now they’re on the internet. Sorry.” download data link : http://6qqz6m3b6htudohg2mlf5gdcalonxy3sh5g4dix4mpyirjcgelqqufad.onion/immigrationonline.com/

Sources

Source

Indexed 6 hours ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About TRIPLE X

TRIPLE X is a ransomware group first observed in May 2026 with an apparently financially motivated operational focus, though its limited activity to date makes comprehensive characterization difficult. Based on available data, the group has claimed or confirmed at least one victim, with targeting concentrated in Indonesia and within the financial sector, suggesting either a regionally focused threat actor or an early-stage operation still establishing its scope. No detailed technical analysis of TRIPLE X has been publicly documented by CISA, the FBI, Mandiant, or other major threat intelligence providers at this time, meaning its initial access vectors, encryption methodology, extortion tactics, and tooling remain unattributed or unconfirmed in open sources. No notable high-profile campaigns, record ransom demands, or law enforcement actions involving this group have been publicly reported. Given its very recent emergence and single known victim, TRIPLE X should be considered an emerging or nascent threat actor whose operational patterns, affiliations, and capabilities warrant continued monitoring but cannot be fully assessed with the intelligence currently available in the public domain. The group has been linked to 4 public disclosures across our corpus. First observed on a leak site on May 27, 2026; most recent post June 13, 2026. The operation is currently active.

Timeline of this disclosure

  • June 13, 2026Law Offices US immigrationonline.com listed by TRIPLE Xon the group's public leak site

Other recent disclosures by TRIPLE X

TRIPLE X has been linked to 4 public victims on Darkfield. A sample of the most recent:

See the full TRIPLE X dossier →

Sector and geography

This disclosure adds to ransomware activity in the Business Services sector, which has 2,643 disclosures indexed across all operators we track. Geographically, Law Offices US immigrationonline.com is reported in United States, a country with 2,714 ransomware disclosures in our corpus.

If your organisation is affected

A listing by TRIPLE X means Law Offices US immigrationonline.com appeared on a ransomware extortion site and data attributed to it has been published. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

  • Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
  • Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
  • Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
  • Monitor for the data appearing on TRIPLE X's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.