Xinglocker is a relatively minor ransomware group that emerged in April 2021, operating with apparent financial motivations and targeting a limited number of victims across multiple countries. Based on publicly available information, the group's origin and affiliations remain largely undocumented by major threat intelligence organizations, with no confirmed details about their country of operation, RaaS model usage, or connections to other cybercriminal entities. The group's attack methodology and technical capabilities are not well-documented in public reporting from CISA, FBI, or established security researchers, though their targeting appears focused on critical infrastructure sectors. Xinglocker has reportedly compromised 21 known victims, with particular focus on healthcare and transportation sectors primarily in the United States, Germany, and Norway, though specific high-profile incidents or notable campaigns have not been extensively documented in public threat intelligence reporting. Current intelligence suggests limited recent activity, though the group's operational status remains unclear due to sparse public documentation from authoritative sources.

The group has been linked to 21 public disclosures across our corpus. First observed on a leak site on April 29, 2021; most recent post October 26, 2021. The operation is currently inactive.
How we know this

Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data, only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.