Ransomware victim disclosure

Law Offices of Rakesh Mehrotra

listed as Immigration Online · Claimed by TRIPLE X · listed 3 days ago

Data size: 1.5 TB
Records: 24900 passport files
Age: 2d since listed · listed for ransom

Status timeline

  1. Listed: Jun 11, 2026

Current state: Listed for ransom

At a glance

Status: Listed for ransom
Listed on leak site: Jun 11, 2026
Data size: 1.5 TB
Records: 24900 passport files

About the victim

AI dossier — public-source company profile

Law Offices of Rakesh Mehrotra is a specialized immigration law firm based in the United States (phone: 703-230-6800, Virginia area code) with over 30 years of practice. The firm represents small to large corporations and individuals in immigration, visa, and green card matters across multiple industries including IT, banking, and healthcare.

Industry: Legal Services / Immigration Law
Founded: 1994

Attack summary

Severity: critical. Confirmed exfiltration of large-scale personally identifiable information (1.5 TB) including Social Security numbers, passport data, financial records, and attorney-client privileged communications. Immigration law firm clients are an inherently sensitive population (visa applicants, corporate immigration matters). Scale and data sensitivity meet the critical threshold.

TRIPLE X claims to have exfiltrated 1.5 TB of data from the firm due to server vulnerabilities and lack of security updates. The group alleges encryption of systems and threatens to publish sensitive client information including court documents, financial records, and personal data.

Data the group says was taken

AI dossier — extracted from the leak post
  • passport files (24,900 stated)
  • tax forms
  • ID cards and driver's licenses
  • Social Security numbers
  • home addresses and contact information
  • banking and financial account details
  • client confidential correspondence and emails
  • court case details and legal documents
  • intellectual property documents
  • employee and colleague tax records

What the group claims

1.5 terabytes of data from an immigration law firm exposed due to server overload and lack of updates. Contains sensitive personal information including full names, home addresses, Social Security numbers, banking details, and contact information. Includes confidential court cases, financial and banking information, intellectual property documents, and private correspondence.

The leak post

captured from the group's site
https://immigrationonline.com/

1.5 terabytes of people's data in a immigrationonline law firm. Server overload and lack of updates have caused important data to be exposed to potential leaks. At the same time, many of these financial and tax documents also contain sensitive personal information, including full names, home addresses, Social Security numbers, banking details, and contact information.

what will leak ?

  • Confidential court cases : Details of lawsuits, complaints, or defenses that have not yet been filed in court.
  • Financial and banking information : Sensitive client accounts, contracts, or transactions.
  • Intellectual property documents : Such as patents, designs, or business contracts that have not yet been made public.
  • Private correspondence and emails : Communications between the attorney and the client that should remain strictly confidential.

what data will leak ?

  • 24,900 passport files
  • Tax forms of employees and colleagues
  • ID cards and driver’s licenses

few sample pics:

This is probably the right moment to point out that, at a certain stage, virtually any data breach is still a reversible situation. Companies are usually given an opportunity to contain the damage and r…

Data the group says was taken

  • passport files
  • tax forms
  • ID cards
  • driver's licenses
  • court case documents
  • financial and banking information
  • intellectual property documents
  • private correspondence and emails
  • Social Security numbers
  • home addresses
  • contact information

Sources

Indexed 3 days ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Disclosure context

About TRIPLE X

TRIPLE X is a ransomware group first observed in May 2026 with an apparently financially motivated operational focus, though its limited activity to date makes comprehensive characterization difficult. Based on available data, the group has claimed or confirmed at least one victim, with targeting concentrated in Indonesia and within the financial sector, suggesting either a regionally focused threat actor or an early-stage operation still establishing its scope. No detailed technical analysis of TRIPLE X has been publicly documented by CISA, the FBI, Mandiant, or other major threat intelligence providers at this time, meaning its initial access vectors, encryption methodology, extortion tactics, and tooling remain unattributed or unconfirmed in open sources. No notable high-profile campaigns, record ransom demands, or law enforcement actions involving this group have been publicly reported. Given its very recent emergence and single known victim, TRIPLE X should be considered an emerging or nascent threat actor whose operational patterns, affiliations, and capabilities warrant continued monitoring but cannot be fully assessed with the intelligence currently available in the public domain. The group has been linked to 4 public disclosures across our corpus. First observed on a leak site on May 27, 2026; most recent post June 13, 2026. The operation is currently active.

Timeline of this disclosure

  • June 11, 2026: Immigration Online listed by TRIPLE X on the group's public leak site
    Data size: 1.5 TB
    Records: 24900 passport files

Other recent disclosures by TRIPLE X

TRIPLE X has been linked to 4 public victims on Darkfield.

Sector and geography

This disclosure adds to ransomware activity in the Legal / Immigration Law sector.

If your organisation is affected

A listing by TRIPLE X means Immigration Online appeared on a ransomware extortion site and is being pressured to pay before any publication. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

  • Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
  • Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
  • Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
  • Monitor for the data appearing on TRIPLE X's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.