WorldLeaks is a cybercriminal extortion group that emerged in early 2025 as a direct rebrand of the Hunters International ransomware operation. Unlike its predecessor, which combined ransomware encryption with data theft (double extortion), WorldLeaks has shifted its focus exclusively to data theft and extortion, abandoning the use of file-encrypting ransomware.
Background and Evolution
• Origins: Hunters International was a prominent Ransomware-as-a-Service (RaaS) group active since late 2023, known for high-profile attacks and suspected links to the earlier Hive ransomware group.
• Rebranding: In November 2024, Hunters International announced its closure, citing increased law enforcement pressure and declining profitability. However, by January 2025, the group resurfaced as WorldLeaks, pivoting to an extortion-only model.
• Motivation: The change was driven by the growing risks and reduced rewards of traditional ransomware, prompting a move to pure data theft and blackmail.
Operations and Tactics
• Extortion-as-a-Service: WorldLeaks provides affiliates with a custom exfiltration tool designed to automate data theft from victim networks. This tool is an improved version of the software previously used by Hunters International, now central to the group’s operations.
• Platforms: WorldLeaks operates four main platforms:
  • A public data leak site showcasing stolen data (“trophy wall”)
  • A negotiation site for ransom payments
  • An “Insider” platform for journalists, offering early access to breach information
  • An affiliate panel for collaborating threat actors
• Victim Targeting: The group has targeted organizations across Europe, including Romania, France, and Belgium, with victims spanning manufacturing, hospitality, and services sectors. In several cases, massive data leaks (hundreds of gigabytes) have been made publicly available.
• Collaboration: WorldLeaks has been linked to the Secp0 ransomware group, indicating possible partnerships with other cybercriminal actors.