
🏴‍☠️ WorldLeaks

Threat-actor battle card · maintained from public sources · last updated 2026-06-24 · also known as World Leaks, Hunters International (predecessor brand)

Category: Data-theft extortion
Attribution: Successor brand to Hunters International (active Oct 2023); Russian-speaking financially motivated crew; affiliate-based
First seen: 2025-01
Status: Active
Rank: #24
Recent victims (last ~9d): 2
All-time victims: 169
Primary targets: Manufacturing, Healthcare, Technology, Financial services, Retail, Agriculture

Overview

WorldLeaks (styled World Leaks) launched January 1, 2026 as the successor brand to Hunters International, which itself ran from late 2023 and wound down through 2025 (offering free decryptors to past victims). The defining strategic shift was abandoning encryption entirely for a pure data-theft extortion model — the operators publicly judged file-encrypting ransomware "too risky and no longer profitable." Victims are named on the World Leaks data-leak site and pressured to pay to prevent publication. The group runs an affiliate / extortion-as-a-service model.

Tradecraft

  • No encryption — exfiltration-only. The operation steals data and extorts on the threat of publication; there is no encryptor payload, which lowers operational risk and removes the recovery-via-backup leverage defenders rely on.
  • RustyRocket — a custom Rust-based exfiltration/proxy tool (named by Accenture) for Windows and Linux. Uses heavily obfuscated, multi-layered encrypted tunnels and a pre-encrypted runtime config as an execution guardrail; distributed to affiliates as a maintained platform with multiple operating modes and persistence recipes.
  • Initial access: phishing, valid/compromised credentials, exposed services; RDP brute-forcing with company-specific wordlists (implying pre-attack recon) and exploitation of VPNs lacking MFA. Also linked to exploitation of end-of-life SonicWall SMA 100 appliances with the OVERSTEP rootkit.
  • Post-access tooling: Cobalt Strike beacons injected into PowerShell process memory, SoftPerfect Network Scanner, privacy.sexy to disable security controls, and malware masqueraded as a fake "Microsoft Edge Update" installer.
  • Exfiltration over port 443 spread across ~6,900 unique Cloudflare/residential-grade proxy IPs to blend with legitimate HTTPS traffic.
  • Extortion: personalised WARNING_DATA_LEAK.txt notes addressed to individual employees (separate templates for leadership vs. staff); Tor negotiation portal with chat logs and screen recordings.

Notable victims

  • Tata Electronics (Jun 2026) — 630 GB / 204,341 files claimed, including alleged Apple manufacturing specs, Tesla engineering drawings, and employee passport scans; DLS listing June 10, Tata confirmed the breach June 23. Source: Cybernews.
  • Nike (Jan 2026) — claimed 1.4 TB / 188,347 files (R&D, tech packs, BOMs, supply-chain data); listing later removed, suggesting negotiation/payment. Source: Infosecurity.
  • Dell (Jul 2025) — claimed 1.3 TB; Dell characterised it as a product-demo platform with outdated contact data only. Source: BleepingComputer.
  • Also claimed: Tata Technologies, Hoya, AutoCanada, Austal USA, City of Los Angeles, Legacy Health, Sagent Pharmaceuticals.

Assessment

WorldLeaks is a leading example of the encryption-free extortion model now spreading across the post-RaaS landscape: by dropping the encryptor it cuts operational risk, sidesteps the backup-recovery defence, and reframes the entire incident as a confidentiality (not availability) crisis. Tracking databases put total claimed victims at roughly 142–169 across ~28 countries by mid-2026, US-heavy, with manufacturing and healthcare prominent. The Tata Electronics hit shows the crew will pursue high-value IP (Apple/Tesla supply-chain data) where the reputational and competitive leverage is greatest, not just regulated PII. Because there is no malware-encryption event to trip, defence shifts left to identity and egress: enforce MFA on every VPN/RDP path, hunt for anomalous bulk HTTPS egress to residential proxy ranges, and decommission end-of-life edge appliances (SonicWall SMA 100) that the group is known to exploit.
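The egress hunt described above, as an added example that is not part of the original card or of any vendor's tooling: because the exfiltration is spread across thousands of proxy IPs, the check aggregates per internal source host instead of per destination. The flow tuple layout, the internal range and all thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

MB, GB = 10**6, 10**9
INTERNAL = ip_network("10.0.0.0/8")  # assumption: the monitored internal range

def make_sample_flows():
    """Constructed records, not real telemetry: (src, dst, dst_port, bytes_out, bytes_in)."""
    flows = []
    base = ip_address("198.18.0.1")  # benchmarking range, stands in for proxy exit IPs
    for i in range(300):  # host A: 12 GB out, but only 40 MB to each of 300 addresses
        flows.append(("10.0.5.23", str(base + i), 443, 40 * MB, 50_000))
    for i in range(40):   # host B: ordinary browsing, downloads dominate
        flows.append(("10.0.7.80", f"203.0.113.{i + 1}", 443, 20_000, 2 * MB))
    # host C: large upload to a single destination (e.g. an offsite backup target)
    flows.append(("10.0.9.10", "192.0.2.50", 443, 50 * GB, 1 * MB))
    # internal HTTPS is out of scope for an egress hunt
    flows.append(("10.0.5.23", "10.0.0.5", 443, 8 * GB, 1 * MB))
    return flows

def hunt_spread_egress(flows, min_total=5 * GB, min_dests=100, min_ratio=5.0):
    """Flag sources whose HTTPS uploads are large in aggregate but spread thin."""
    sent = defaultdict(lambda: defaultdict(int))  # src -> dst -> bytes_out
    received = defaultdict(int)                   # src -> bytes_in
    for src, dst, port, b_out, b_in in flows:
        if port != 443 or ip_address(dst) in INTERNAL:
            continue
        sent[src][dst] += b_out
        received[src] += b_in
    hits = []
    for src, per_dst in sent.items():
        total = sum(per_dst.values())
        ratio = total / max(received[src], 1)  # upload-heavy sessions score high
        if total >= min_total and len(per_dst) >= min_dests and ratio >= min_ratio:
            hits.append({"src": src, "bytes_out": total, "dests": len(per_dst),
                         "max_per_dest": max(per_dst.values()),
                         "out_in_ratio": round(ratio, 1)})
    return sorted(hits, key=lambda h: h["bytes_out"], reverse=True)

if __name__ == "__main__":
    for hit in hunt_spread_egress(make_sample_flows()):
        print(hit)
```

Only host A is flagged: no single destination receives more than 40 MB, so a per-destination volume threshold would not fire. Host C's single-destination upload falls outside this rule and needs its own volume check against an allowlist of known backup targets.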


🗂️ Attacks & victims

All disclosed victims attributed to this actor, newest first.

June 2026

Jun 20 · Access Dental · WorldLeaks · Extortion · healthcare · US · 🟥 Claimed (leak-site) · disclosed 5d ago · Sources: ransomware.live DLS
Jun 20 · L'Archevêque & Rivest Ltée · WorldLeaks · Extortion · unknown · Canada · 🟥 Claimed (leak-site) · disclosed 5d ago · Sources: ransomware.live DLS
Jun 20 · Super Finishing · WorldLeaks · Extortion · unknown · Brazil · 🟥 Claimed (leak-site) · disclosed 5d ago · Sources: ransomware.live DLS
Jun 10 · Tata Electronics · WorldLeaks · Extortion · electronics manufacturing (iPhone assembly) · India · 🟩 Corroborated · disclosed 15d ago · 200,000+ files (630+ GB) exfiltrated: Apple iPhone manufacturing records, technical drawings, component specifications, Tesla engineering documents, employee passport scans; attack date est. early June 2026; Tata confirmed breach June 23; operations reported unaffected; Apple investigating; ransom demand confirmed but payment status unknown · Sources: Cybernews · CNBC
Jun 09 · Apollo Pipes · WorldLeaks · Extortion · manufacturing · India · 🟥 Claimed (leak-site) · disclosed 16d ago · Sources: ransomware.live DLS
Jun 09 · GDL Transport · WorldLeaks · Extortion · logistics · Sweden · 🟥 Claimed (leak-site) · disclosed 16d ago · Sources: ransomware.live DLS
Jun 09 · M1xchange · WorldLeaks · Extortion · fintech · India · 🟥 Claimed (leak-site) · disclosed 16d ago · Sources: ransomware.live DLS
