RansomwareEDP  /  Threat Actor Library
Developed by Reno  •  Analytical profiles compiled from open-source intelligence
Threat Actor Profile — Last updated May 2026
DragonForce
Ransomware Cartel  •  Double Extortion  •  White-Label RaaS
High Threat  •  Fully Operational  •  RaaS Cartel Model
First Observed
Late 2023
First victims Dec 2023
Claimed Victims LIVE
363+
DLS listings via ransomware.live
Countries Targeted LIVE
30+
Via ransomware.live
UK Retail Impact
£440M
M&S + Co-op, Apr 2025
Affiliate Split
80/20
80% affiliate, 20% core
LE Actions
4 Arrests
NCA, July 2025
01

Executive Summary and Group Overview

DragonForce is a profit-motivated ransomware operation that emerged in late 2023 and rapidly evolved from a standard Ransomware-as-a-Service program into what it publicly styles as a "ransomware cartel." As of mid-2026 it remains fully operational, with over 363 claimed victims across retail, logistics, technology, industrial, and government sectors. Its defining feature is a white-label affiliate model: partners can operate entirely independent brands and extortion portals on DragonForce's backend infrastructure, enabling operational resilience against law enforcement disruption of any single brand.

The group attracted global attention in April-May 2025 when affiliates, operating in conjunction with social-engineering actors assessed as linked to the Scattered Spider cluster (UNC3944), breached three major UK retailers. The UK Cyber Monitoring Centre classified the Marks & Spencer and Co-op attacks as a single combined cyber event with an assessed impact of £270 million to £440 million ($363M to $592M). The UK National Crime Agency arrested four individuals in July 2025 in connection with these incidents; reporting links them to Scattered Spider rather than to DragonForce's core operators, against whom no charges have been filed.

Attribute | Detail
Common name | DragonForce; DragonForce Ransomware Cartel (DFRC)
Aliases | DragonForce Ransomware, DFRC; distinct from DragonForce Malaysia (hacktivist collective)
Vendor tracking designations | Water Tambanakua (Trend Micro); tracked by name only: Group-IB, Fortinet, WatchGuard, Sophos, Barracuda, Broadcom/Symantec, SentinelOne, Blackpoint Cyber, Intel 471, Darktrace; CrowdStrike, Secureworks, Microsoft, Mandiant, Unit 42: no separate named cluster designation confirmed in open sources as of May 2026
Operational model | RaaS (2023 to early 2025); white-label cartel model (March 2025 onward)
Extortion mechanic | Double extortion (encryption + data publication threat)
Revenue split | 80% affiliate / 20% core operator
Assessed jurisdiction | Unknown; possible CIS nexus (CREDIBLE LOW; see Section 08)
Code lineage | LockBit 3.0 and Conti v3 builders (opportunistic reuse; no personnel continuity implied)
LE disruption status | 4 arrests (NCA, July 2025); no infrastructure seizure; no OFAC sanctions as of May 2026
Decryptor availability | No public universal decryptor available
Data Leak Site & Branding
02

Lineage and Organizational Heritage

Emergence Timeline

DragonForce Ransomware first appeared publicly in late 2023, with the Ohio Lottery (December 2023) and Yakult Australia among its earliest documented victims. A dedicated leak site ("DragonLeaks") and formal RaaS affiliate program followed in early 2024. By June 2024 the group was actively recruiting affiliates via the RAMP underground forum. In March 2025 the operators publicly announced a shift to a "cartel" model. The operation has been continuously active since its emergence.

Code Lineage: LockBit 3.0 and Conti
Confirmed

Multiple independent technical analyses confirm that DragonForce's ransomware payloads draw on leaked builder code from LockBit 3.0 and Conti v3. Early samples were closely copied from the LockBit 3.0/Black builder family; later samples shifted toward a Conti v3 derived code base. Crypto stacks are generally AES + RSA, with some ChaCha8 variants documented for speed. This reflects opportunistic reuse of publicly available leaked builders and does not imply organizational continuity with LockBit or Conti leadership. A practical consequence for detection engineering is that generic LockBit 3.0 and Conti signatures (ransom note structure, encryption routines) will often fire on DragonForce samples, so family attribution should not rest on those signatures alone. Confidence in code overlap: CONFIRMED (Group-IB, Trend Micro, Loginsoft, Barracuda, SOCRadar, and Resecurity independently report this).

The practical implication for attribution: the vendor designations Wizard Spider (CrowdStrike) and Gold Ulrick (Secureworks) describe the parent Conti organization. Neither designation applies to DragonForce. DragonForce is not a Conti successor in the personnel-continuity sense; it is a separate operation that weaponized leaked Conti tooling. Trend Micro's designation Water Tambanakua is specific to DragonForce.

DragonForce Malaysia Origin Hypothesis
Credible Low
Supporting Evidence
Shared Name and Timing Overlap
Both groups use the "DragonForce" name. DragonForce Malaysia (DFM) publicly discussed building ransomware in 2023. Some researchers note possible Malaysia-region infrastructure links and ideological target overlap in early DragonForce Ransomware activity.
Counter-Evidence
Explicit Denial and Distinct Infrastructure
DFM officially denied on its Telegram channel any connection to, or responsibility for, the ransomware group. DragonForce Ransomware's infrastructure, TTPs, and target selection differ materially from DFM's hacktivist model. No payment infrastructure, credential access, or data exfiltration has been linked to DFM operations.
Assessment: The Malaysia origin hypothesis is contested. The available evidence rests on naming overlap and timing coincidence rather than technical attribution. SentinelOne notes no verified Malaysian victims and no Malaysia-specific carve-out in the affiliate rules (Malaysia is not a protected territory the way CIS states are), so the targeting data neither supports nor refutes the link. Confidence: CREDIBLE LOW. Analysts should track both the hypothesis and the denial without treating either as settled.
Cartel Evolution: Three Operational Phases
1
Standard RaaS (Late 2023 to Early 2024)
Core operator team develops and maintains infrastructure; affiliates conduct intrusions under the DragonForce brand. Single leak site. Centralized management.
2
Formal RaaS Program (Early 2024 to February 2025)
Formal affiliate advertising on RAMP and underground forums. 80/20 revenue split publicly advertised. Victim count grows from 82 (Aug 2023 to Aug 2024, Group-IB) to 93 by end of 2024 and 136 by March 2025 (Sophos DLS count).
3
Cartel / White-Label Model (March 2025 Onward)
March 19, 2025: DragonForce publicly announces cartel structure. Affiliates can operate fully independent brands ("RansomBay" documented as first known sub-brand). Backend infrastructure, tooling, file hosting, and DLS platform shared. Within 24 hours of announcement, DragonForce defaced BlackLock and Mamona competitor sites. April 2025: DragonForce claims RansomHub after its infrastructure goes dark April 1. Sub-brand portals created for displaced RansomHub affiliates.
03

Operational Model

Cartel Structure and White-Label Services

DragonForce operates as a criminal service platform rather than a single operational unit. The core team provides infrastructure, while affiliated operators and sub-brands conduct intrusions. This model is designed explicitly to decouple the tooling from any individual brand, reducing law enforcement leverage against the central operation.

Services provided to cartel members include: administration and client management panels; encryption payload builders with configurable parameters; ransom note generators; negotiation tooling and victim communication portals; file storage and hosting for exfiltrated data; Tor-based DLS infrastructure with custom .onion domains; and dedicated technical support and negotiation assistance for affiliates.

Affiliate Recruitment and Revenue Structure
  • Revenue split: 80% to affiliates, 20% retained by core operators. Publicly advertised on underground forums including RAMP.
  • Recruitment channels: RAMP (Russian-language dark web forum), Telegram-adjacent channels, and direct outreach to displaced affiliates from disrupted groups (e.g., RansomHub, BlackLock).
  • Entry requirements: Prior intrusion experience and ability to obtain initial access. Targeting rules include a stated prohibition on attacks within Russia and other former Soviet Union states (CIS) and a self-reported avoidance of healthcare organizations. Enforcement of these rules across all affiliates is not independently verified.
  • White-label option: Partners may operate entirely under a different brand name with separate DLS portals on DragonForce infrastructure. The "RansomBay" sub-brand is the first documented example, incorporating elements of the DragonForce logo while operating under a distinct identity.
Negotiation Behavior and Extortion Tactics

DragonForce employs double extortion as its core pressure mechanism: data is exfiltrated prior to encryption, creating two independent leverage points. Payment deadlines are enforced with countdown timers on the DLS. Ransom demands for large enterprises have been reported in the multi-million dollar range, with negotiation reductions of 30-60% reported across multiple incidents.

In high-profile campaigns, the group has escalated beyond victim communications to direct outreach to executives (M&S CEO) and media engagement (BBC). Data auction threats and harassment of victim customers or partners have also been documented. Victim communication takes place through Tor-accessible chat portals linked via unique IDs in ransom notes.

For victims with functional backups, DragonForce's primary remaining leverage is the data publication threat. The group advertises that paying the ransom prevents onward sale or publication of exfiltrated data, though no mechanism enforces this commitment.

04

Technical Capabilities

Initial Access Vectors

DragonForce and its affiliates use a range of initial access methods. Phishing with malicious attachments or links is a documented baseline approach. Exploitation of public-facing vulnerabilities has been reported across multiple incidents; confidence is assessed per CVE below:

CVE | Product | Type | Confidence
CVE-2021-44228 | Apache Log4j (Log4Shell) | Remote Code Execution | Confirmed
CVE-2023-46805 | Ivanti Connect Secure | Authentication Bypass | Confirmed
CVE-2024-21887 | Ivanti Connect Secure | Command Injection | Credible
CVE-2024-21893 | Ivanti Connect Secure | Server-Side Request Forgery (SSRF) | Credible
CVE-2024-21412 | Microsoft Windows SmartScreen | Security Feature Bypass | Credible

All five have vendor patches; continued exploitation reflects unpatched or unmonitored edge devices rather than novel capability. The two 2024 Ivanti Connect Secure flaws are commonly chained (authentication bypass followed by command injection) for unauthenticated code execution on the appliance, so exposure of either should be treated as exposure of both.

Affiliates also leverage stolen or cracked credentials and valid account access. In the UK retail incidents, initial access was obtained via social engineering against IT helpdesk services (voice phishing/vishing targeting service desk contractors), consistent with Scattered Spider/UNC3944 TTPs rather than DragonForce-specific tooling.

Post-Exploitation and Lateral Movement
  • Backdoor and C2: SystemBC for persistent backdoor access; SimpleHelp RMM software exploited for remote control; Cobalt Strike-compatible beacons for C2 communications.
  • Credential access: Mimikatz for credential harvesting; NTDS.dit (Active Directory database) theft to enable quiet authenticated lateral movement at scale.
  • Defense evasion: Bring-Your-Own-Vulnerable-Driver (BYOVD) techniques to disable EDR and security tooling; XDR/EDR bypass capabilities advertised in RaaS recruitment materials.
  • Deployment: Domain controllers and scripts used for mass deployment of encryptors across networks; administrator account creation for persistence.
  • Exfiltration: Data exfiltration precedes encryption; exfiltrated material stored on DragonForce-controlled file hosting infrastructure.
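The behaviours in the list above (NTDS.dit theft, BYOVD driver loading, mass deployment from domain controllers) and the shadow-copy deletion noted under Encryption Implementation are all visible in process-creation telemetry before encryption starts. The following Go program is an added example written for this profile, not DragonForce tooling or any vendor's rule set: it runs three command-line detections over constructed Sysmon-style events (hypothetical hosts, users and a hypothetical driver file name) and raises severity for hits on a domain controller. The ntdsutil IFM pattern is one common NTDS.dit extraction method and is this example's assumption; the profile does not name the tool.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcEvent is a minimal process-creation record (the fields a Sysmon event
// ID 1 or Windows 4688 event carries). Field names are this example's own.
type ProcEvent struct {
	Host, User, Image, CmdLine string
}

// Rule pairs a detection name and ATT&CK technique with a command-line pattern.
type Rule struct {
	Name, Technique string
	Pattern         *regexp.Regexp
}

// Rules cover three behaviours from the profile: shadow-copy deletion ahead of
// encryption, NTDS.dit extraction (ntdsutil IFM is one common method and is
// this example's assumption; the profile does not name the tool), and a
// kernel driver service registered from a user-writable path, the usual shape
// of a BYOVD load.
var Rules = []Rule{
	{"shadow-copy-deletion", "T1490",
		regexp.MustCompile(`(?i)(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)`)},
	{"ntds-dump-ntdsutil-ifm", "T1003.003",
		regexp.MustCompile(`(?i)ntdsutil.*\bifm\b.*\bcreate\b`)},
	{"kernel-driver-from-user-path", "T1562.001",
		regexp.MustCompile(`(?i)\bsc(\.exe)?\s+create\b.*type=\s*kernel\b.*binPath=\s*"?C:\\Users\\`)},
}

// Alert is one rule hit. Severity is raised on domain controllers because the
// profile notes DCs are used to push encryptors to the rest of the network.
type Alert struct {
	Rule, Technique, Host, User, Severity string
}

// Scan applies every rule to every event and returns hits in event order.
func Scan(events []ProcEvent, rules []Rule) []Alert {
	var out []Alert
	for _, ev := range events {
		for _, r := range rules {
			if !r.Pattern.MatchString(ev.CmdLine) {
				continue
			}
			sev := "high"
			if strings.HasPrefix(strings.ToUpper(ev.Host), "DC") {
				sev = "critical"
			}
			out = append(out, Alert{r.Name, r.Technique, ev.Host, ev.User, sev})
		}
	}
	return out
}

// SampleEvents are constructed for this example (hypothetical hosts, users and
// driver file name); none is real telemetry.
var SampleEvents = []ProcEvent{
	{"DC01", `CORP\svc_backup`, `C:\Windows\System32\vssadmin.exe`,
		`vssadmin.exe delete shadows /all /quiet`},
	{"DC01", `CORP\svc_backup`, `C:\Windows\System32\ntdsutil.exe`,
		`ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\ifm" q q`},
	{"WS17", `CORP\jdoe`, `C:\Windows\System32\sc.exe`,
		`sc create drvsvc type= kernel binPath= "C:\Users\jdoe\AppData\Local\Temp\vulndrv.sys"`},
	{"WS17", `CORP\jdoe`, `C:\Windows\System32\notepad.exe`,
		`notepad.exe C:\Users\jdoe\notes.txt`},
	{"FS02", `CORP\admin`, `C:\Windows\System32\wbem\WMIC.exe`,
		`wmic shadowcopy delete`},
}

func main() {
	for _, a := range Scan(SampleEvents, Rules) {
		fmt.Printf("[%s] %s (%s) host=%s user=%s\n", a.Severity, a.Rule, a.Technique, a.Host, a.User)
	}
}
```

Run against the constructed events the program yields four alerts (two critical on DC01, two high on member hosts) and ignores the benign notepad launch. In production the same patterns belong in the SIEM or EDR rule language rather than a standalone binary; the point of the example is that the pre-encryption steps this actor relies on are all loud in command-line telemetry, so the detection gap is usually coverage (no agent on the host that matters) rather than signature.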
Encryption Implementation

DragonForce implements hybrid encryption: AES symmetric encryption per file with asymmetric RSA key wrapping as the primary scheme; ChaCha8 variants have been observed in some samples for increased throughput speed. Multi-threaded encryption is supported to maximize speed on target systems. Volume shadow copies are deleted to impede recovery. File extensions are modified post-encryption.

No public decryptor is available. As of May 2026, no universal decryptor for DragonForce has been released on No More Ransom or via any vendor publication. Victims without viable backups or a purchased key are effectively locked out. Multiple analysts describe the implementation as adequately secure in practice; reuse of leaked code does not weaken it, because the leaked builders' cryptography was itself sound, and the continued absence of a decryptor indicates that no exploitable implementation flaw (weak key generation, nonce reuse, keys recoverable from memory) has been found and published. Recovery planning should therefore assume encrypted data is unrecoverable without the operator's private key.
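To make concrete why no universal decryptor can exist for a correctly implemented hybrid scheme of the kind described above, the following Go program is an added example; it is not DragonForce code and does not reproduce its on-disk format, which this page does not document. Each file gets a fresh AES-256-GCM key, the key is wrapped with RSA-OAEP to the operator's public key, and recovery is attempted with the operator's private key and with an unrelated key. The blob layout, key sizes and the sample document are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Blob layout chosen for this example (DragonForce's real format is undocumented here):
// [2-byte wrapped-key length][RSA-OAEP wrapped AES key][12-byte nonce][AES-GCM ciphertext]
const (
	fileKeyLen = 32 // AES-256
	nonceLen   = 12 // standard GCM nonce size
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFile encrypts one file under a fresh per-file key and wraps that key to
// the operator's RSA public key. Only the public key is needed, which is why a
// locker binary never carries the material needed to decrypt.
func SealFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	buf := make([]byte, fileKeyLen+nonceLen)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fileKey, nonce := buf[:fileKeyLen], buf[fileKeyLen:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	out := []byte{byte(len(wrapped) >> 8), byte(len(wrapped))}
	out = append(out, wrapped...)
	out = append(out, nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// OpenFile reverses SealFile. It needs the RSA private key, which in a real
// incident exists only on operator infrastructure.
func OpenFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, fmt.Errorf("blob too short")
	}
	wl := int(blob[0])<<8 | int(blob[1])
	if len(blob) < 2+wl+nonceLen {
		return nil, fmt.Errorf("blob truncated")
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, blob[2:2+wl], nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce, ct := blob[2+wl:2+wl+nonceLen], blob[2+wl+nonceLen:]
	return gcm.Open(nil, nonce, ct, nil)
}

// Demo seals a constructed document and reports whether it can be recovered
// with the operator's private key and with an unrelated key.
func Demo() (withOperatorKey, withWrongKey bool, err error) {
	operatorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	wrongKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	doc := []byte("constructed sample document, not real victim data")
	blob, err := SealFile(&operatorKey.PublicKey, doc)
	if err != nil {
		return false, false, err
	}
	got, err := OpenFile(operatorKey, blob)
	withOperatorKey = err == nil && string(got) == string(doc)
	_, err = OpenFile(wrongKey, blob)
	withWrongKey = err == nil
	return withOperatorKey, withWrongKey, nil
}

func main() {
	ok, wrong, err := Demo()
	fmt.Println("operator key recovers:", ok, "| unrelated key recovers:", wrong, "| err:", err)
}
```

The takeaway for responders is that the locker embeds only the public key, so recovery without the operator's private key requires an implementation flaw (bad RNG, nonce reuse, a file key left in memory), none of which has been published for DragonForce, consistent with the absence of a public decryptor. Because keys are generated per file, a key carved from memory during an interrupted run helps only the file it was used for.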
Platform Coverage and Variants

DragonForce targets Windows environments as its baseline. Cross-platform variants, building on the LockBit and Conti leaked code, extend coverage to Linux, VMware ESXi (confirmed in the M&S attack, where virtual machines were encrypted), BSD platforms, and some NAS devices. The ESXi variant was deployed in the April 2025 UK retail campaign to encrypt virtual machines supporting e-commerce and payment processing at scale; hypervisor hosts, which typically run no EDR agent, should be treated as a primary target in this actor's playbook.

CIS Exclusion Behavior
Credible

DragonForce's affiliate rules, as reported by The Register and Barracuda, explicitly prohibit attacks on Russia and other former Soviet Union (CIS) states. Whether this constraint is also enforced in the binary (a keyboard-layout or system-locale check at run time, common in CIS-origin lockers) or only through affiliate rules is not settled: public binary analyses do not consistently document such a check, while the affiliate-rule prohibition is separately confirmed. Defenders should therefore not rely on installing a Russian keyboard layout as a mitigation. The combination of RAMP advertising (a Russian-language forum), the CIS exclusion rule, and tooling common in Russian-speaking criminal ecosystems together form a credible but unconfirmed CIS nexus indicator. Confidence: the exclusion rule itself is CREDIBLE; the nexus inference drawn from it is CREDIBLE LOW (see Section 08).

05

Financial Infrastructure

Payment Model

DragonForce demands ransoms in Bitcoin as the primary payment channel. Scattered references to privacy coin support exist in open sources but are not consistently documented. Bitcoin's traceability makes on-chain forensics possible in principle; however, as noted below, no major blockchain analytics firm has published a detailed DragonForce-specific analysis.

Affiliate Share
80%
Of each ransom payment
Core Operator Share
20%
Retained by DragonForce core
UK Retail Impact
£270-440M
M&S + Co-op, single event classification
OFAC Sanctions
None
As of May 2026
On-Chain Analysis and Laundering
Analyst Inference

TRM Labs, Chainalysis, and Elliptic have not published dedicated DragonForce blockchain forensics in open sources as of May 2026. This is a material intelligence gap. In the absence of published on-chain analysis, generic RaaS laundering patterns are the relevant reference: multi-stage wallet hopping, use of mixing or coin-swap services, and eventual cash-out through less regulated exchanges. These patterns are inferred from the broader RaaS ecosystem; they are not specifically documented for DragonForce.

The high-profile nature of the UK retail attacks (£270M-£440M classified as a single combined event) increases the probability that on-chain analysis is ongoing at law enforcement level and may not be publicly disclosed until indictments or forfeiture proceedings materialize.

Sanctions and Regulatory Status

As of May 2026, no OFAC designations, UK OFSI sanctions, or EU asset freeze designations have been publicly announced targeting DragonForce, its core operators, or named wallet addresses. The July 2025 NCA arrests have not yet resulted in publicly disclosed forfeiture orders. Any organization considering ransom payment should treat DragonForce as high-risk from a sanctions-compliance standpoint notwithstanding the absence of a formal designation, given the UK arrests and the ongoing NCA investigation. Under the cartel model the affiliate or sub-brand behind a given intrusion may be separately designated even where the DragonForce brand is not, so wallet-level screening of any payment address is the minimum diligence step.

06

Victim Profile and Targeting

Victim Count Growth Curve
Period | Claimed victims | Source
Aug 2023 to Aug 2024 | 82 | Group-IB (CONFIRMED)
March 2025 | 136 | Sophos DLS count (CONFIRMED)
Mid-2025 | 170+ | Bridewell estimate (CREDIBLE)
Late 2025 | 363+ | GBHackers DLS count (CREDIBLE)
Note: DLS victim counts represent only victims publicly listed. In the cartel model, affiliates operating under sub-brands may publish to separate portals; the true total victim count across all DragonForce infrastructure is likely higher than DLS figures indicate.
Sector and Geography Breakdown
Sector | Notable Victims | Confidence
Retail | Marks & Spencer (UK), Co-op Group (UK), Harrods (UK) | CONFIRMED
Lottery / Government-adjacent | Ohio Lottery (USA); Palau government | CONFIRMED
Food and beverage | Yakult Australia | CONFIRMED
Industrial / OT | 15+ industrial targets in Q1 2025 per Dragos | CREDIBLE
Logistics / Shipping | Unnamed; documented in Group-IB and Bridewell reporting | CREDIBLE
Technology / MSP | MSP compromised via SimpleHelp RMM exploitation | CONFIRMED
Luxury retail | Belk (USA), claimed on DLS | CREDIBLE

Geographic distribution: early victims were spread across the Asia-Pacific region (Yakult Australia, Palau), the Middle East, and the United States (Ohio Lottery); some analysts read the early Asia-Pacific presence as consistent with the DFM overlap hypothesis, which remains CREDIBLE LOW. Subsequent activity expanded into the United Kingdom, Continental Europe, and North America. The UK retail campaign (April-May 2025) and confirmed US targeting indicate active geographic expansion, and Dragos and Mandiant both note threat actor interest in applying the UK retail campaign model to US retail targets.

Targeting Criteria and Stated Exclusions

DragonForce publicly claims avoidance of healthcare targets. The group's BleepingComputer statement: "We don't attack cancer patients or anything heart related, we'd rather send them money and help them." This is a self-reported constraint and remains unverified across all affiliate activity. Analysts should treat healthcare avoidance as a soft, non-verified constraint that may not hold under the cartel/white-label model where affiliate enforcement is decentralized.

Affiliate rules prohibit attacks on Russia and former Soviet Union states (CIS). No prohibition on attacks against Malaysian entities has been identified (SentinelOne, Barracuda). Organizations in the retail, logistics, technology, and industrial sectors in the UK, US, and Australia should treat DragonForce as an active threat as of May 2026.

UK Retail Campaign: High-Profile Case Study

The April-May 2025 UK retail campaign is DragonForce's most consequential documented operation to date. Marks & Spencer's network was penetrated as early as February 2025; encryptors targeting VMware ESXi hosts were deployed in April 2025. Co-op confirmed exposure of over 10,000 members' personal data. Harrods restricted internet access after a claimed breach. The combined M&S and Co-op incidents were classified by the Cyber Monitoring Centre as a single combined cyber event with financial impact of £270M to £440M.

M&S confirmed to a UK Parliamentary committee on July 8, 2025 that the attack was DragonForce ransomware, deployed by actors "loosely aligned" with Scattered Spider. Initial access was obtained via social engineering against TCS (Tata Consultancy Services), the contractor running M&S's IT helpdesk. The Scattered Spider/DragonForce combination reflects the cartel's value proposition: access specialists (Scattered Spider) can partner with DragonForce infrastructure for payload delivery and extortion management.

07

Law Enforcement and Regulatory Response

NCA Arrests: July 10, 2025
Confirmed

The UK National Crime Agency (NCA) announced on July 10, 2025 the arrest of four individuals in connection with the cyberattacks on Marks & Spencer, Co-op, and Harrods. The arrests were made in West Midlands and London. Suspects were arrested on suspicion of Computer Misuse Act offenses, blackmail, money laundering, and participating in the activities of an organized crime group. Electronic devices were seized for forensic analysis. The NCA did not publicly name the "organized crime group," but reporting links the suspects to Scattered Spider / The Com rather than to DragonForce core operators.

Detail | Information | Source
Arrest date | July 10, 2025 | NCA (CONFIRMED)
Number arrested | 4 | NCA (CONFIRMED)
Ages / demographics | Two men aged 19, one male aged 17, one woman aged 20 | NCA (CONFIRMED)
Named suspects (Krebs reporting) | Owen David Flowers (aliases: bo764, Holy, Nazi); Thalha Jubair (aliases: Earth2Star, Operator), both aged 19; Jubair also alleged former LAPSUS$ core member and Doxbin administrator | Krebs on Security (CREDIBLE, single source)
Suspected offenses (arrested on suspicion of) | Computer Misuse Act offenses, blackmail, money laundering, participating in the activities of an organized crime group | NCA (CONFIRMED)
Infrastructure seized | None; DragonForce DLS and operations continue | CONFIRMED
Analytical note: The July 2025 arrests targeted individuals assessed as Scattered Spider / The Com members who used DragonForce infrastructure, not DragonForce's core operators. No arrests of DragonForce operators, developers, or cartel leadership have been publicly reported as of May 2026. The infrastructure disruption risk from these arrests is low; the operational impact falls on the Scattered Spider intrusion cluster, not on DragonForce's cartel model.
Additional LE and Regulatory Actions

There are no publicly disclosed indictments, US or EU court documents, or OFAC/OFSI sanctions dedicated to DragonForce core operators as of May 2026. No FBI/CISA joint advisory, UK NCSC dedicated advisory, or Europol action targeting DragonForce specifically has been issued. DragonForce has not received the "Tier-1" law enforcement focus that LockBit or REvil attracted prior to their disruptions.

Approximately a dozen total Scattered Spider members have been arrested in the eighteen months preceding May 2026 across multiple law enforcement operations. This pressure on the Scattered Spider access layer may affect DragonForce's most capable affiliate channel but leaves the cartel infrastructure intact.

08

Attribution and State Nexus

Primary Motivation
Confirmed

DragonForce's ransomware operations are unambiguously profit-motivated. Ransom monetization is the operational center of gravity. No pattern of politically motivated targeting, ideological messaging aligned with state interests, or gratuitous destruction inconsistent with financial incentives has been documented.

CIS / Russia Nexus Assessment
Credible Low

No confirmed organizational relationship between DragonForce and Russian intelligence services (FSB, SVR, GRU) exists in open sources. However, several indicators constitute a credible (low-confidence) CIS nexus signal:

Indicator 1 — Credible
CIS Exclusion in Affiliate Rules
Affiliate rules explicitly prohibit attacks on Russia and former Soviet states. This pattern is characteristic of CIS-based criminal operations seeking informal safe harbor. Source: The Register, Barracuda.
Indicator 2 — Credible
RAMP Forum Advertising
DragonForce actively advertised on RAMP, a Russian-language dark web forum. The majority of RAMP users communicate in Russian. Active recruitment on Russian-language criminal infrastructure is consistent with CIS operator base.
Indicator 3 — Credible
Tool Overlap with Russian Ecosystem
Use of SystemBC, Mimikatz, and Cobalt Strike. These tools are widely used across the CIS cybercrime ecosystem but are not exclusive to it. Code base drawn from LockBit 3.0 and Conti, both Russian-nexus operations.
Accusation — Single Source, Low Confidence
RansomHub FSB Accusation
RansomHub spokesperson "Koley" accused DragonForce of working as an agent of Russia's FSB, posting "You use feds to steal and shutdown others. We know." This is a self-interested accusation from a rival criminal group with no corroboration. Some industry analysts entertain the hypothesis, but no corroborating evidence has been published. Confidence: ANALYST INFERENCE at most; treat as an uncorroborated single-source claim.
Overall assessment: DragonForce should be treated as a financially motivated cybercriminal cartel with a possible CIS nexus that has not been confirmed. The Malaysia origin hypothesis and a Russia/CIS hypothesis are not mutually exclusive; the group may have founders or operators in multiple jurisdictions. Mandiant (Google) has not formally attributed DragonForce to any state-sponsored cluster. Analysts should watch for future law enforcement disclosures or on-chain attribution that could resolve the jurisdictional question. Current confidence in any specific attribution: CREDIBLE LOW.
UNC3944 / Scattered Spider Nexus
Credible

Mandiant (Google Threat Intelligence Group) reported that threat actors used TTPs consistent with UNC3944 (Scattered Spider) in the UK retail attacks, deploying DragonForce ransomware. This is a use relationship (Scattered Spider affiliates using DragonForce infrastructure), not an organizational merger. Mandiant has not formally attributed the UK retail intrusions to Scattered Spider; the characterization is "tactics consistent with." CrowdStrike, Microsoft, and Fenix24 reportedly assessed Scattered Spider involvement based on the M&S investigation; Google TIG stated it had not independently confirmed Scattered Spider attribution.

Practically: Scattered Spider's social engineering capabilities and native English fluency complement DragonForce's infrastructure and payload delivery, creating a potent combined capability against Western enterprises. The cartel model explicitly facilitates this type of partnership without requiring formal membership.

09

Trajectory Assessment

Connected Group Cluster

The following cluster relationships are assessed with two-tier confidence (anchor relationship / extension claims):

Group | Relationship | Anchor Confidence | Extension Confidence | Vendor Coverage
Scattered Spider / UNC3944 | Access affiliate; used DragonForce payloads in UK retail campaign | CREDIBLE (Mandiant, CrowdStrike, M&S Parliamentary testimony) | CREDIBLE (ongoing use relationship plausible given cartel model) | Mandiant, Bridewell, Acronis, Realize Security; Google TIG does not formally confirm attribution
RansomHub | DragonForce claimed RansomHub in April 2025 after RansomHub went dark on April 1; sub-brand portal created | CONFIRMED (The Hacker News, Barracuda, GuidePoint, Sophos) | CREDIBLE (displaced affiliates migrating to DFRC sub-brands) | Sophos, Barracuda, GuidePoint, CyberExpress; RansomHub "Koley" disputes hostile takeover framing
RansomBay | First documented white-label sub-brand; former RansomHub affiliate operating on DragonForce infrastructure | CONFIRMED (Barracuda, RansomLook) | N/A (sub-brand, not separate group) | Barracuda, RansomLook
BlackLock | Rival defaced within 24 hours of DFRC cartel announcement (March 2025) | CONFIRMED (Secureworks, The Hacker News) | ANALYST INFERENCE (hostile relationship; BlackLock affiliation with DFRC not assessed) | Secureworks, Sophos, The Hacker News; Mandiant, Recorded Future have not published formal assessment
DragonForce Malaysia | Possible founding relationship or shared personnel; contested | CREDIBLE LOW (naming overlap, timing, some targeting overlap) | CREDIBLE LOW (DFM denies; no technical link established) | WatchGuard, Barracuda, SOCRadar note the linkage hypothesis; SentinelOne, Barracuda note counter-evidence
Rebranding and Exit Signals

The structural change in March 2025 was an expansion, not a rebrand or exit. DragonForce has not gone dark, changed names, or shown infrastructure shutdown signals. The cartel model actively absorbs displaced affiliates from disrupted groups (RansomHub, BlackLock), which strengthens rather than weakens the operation over time. The March 2025 pivot is explicitly designed to be resilient to the kind of single-brand takedowns that disrupted LockBit and ALPHV.

Trajectory Indicators
  • Victim growth trajectory: 82 (Aug 2024) to 363+ (late 2025) represents more than a fourfold increase in approximately fifteen months. The growth rate accelerated post-cartel announcement.
  • Capability evolution: Multi-platform payload coverage (Windows, Linux, ESXi, BSD, NAS), cross-industry targeting including OT/ICS environments, and documented social engineering partnerships indicate ongoing capability development.
  • Model innovation as resilience: White-label cartel structure specifically decouples the operational brand from infrastructure, reducing the enforcement leverage that dismantled LockBit. This is an adaptive response to the LE disruption model.
  • LE pressure level: Four arrests (July 2025) targeting peripheral actors (Scattered Spider affiliates), not core operators. Infrastructure intact. Current LE pressure level: moderate (elevated investigation, no takedown).
  • Competitive dynamics: DragonForce's aggressive rival targeting (BlackLock defacement, RansomHub absorption) reflects an intent to consolidate market share. If successful, this concentrates more ransomware affiliate activity under a single infrastructure, increasing overall attack volume.
Intelligence gaps: (1) No published blockchain forensics from TRM Labs, Chainalysis, or Elliptic; wallet clustering and financial flows unknown. (2) Core operator identities unconfirmed; no named individuals from DragonForce's central team. (3) Jurisdictional question unresolved; Malaysia vs. Russia/CIS vs. mixed origin. (4) Full scope of sub-brands operating on DragonForce infrastructure is not publicly mapped. (5) No CISA/FBI or NCSC joint advisory dedicated to DragonForce as of May 2026.
