Overview
World Leaks is a data-extortion operation that launched on or about 1 January 2025 as the rebrand of the Hunters International ransomware-as-a-service (RaaS) program. Hunters International itself emerged in October 2023 and is assessed with moderate confidence by Group-IB as a rebrand or direct successor of the Hive RaaS operation, which was infiltrated and seized by an FBI-led international operation in January 2023. World Leaks markets itself as extortion-only: affiliates steal data and threaten publication rather than encrypting systems, although a minority of incidents have still involved encryption (CONFIRMED, Darktrace).
The operation is distinguished by a four-platform infrastructure, including an "Insider" journalist portal that grants registered media outlets roughly 24-hour advance access to stolen data, a deliberate reputational-pressure mechanism that frames extortion as "disclosure." Group-IB is the principal vendor tracking the group under the names "Hunters International" and "World Leaks." No major vendor (CrowdStrike, Microsoft, Mandiant, Secureworks, Unit 42) has published a formal branded designation for World Leaks as of June 2026 (CONFIRMED, open-source negative).
| Attribute | Detail |
|---|---|
| Current brand | World Leaks (also written "WorldLeaks" / "World Leaks"); launched ~1 Jan 2025 |
| Former brand | Hunters International (Oct 2023 – shutdown announced 4 Jul 2025) |
| Upstream origin | Hive ransomware (Jun 2021 – Jan 2023 takedown), assessed predecessor (CREDIBLE / Group-IB moderate confidence) |
| Tracking designations | Group-IB: "Hunters International" and "World Leaks". No formal CrowdStrike / Microsoft / Mandiant / Secureworks / Unit 42 branded alias published as of Jun 2026. GTIG tracks an associated SonicWall access actor separately as UNC6148 (an access enabler, not the group itself). |
| Operational model | Affiliate-based data extortion, marketed as Extortion-as-a-Service (EaaS); proprietary "Storage Software" exfiltration tool |
| Extortion mechanic | Single (data-theft) extortion plus multi-audience pressure via journalist "Insider" portal; some incidents still deploy encryption |
| Assessed jurisdiction | Russian-speaking ecosystem; CIS / Russia safe-harbor dynamics (CREDIBLE). No confirmed state-tasking nexus. |
| LE disruption status | None against World Leaks or Hunters International. Hive (assessed parent) seized Jan 2023. |
| Halcyon threat score | 6.1 / 10 (vendor index, updated Jan 2026) |
Origin & Lineage
The operation is best understood as a three-stage cluster: Hive (June 2021 – January 2023) → Hunters International (October 2023 – July 2025) → World Leaks (January 2025 – present). World Leaks and Hunters International ran in parallel for roughly six months in 2025 before Hunters announced its formal closure on 4 July 2025.
- Insider communications: Group-IB reported that Hunters International told its own affiliates in November 2024 that the project was closing and that a rebrand to an extortion-only service called "World Leaks" was underway.
- Timing: World Leaks launched its Tor leak site on or about 1 January 2025, with first victims posted in late April 2025 after early infrastructure instability.
- Site design and architecture: The Record and others note that the World Leaks leak site shares the same design as Hunters International, and infrastructure, victim-notification methodology, and negotiation-portal architecture are common to both.
- Managed handover: Hunters International's 4 July 2025 closure (with an offer of free decryptors to past victims) coincided with World Leaks' established operation, consistent with a seamless transition rather than a genuine disbandment.
Group-IB is the primary tracker, using the operational names "Hunters International" and "World Leaks" directly. Unlike Conti-lineage groups, this cluster has not been assigned vendor "totem" designations (no Spider, Storm, Scorpius, or Gold alias is published as of June 2026).
Importantly, UNC6148 (Google Threat Intelligence Group) is not a designation for World Leaks. It is a separate, financially motivated access actor exploiting end-of-life SonicWall SMA 100 appliances whose victims have appeared on the World Leaks DLS. The relationship is access-broker-to-extortion-platform, established by temporal correlation rather than definitive technical attribution (CREDIBLE, GTIG moderate confidence). Do not conflate UNC6148 with the World Leaks operating entity.
Operational Model
Hunters International operated as a classic RaaS program: affiliates conducted intrusions, deployed a multi-platform locker, and exfiltrated data. World Leaks reframes the same affiliate model as Extortion-as-a-Service (EaaS): affiliates receive a proprietary "Storage Software" exfiltration tool (Windows and Linux; x86/x64) rather than a locker builder, and the central platform handles publication and negotiation (CONFIRMED, Group-IB / Halcyon).
Group-IB's analysis of the affiliate panel shows a deliberately business-like workflow: target registration (company name, revenue, stock), exfiltration via Storage Software, classified "Disclosures" (Source Code, Financial, PII), a "Mailing List" function for notifying a victim's partners and clients, and a victim live-chat negotiation portal.
The Hunters International affiliate panel displayed an 80% payout to the affiliate on the company-overview screen after target registration (Group-IB). This is consistent with the modern RaaS standard (80/20). No revised split has been published for the World Leaks EaaS model; treat the 80/20 figure as Hunters-era CONFIRMED and World Leaks-era ANALYST INFERENCE.
| Component | Function |
|---|---|
| Main data leak site (DLS) | Public victim listings with countdown timers; Tor hidden service |
| Victim negotiation portal | Tor portal with company financials, browsable file explorer of stolen data, Bitcoin payment tab, and live chat with operators |
| Affiliate management panel | Target creation, Storage Software distribution, disclosures, mailing list, payment processing |
| "Insider" journalist portal | Grants registered media outlets ~24-hour advance access to stolen data before public release; homepage displays mastheads of international newspapers and invites journalists to register for "early access to insights and disclosures" |
Halcyon reports a confirmed partnership in which the Secp0 ransomware group published victims through World Leaks' shared leak-site infrastructure (CREDIBLE, single-vendor). Separately, Group-IB observed that the Hunters International clear-net domain (huntersinternational[.]su) resided on the same bulletproof host (AS214822) as the INC and Lynx blog domains, but could not establish a link (INCONCLUSIVE / intelligence gap).
Technical Profile
Initial access vectors reported for the cluster:
- Compromised VPN credentials without MFA (primary vector per incident-response reporting).
- End-of-life SonicWall SMA 100 exploitation via the UNC6148 campaign, deploying the OVERSTEP user-mode rootkit (boot-process modification, LD_PRELOAD abuse, credential and OTP-seed theft). Victims subsequently appeared on the World Leaks DLS.
- Infostealer-sourced credentials (~35% of World Leaks victims show associated domain infostealer indicators per ransomware.live), RDP brute-forcing, and targeted phishing.
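The OVERSTEP bullet above names LD_PRELOAD abuse as one of the rootkit's techniques. The check below is an added illustration, not code from the page, Group-IB or GTIG: it parses the two places where a user-mode preload is configured on Linux (the `/etc/ld.so.preload` file and the `LD_PRELOAD` variable in a process's `/proc/<pid>/environ`) and flags any library that does not live under a trusted library directory. The trusted-directory list, the sample preload file and the sample environ blobs are constructed for the example; it is a generic Linux check, not something that runs on an SMA appliance.

```python
"""Flag LD_PRELOAD-style library injection from preload config and process environments."""
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Assumption for this example: legitimately preloaded libraries come from these trees.
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")


def parse_preload_file(text: str) -> List[str]:
    """Return library paths listed in /etc/ld.so.preload.

    ld.so accepts whitespace-separated entries; '#' starts a comment.
    """
    libs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def parse_environ(blob: bytes) -> Dict[str, str]:
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE pairs)."""
    env: Dict[str, str] = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, value = item.split(b"=", 1)
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def is_trusted_path(path: str) -> bool:
    """True only for absolute paths inside one of the trusted library trees."""
    return any(path.startswith(d + "/") for d in TRUSTED_LIB_DIRS)


def suspicious_preloads(
    preload_text: str, environs: Dict[int, bytes]
) -> List[Tuple[str, Optional[int], str]]:
    """Return (source, pid, library) for every preloaded library outside the trusted trees."""
    findings: List[Tuple[str, Optional[int], str]] = []
    for lib in parse_preload_file(preload_text):
        if not is_trusted_path(lib):
            findings.append(("ld.so.preload", None, lib))
    for pid, blob in environs.items():
        env = parse_environ(blob)
        # LD_PRELOAD entries may be separated by spaces or colons.
        for lib in env.get("LD_PRELOAD", "").replace(":", " ").split():
            if not is_trusted_path(lib):
                findings.append(("LD_PRELOAD", pid, lib))
    return findings


def collect_live() -> List[Tuple[str, Optional[int], str]]:
    """Run the check against the local host (needs permission to read /proc/<pid>/environ)."""
    preload_path = Path("/etc/ld.so.preload")
    preload_text = preload_path.read_text() if preload_path.exists() else ""
    environs: Dict[int, bytes] = {}
    for entry in Path("/proc").iterdir():
        if entry.name.isdigit():
            try:
                environs[int(entry.name)] = (entry / "environ").read_bytes()
            except OSError:
                continue  # process exited or environ not readable
    return suspicious_preloads(preload_text, environs)


# Constructed sample inputs: one benign preload entry, one from a world-writable directory,
# and two process environments, one of which chains a library from /dev/shm.
SAMPLE_PRELOAD = "# constructed sample\n/usr/lib/libfakeroot/libfakeroot-0.so\n/tmp/.x/libhide.so\n"
SAMPLE_ENVIRONS = {
    101: b"PATH=/usr/bin\0LD_PRELOAD=/usr/lib/libgtk3-nocsd.so.0\0",
    202: b"HOME=/root\0LD_PRELOAD=/dev/shm/libinject.so:/usr/lib/libc.so.6\0",
}

if __name__ == "__main__":
    for source, pid, lib in suspicious_preloads(SAMPLE_PRELOAD, SAMPLE_ENVIRONS):
        print(f"{source:14} pid={pid} lib={lib}")
```

A caveat that matters for a rootkit that hooks libc: a scanner running under the same preload can be lied to by the very hooks it is looking for, so the reliable form of this check reads `/etc/ld.so.preload` and the process list from a mounted image or a clean boot rather than from the live system.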
Vulnerabilities reported in connection with the SonicWall SMA access campaign (UNC6148) whose victims later appeared on the World Leaks DLS:
| CVE | Product | CVSS | Type |
|---|---|---|---|
| CVE-2024-38475 | Apache HTTP Server (mod_rewrite) | 9.1 | Path traversal (enabled SonicWall SMA DB exfiltration) |
| CVE-2021-20038 | SonicWall SMA 100 | 9.8 | Unauthenticated RCE (memory corruption) |
| CVE-2021-20035 | SonicWall SMA 100 | 7.2 / 9.8 (revised) | Authenticated RCE (command injection) |
| CVE-2021-20039 | SonicWall SMA 100 | 7.2 | Authenticated RCE (command injection) |
| CVE-2025-32819 | SonicWall SMA 100 | 8.8 | Authenticated file deletion / credential reset |
World Leaks' custom "Storage Software" indexes file metadata and transmits it over TLS to a Tor onion service (default host observed by Group-IB: hunters55…[.]onion), using a SOCKSv5 proxy. Critically, exfiltrated files remain on the affiliate-controlled host; only metadata is sent to the platform, reducing central forensic exposure. Cloud storage (notably MEGA) is also used. Terabyte-scale theft is documented (the Nike incident: ~1.4 TB / ~189,000 files).
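Because Storage Software reaches its onion endpoint through a SOCKSv5 proxy, one host- or sensor-side signal is a SOCKS5 CONNECT request whose destination is a `.onion` name. The parser below is an added example, not code from the page or from Group-IB: it decodes a SOCKS5 CONNECT request per RFC 1928 (IPv4, domain-name and IPv6 address types) and classifies it. The sample requests are constructed for the example, and the placeholder onion name is not a real address.

```python
"""Decode SOCKS5 CONNECT requests and flag .onion destinations (RFC 1928 request format)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4


@dataclass
class Socks5Connect:
    dest: str
    port: int
    atyp: int


def parse_socks5_connect(pkt: bytes) -> Optional[Socks5Connect]:
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT; return None if not a well-formed CONNECT."""
    if len(pkt) < 4 or pkt[0] != SOCKS_VERSION or pkt[1] != CMD_CONNECT:
        return None
    atyp = pkt[3]
    if atyp == ATYP_IPV4:
        if len(pkt) < 10:
            return None
        dest, off = ".".join(str(b) for b in pkt[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        # One length byte followed by the domain name; no trailing NUL.
        if len(pkt) < 5:
            return None
        n = pkt[4]
        if len(pkt) < 5 + n + 2:
            return None
        dest, off = pkt[5:5 + n].decode("ascii", "replace"), 5 + n
    elif atyp == ATYP_IPV6:
        if len(pkt) < 22:
            return None
        dest, off = ipaddress.IPv6Address(pkt[4:20]).compressed, 20
    else:
        return None
    port = struct.unpack("!H", pkt[off:off + 2])[0]
    return Socks5Connect(dest, port, atyp)


def classify_connect(pkt: bytes) -> str:
    """'onion' for Tor hidden-service destinations, 'clear' otherwise, 'invalid' if not CONNECT."""
    req = parse_socks5_connect(pkt)
    if req is None:
        return "invalid"
    return "onion" if req.dest.lower().endswith(".onion") else "clear"


def is_onion_connect(pkt: bytes) -> bool:
    return classify_connect(pkt) == "onion"


def build_connect(host: str, port: int) -> bytes:
    """Build a domain-type SOCKS5 CONNECT request (used here only to construct samples)."""
    name = host.encode("ascii")
    if len(name) > 255:
        raise ValueError("SOCKS5 domain names are limited to 255 bytes")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


# Constructed samples; the onion name is a placeholder, not an address from the report.
SAMPLE_ONION = build_connect("constructed-placeholder.onion", 443)
SAMPLE_CLEAR = build_connect("example.com", 80)
SAMPLE_IPV4 = b"\x05\x01\x00\x01\x0a\x00\x00\x01\x00\x50"  # CONNECT 10.0.0.1:80

if __name__ == "__main__":
    for label, pkt in (("onion", SAMPLE_ONION), ("clear", SAMPLE_CLEAR), ("ipv4", SAMPLE_IPV4)):
        print(label, parse_socks5_connect(pkt), classify_connect(pkt))
```

The CONNECT request is sent in clear text to the proxy before any TLS is negotiated with the destination, so it is visible wherever the proxy traffic can be observed. A destination that is an IP address or a hostname forwarded onward by Tor will not carry the `.onion` suffix, so this check complements, rather than replaces, blocking or alerting on Tor client traffic itself.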
The Hunters International locker was multi-platform (Windows, Linux, FreeBSD, SunOS, ESXi; x64/x86/ARM), used AES-128 with a per-file random key (key appended to the file), and deleted Volume Shadow Copies. Early variants appended .LOCKED and dropped a Contact Us.txt note; later versions dropped no ransom note and appended no extension (a design choice shared with LockBit 4 and Lynx).
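The later locker variants described above leave no ransom note and change no extension, so an encrypted file cannot be recognised by name, and the per-file key appended to the ciphertext is itself random bytes. Triage therefore has to look at content. The script below is an added example, not code from the page or any vendor: it scores files by Shannon entropy and flags those that are both near-random and lack a recognised file signature, which keeps legitimately compressed formats such as ZIP out of the alert set. The signature table, threshold and sample files are constructed for the example.

```python
"""Content-based triage for files encrypted without extension or note (entropy + magic check)."""
import hashlib
import math
from collections import Counter
from typing import Dict, List

# Assumption for this example: a small signature table; extend for the environment's formats.
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip/office",
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"\x7fELF": "elf",
    b"MZ": "pe",
}
ENTROPY_THRESHOLD = 7.9   # bits per byte; random data tends to ~7.97 for a few KiB
MIN_LEN = 256             # too few bytes for the estimate to be meaningful


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for a uniform byte distribution)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_format(data: bytes) -> str:
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return ""


def looks_encrypted(data: bytes) -> bool:
    """High entropy with no recognised header; the appended 16-byte key is not distinguishable."""
    return len(data) >= MIN_LEN and not known_format(data) and shannon_entropy(data) >= ENTROPY_THRESHOLD


def triage(files: Dict[str, bytes]) -> List[str]:
    """Names of files that should be examined as possible ciphertext, sorted."""
    return sorted(name for name, data in files.items() if looks_encrypted(data))


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic random-looking bytes (SHA-256 chain) standing in for ciphertext."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def constructed_samples() -> Dict[str, bytes]:
    """Three constructed files: plain text, a ZIP-like archive, and ciphertext with no extension."""
    text = b"Quarterly figures attached; please review the supplier audit before Friday.\n" * 100
    return {
        "notes.txt": text,
        "archive.zip": b"PK\x03\x04" + pseudo_random(8188),
        "quarterly-report": pseudo_random(8176) + pseudo_random(16, b"key"),  # body + appended key
    }


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(f"{name:18} entropy={shannon_entropy(data):.3f} format={known_format(data) or '-'}")
    print("flagged:", triage(constructed_samples()))
```

Entropy alone over-alerts on compressed media and archives, which is why the signature check is part of the decision; the residual false positives are container formats the table does not know. Deleted Volume Shadow Copies, also noted above, are the other content-independent signal worth pairing with this on Windows hosts.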
On 2 February 2024, Hunters International published a statement (in Russian) prohibiting attacks on Israel, Turkey, the entire Far East, and CIS nations. Group-IB noted the group nonetheless listed victims from China, Turkey, Singapore, and Japan, indicating the policy was loosely enforced. No Russia/CIS victims are documented in open-source databases, consistent with a Russian-language safe-harbor posture (ANALYST INFERENCE for the underlying motive).
Targeting
| Sector | Approx. Victims | Notes |
|---|---|---|
| Healthcare | ~31 | Largest single sector; consistent with 2024 ecosystem shift toward healthcare |
| Manufacturing | ~24 | |
| Business Services | ~21 | |
| Technology, Consumer Services, Energy/Utilities | Significant | Demonstrated capability vs defense contractors and Fortune 500 entities (Halcyon) |
Figures are approximate and reflect leak-site claims aggregated by ransomware.live; they are not independently confirmed victim counts.
| Country | Approx. Victims |
|---|---|
| United States | ~90 (majority) |
| United Kingdom | ~10 |
| Germany | ~8 |
| Canada, Belgium, India, others | Remainder |
No CIS-region victims are documented. United States entities dominate the victim set, consistent with Hunters International's prior global-but-Western-weighted footprint.
Primarily opportunistic, driven by available initial access (exposed VPN/RDP, end-of-life SonicWall appliances, infostealer logs) rather than deliberate sector pre-selection. Targets storing regulated data (GDPR, HIPAA, state breach laws) are favored because regulatory exposure increases willingness to pay (ANALYST INFERENCE supported by Halcyon target-selection analysis).
Victim Data
| Victim | Brand | Sector | Date | Notes |
|---|---|---|---|---|
| Nike | World Leaks | Consumer / Apparel | Jan 2026 claim | ~1.4 TB / ~189,000 files (design, manufacturing, pricing, factory audits); no customer PII identified as of Feb 2026. Nike had not confirmed scope. |
| Dell | World Leaks | Technology | Jul 2025 | Data-theft claim attributed to World Leaks |
| Fred Hutchinson Cancer Center | Hunters Intl | Healthcare | 2023–2024 | Prominent Seattle cancer center; weaponized patient data |
| U.S. Marshals Service | Hunters Intl | Government | 2024 | Claimed on Hunters International DLS |
Financial Profile
World Leaks demands payment in Bitcoin, using a freshly generated wallet address per victim with no prior transaction history, displayed in the victim negotiation portal alongside a live chat. Demands are framed as payment to prevent data publication rather than for decryption. No published average-demand range, discount statistics, or payment deadlines exist for World Leaks or Hunters International in open source (intelligence gap).
As of June 2026, no dedicated TRM Labs, Chainalysis, or Elliptic on-chain report focused on World Leaks or Hunters International was identified. No wallet-cluster, laundering-phase, or revenue figure has been published for this cluster, in sharp contrast to peers such as Akira and LockBit. The Hive predecessor was assessed by DOJ as having attempted to extort over $130 million and to have collected an estimated ~$100 million before the January 2023 takedown.
No OFAC designation names Hunters International or World Leaks as of June 2026 (CONFIRMED, open-source negative). Some reporting links the November 2024 closure decision to anticipated sanctions and law-enforcement pressure on Russian ransomware operations, but no specific designation is documented.
Attribution & Nexus
Evidence basis: Russian-language affiliate-panel posts and operator statements (Group-IB); underground-forum references to the group as "хайв" (Hive); the published prohibition on attacking CIS nations; and the absence of CIS-region victims. The Hive predecessor operated within the Russian-language RaaS ecosystem. No contradicting evidence appears in open source.
No publicly available evidence indicates that Hive, Hunters International, or World Leaks operate under the tasking or control of the FSB, SVR, or GRU. The operation is most consistent with financially motivated cybercrime adapting tactics to reduce law-enforcement exposure, operating under informal Russian/CIS safe-harbor expectations rather than as a state-directed unit. Any claimed intelligence ties should be treated as speculative pending source-level intelligence.
Disruption History & Known Vulnerabilities
The Hive takedown of January 2023 is the principal law-enforcement milestone underpinning this lineage. The FBI covertly infiltrated Hive's infrastructure in July 2022 and, over roughly six months, captured and distributed more than 1,300 decryption keys to victims, thwarting an estimated $130 million in ransom demands. On 26 January 2023, DOJ and international partners seized Hive's Tor payment and leak sites (including two Los Angeles servers). Hive had breached an estimated 1,300–1,500 organizations across 80+ countries and operated with roughly 250 affiliates. The takedown did not result in arrests of the core operators, who are assessed to have re-emerged as Hunters International.
Hunters International announced closure on 4 July 2025 and offered free decryption software to past victims, framed as goodwill. Recorded Future News reported that incident responders generally regard the decryptor as poorly designed, and the offer's practical value is unclear. The group had first announced closure in November 2024 but did not follow through, instead standing up World Leaks. The "shutdown" is best read as a managed rebrand, not a disbandment.
No infrastructure seizure, indictment, or sanction has targeted the World Leaks platform. Reported downtime has been attributed to technical bugs and early infrastructure instability rather than to law-enforcement action.
Known vulnerabilities of the operation itself:
- Access dependency: Heavy reliance on end-of-life SonicWall SMA 100 appliances (UNC6148) and unpatched VPNs creates a defensible choke point; patching and decommissioning EOL appliances directly degrades the access pipeline.
- Affiliate-hosted data: The Storage Software model keeps exfiltrated data on affiliate-controlled hosts, creating distributed, individually seizable evidence rather than a single central store.
- Under-mapped finances: The absence of vendor on-chain analysis is a gap that, if closed, would expose cash-out infrastructure and enable financial-pressure options.
Status & Trajectory
The cluster has repeatedly survived law-enforcement pressure by rebranding (Hive → Hunters International → World Leaks) rather than disbanding. The shift to data-only extortion, the journalist "Insider" portal, and the per-victim fresh-wallet model collectively reduce both encryption-related legal exposure and on-chain visibility. Expect continued operation under the World Leaks brand, with a credible possibility of a future rebrand if pressure increases.