Developed by Reno  •  Analytical profiles compiled from open-source intelligence
Threat Actor Profile: Last updated June 2026
World Leaks
Data Extortion (Extortion-as-a-Service)  •  formerly Hunters International  •  Hive lineage
Threat level: High  •  Status: Active  •  Model: Data Extortion / EaaS
  • World Leaks launch: Jan 2025 (first victims posted Apr 2025)
  • WL leak-site victims: ~167 (as of June 2026)
  • Hunters Intl victims: ~280–300 (Oct 2023 – Jul 2025)
  • Confirmed revenue: Undisclosed (no vendor on-chain figure)
  • LE disruptions (WL): Zero (Hive parent seized Jan 2023)
  • Extortion model: Data-only (encryption mostly dropped)
  • Lineage: Hive → Hunters → World Leaks
01  Overview

World Leaks is a data-extortion operation that launched on or about 1 January 2025 as the rebrand of the Hunters International ransomware-as-a-service (RaaS) program. Hunters International itself emerged in October 2023 and is assessed with moderate confidence by Group-IB as a rebrand or direct successor of the Hive RaaS operation, which was infiltrated and seized by an FBI-led international operation in January 2023. World Leaks markets itself as extortion-only: affiliates steal data and threaten publication rather than encrypting systems, although a minority of incidents have still involved encryption (CONFIRMED, Darktrace).

The operation is distinguished by a four-platform infrastructure, including an "Insider" journalist portal that grants registered media outlets roughly 24-hour advance access to stolen data, a deliberate reputational-pressure mechanism that frames extortion as "disclosure." Group-IB is the principal vendor tracking the group under the names "Hunters International" and "World Leaks." No major vendor (CrowdStrike, Microsoft, Mandiant, Secureworks, Unit 42) has published a formal branded designation for World Leaks as of June 2026 (CONFIRMED, open-source negative).

Attribute | Detail
Current brand | World Leaks (also written "WorldLeaks" / "World Leaks"); launched ~1 Jan 2025
Former brand | Hunters International (Oct 2023 – shutdown announced 4 Jul 2025)
Upstream origin | Hive ransomware (Jun 2021 – Jan 2023 takedown), assessed predecessor (CREDIBLE / Group-IB moderate confidence)
Tracking designations | Group-IB: "Hunters International" and "World Leaks". No formal CrowdStrike / Microsoft / Mandiant / Secureworks / Unit 42 branded alias published as of Jun 2026. GTIG tracks an associated SonicWall access actor separately as UNC6148 (an access enabler, not the group itself).
Operational model | Affiliate-based data extortion, marketed as Extortion-as-a-Service (EaaS); proprietary "Storage Software" exfiltration tool
Extortion mechanic | Single (data-theft) extortion plus multi-audience pressure via journalist "Insider" portal; some incidents still deploy encryption
Assessed jurisdiction | Russian-speaking ecosystem; CIS / Russia safe-harbor dynamics (CREDIBLE). No confirmed state-tasking nexus.
LE disruption status | None against World Leaks or Hunters International. Hive (assessed parent) seized Jan 2023.
Halcyon threat score | 6.1 / 10 (vendor index, updated Jan 2026)
Data Leak Site & Branding
02  Origin & Lineage

Three-Generation Lineage

The operation is best understood as a three-stage cluster: Hive (June 2021 – January 2023) → Hunters International (October 2023 – July 2025) → World Leaks (January 2025 – present). World Leaks and Hunters International ran in parallel for roughly six months in 2025 before Hunters announced its formal closure on 4 July 2025.

Hive → Hunters International: Evidence Assessment
Credible, Group-IB moderate confidence; actor denies, claims source-code purchase
Pillar 1 (Credible): Code Overlap
Researchers (rivitna, Will Thomas / BushidoToken) found the Hunters International encryptor matched more than 60% of Hive's code and retained "maintained Hive strings"; rivitna assessed it as Hive ransomware version 6, rebuilt in Rust with string obfuscation (obfstr crate). Caveat: code reuse alone is consistent with a purchase, not only personnel continuity.
Pillar 2 (Credible): Administrative Identity
Group-IB reported that ransomware actors were contacted by the Hunters International administrator using the same instant-messaging account previously associated with Hive. Underground-forum users routinely referred to Hunters as "хайв" (Hive).
Pillar 3 (Credible): Infrastructure & Web App
Hunters International reused Hive's web application and older Golang/C code base. The operators publicly stated: "All of the Hive source codes were sold including the website and old Golang and C versions and we are those who purchased them."
Pillar 4 (Analyst Inference): Source-Purchase Cover Story
The Record assessed that the "purchased the source code" claim may itself be a deliberate attempt by former Hive operators to distance the new brand from the seized predecessor. ANALYST INFERENCE: continuity of personnel is more likely than an arm's-length code sale, though not conclusively evidenced.
Overall assessment: Group-IB assesses with moderate confidence that Hunters International is a rebrand of Hive. The operators deny this and claim a source-code purchase. No vendor has published a higher-than-moderate confidence judgment, and no individual has been publicly tied across both brands. Treat the Hive anchor as CREDIBLE, not CONFIRMED.
Hunters International → World Leaks: Evidence Assessment
Confirmed, same operators; Group-IB documented the planned rebrand
  • Insider communications: Group-IB reported that Hunters International told its own affiliates in November 2024 that the project was closing and that a rebrand to an extortion-only service called "World Leaks" was underway.
  • Timing: World Leaks launched its Tor leak site on or about 1 January 2025, with first victims posted in late April 2025 after early infrastructure instability.
  • Site design and architecture: The Record and others note that the World Leaks leak site shares the same design as Hunters International, and infrastructure, victim-notification methodology, and negotiation-portal architecture are common to both.
  • Managed handover: Hunters International's 4 July 2025 closure (with an offer of free decryptors to past victims) coincided with World Leaks' established operation, consistent with a seamless transition rather than a genuine disbandment.
Vendor Designation: Disambiguation

Group-IB is the primary tracker, using the operational names "Hunters International" and "World Leaks" directly. Unlike Conti-lineage groups, this cluster has not been assigned vendor "totem" designations (no Spider, Storm, Scorpius, or Gold alias is published as of June 2026).

Importantly, UNC6148 (Google Threat Intelligence Group) is not a designation for World Leaks. It is a separate, financially motivated access actor exploiting end-of-life SonicWall SMA 100 appliances whose victims have appeared on the World Leaks DLS. The relationship is access-broker-to-extortion-platform, established by temporal correlation rather than definitive technical attribution (CREDIBLE, GTIG moderate confidence). Do not conflate UNC6148 with the World Leaks operating entity.

03  Operational Model

From RaaS to Extortion-as-a-Service

Hunters International operated as a classic RaaS program: affiliates conducted intrusions, deployed a multi-platform locker, and exfiltrated data. World Leaks reframes the same affiliate model as Extortion-as-a-Service (EaaS): affiliates receive a proprietary "Storage Software" exfiltration tool (Windows and Linux; x86/x64) rather than a locker builder, and the central platform handles publication and negotiation (CONFIRMED, Group-IB / Halcyon).

Group-IB's analysis of the affiliate panel shows a deliberately business-like workflow: target registration (company name, revenue, stock), exfiltration via Storage Software, classified "Disclosures" (Source Code, Financial, PII), a "Mailing List" function for notifying a victim's partners and clients, and a victim live-chat negotiation portal.

Affiliate Economics
Confirmed, 80% affiliate share visible in Hunters International panel

The Hunters International affiliate panel displayed an 80% payout to the affiliate on the company-overview screen after target registration (Group-IB). This is consistent with the modern RaaS standard (80/20). No revised split has been published for the World Leaks EaaS model; treat the 80/20 figure as Hunters-era CONFIRMED and World Leaks-era ANALYST INFERENCE.

Four-Platform Extortion Infrastructure
Component | Function
Main data leak site (DLS) | Public victim listings with countdown timers; Tor hidden service
Victim negotiation portal | Tor portal with company financials, browsable file explorer of stolen data, Bitcoin payment tab, and live chat with operators
Affiliate management panel | Target creation, Storage Software distribution, disclosures, mailing list, payment processing
"Insider" journalist portal | Grants registered media outlets ~24-hour advance access to stolen data before public release; homepage displays mastheads of international newspapers and invites journalists to register for "early access to insights and disclosures"
Analytical note: The journalist "Insider" portal is the operation's signature innovation. By manufacturing media interest, World Leaks converts a single data-theft event into multi-audience pressure (reputational, regulatory, competitive), approximating multi-layer extortion without deploying a locker.
Connected Operations

Halcyon reports a confirmed partnership in which the Secp0 ransomware group published victims through World Leaks' shared leak-site infrastructure (CREDIBLE, single-vendor). Separately, Group-IB observed that the Hunters International clear-net domain (huntersinternational[.]su) resided on the same bulletproof host (AS214822) as the INC and Lynx blog domains, but could not establish a link (INCONCLUSIVE / intelligence gap).

04  Technical Profile

Initial Access
  • Compromised VPN credentials without MFA (primary vector per incident-response reporting).
  • End-of-life SonicWall SMA 100 exploitation via the UNC6148 campaign, deploying the OVERSTEP user-mode rootkit (boot-process modification, LD_PRELOAD abuse, credential and OTP-seed theft). Victims subsequently appeared on the World Leaks DLS.
  • Infostealer-sourced credentials (~35% of World Leaks victims show associated domain infostealer indicators per ransomware.live), RDP brute-forcing, and targeted phishing.
CVEs Associated with the UNC6148 / World Leaks Access Chain
Attribution caveat: These CVEs are tied to the UNC6148 SonicWall campaign whose victims surfaced on the World Leaks DLS, not to a World Leaks-branded exploit toolkit. CVSS values verified against NVD.
CVE | Product | CVSS | Type
CVE-2024-38475 | Apache HTTP Server (mod_rewrite) | 9.1 | Path traversal (enabled SonicWall SMA DB exfiltration)
CVE-2021-20038 | SonicWall SMA 100 | 9.8 | Unauthenticated RCE (memory corruption)
CVE-2021-20035 | SonicWall SMA 100 | 7.2 / 9.8 (revised) | Authenticated RCE (command injection)
CVE-2021-20039 | SonicWall SMA 100 | 7.2 | Authenticated RCE (command injection)
CVE-2025-32819 | SonicWall SMA 100 | 8.8 | Authenticated file deletion / credential reset
Exfiltration Tooling

World Leaks' custom "Storage Software" indexes file metadata and transmits it over TLS to a Tor onion service (default host observed by Group-IB: hunters55…[.]onion), using a SOCKSv5 proxy. Critically, exfiltrated files remain on the affiliate-controlled host; only metadata is sent to the platform, reducing central forensic exposure. Cloud storage (notably MEGA) is also used. Terabyte-scale theft is documented (the Nike incident: ~1.4 TB / ~189,000 files).
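One way a defender can operationalise the two-channel pattern described above (a small metadata stream to a Tor onion service through a SOCKS5 proxy, bulk data to cloud storage such as MEGA), as an added example that is not code from the profile or from any vendor: it parses constructed host-egress records and raises one finding per host for each channel. The log format, the process names, the MEGA domain list and the 10 GiB threshold are all assumptions.

```python
# Added example: flags the two-channel egress pattern attributed to Storage Software
# (small metadata stream to a Tor onion service over SOCKS5, bulk data to cloud storage).
# Log format, process names, MEGA domain list and threshold are all assumptions.
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (not real telemetry); one line per egress session.
SAMPLE_LOG = """\
2026-06-02T10:14:03Z host=WS-117 proc=svc-upload.exe proto=socks5 dst=kq3x7abcdefghijk.onion:443 bytes_out=18213
2026-06-02T10:14:05Z host=WS-117 proc=svc-upload.exe proto=tls dst=mega.co.nz:443 bytes_out=7340032000
2026-06-02T10:20:41Z host=WS-117 proc=svc-upload.exe proto=tls dst=mega.co.nz:443 bytes_out=5368709120
2026-06-02T10:21:00Z host=WS-042 proc=chrome.exe proto=tls dst=www.example.com:443 bytes_out=4096
2026-06-02T10:22:10Z host=WS-042 proc=chrome.exe proto=tls dst=mega.nz:443 bytes_out=2097152
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) proto=(?P<proto>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+) bytes_out=(?P<bytes>\d+)$"
)
MEGA_DOMAINS = ("mega.nz", "mega.co.nz")  # assumption: suffix-matched
BULK_THRESHOLD = 10 * 1024 ** 3           # assumption: 10 GiB per host per log window

@dataclass
class Event:
    ts: str
    host: str
    proc: str
    proto: str
    dst: str
    port: int
    bytes_out: int

@dataclass
class Finding:
    host: str
    kind: str      # "tor_metadata_channel" or "bulk_cloud_upload"
    detail: str

def parse(text: str) -> list[Event]:
    """Parse the constructed format; malformed lines are skipped, never raised on."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append(Event(d["ts"], d["host"], d["proc"], d["proto"],
                                d["dst"], int(d["port"]), int(d["bytes"])))
    return events

def is_mega(dst: str) -> bool:
    return any(dst == dom or dst.endswith("." + dom) for dom in MEGA_DOMAINS)

def detect(events: list[Event]) -> list[Finding]:
    """One finding per host per channel: Tor metadata session first, then bulk cloud upload."""
    findings: list[Finding] = []
    uploaded: dict[str, int] = defaultdict(int)
    seen_tor: set[str] = set()
    for ev in events:
        # Metadata channel: a session whose destination is an onion name.
        if ev.dst.endswith(".onion") and ev.host not in seen_tor:
            seen_tor.add(ev.host)
            findings.append(Finding(ev.host, "tor_metadata_channel",
                                    f"{ev.proc} {ev.proto} -> {ev.dst}:{ev.port}"))
        # Bulk channel: accumulate outbound bytes to MEGA per host.
        if is_mega(ev.dst):
            uploaded[ev.host] += ev.bytes_out
    for host, total in uploaded.items():
        if total >= BULK_THRESHOLD:
            findings.append(Finding(host, "bulk_cloud_upload", f"{total / 1024 ** 3:.1f} GiB to MEGA"))
    return findings
```

Run `detect(parse(SAMPLE_LOG))` to see WS-117 raised on both channels while WS-042's small MEGA upload stays below the threshold.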

Encryption (Legacy / Selective)

The Hunters International locker was multi-platform (Windows, Linux, FreeBSD, SunOS, ESXi; x64/x86/ARM), used AES-128 with a per-file random key (key appended to the file), and deleted Volume Shadow Copies. Early variants appended .LOCKED and dropped a Contact Us.txt note; later versions dropped no ransom note and appended no extension (a design choice shared with LockBit 4 and Lynx).

CONFIRMED, encryption not fully retired: Darktrace documented a World Leaks-linked compromise that culminated in data encryption, demonstrating that some affiliates or toolchains still deploy lockers under the World Leaks banner despite the "extortion-only" marketing.
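An added hunting example, not from the profile or any vendor tool, built on the locker artefacts described above: it matches the early-variant .LOCKED extension and Contact Us.txt note and, because later builds change neither name nor extension, falls back to sampling file entropy. The entropy threshold, sample size, skip-list and the constructed demo tree are assumptions, not published figures.

```python
# Added hunting example (not from the profile or any vendor tool) for the locker artefacts
# above: the early-variant .LOCKED extension and Contact Us.txt note, plus an entropy
# fallback for later builds that change neither name nor extension. Threshold, sample size,
# skip-list and the constructed demo tree are assumptions, not published figures.
from __future__ import annotations

import math
import os
import pathlib
import tempfile
from collections import Counter
from dataclasses import dataclass, field

LOCKED_EXT = ".LOCKED"        # documented early-variant extension
NOTE_NAME = "Contact Us.txt"  # documented early-variant ransom note
ENTROPY_THRESHOLD = 7.5       # assumption: bits/byte at or above which content looks encrypted
SAMPLE_BYTES = 65536          # assumption: only the head of each file is sampled
MIN_SIZE = 4096               # assumption: tiny files give noisy entropy and are skipped
# Compressed and zip-based Office formats are legitimately high-entropy: skip to cut false positives.
SKIP_EXTS = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4", ".pdf", ".docx", ".xlsx", ".pptx"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; 8.0 means every byte value is equally likely."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

@dataclass
class HuntResult:
    locked_files: list[str] = field(default_factory=list)
    ransom_notes: list[str] = field(default_factory=list)
    high_entropy: list[tuple[str, float]] = field(default_factory=list)  # (path, bits/byte)

def hunt(root: str) -> HuntResult:
    """Walk root and collect the three indicator classes."""
    result = HuntResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                result.ransom_notes.append(path)
            elif name.endswith(LOCKED_EXT):
                result.locked_files.append(path)
            elif os.path.splitext(name)[1].lower() not in SKIP_EXTS:
                # The extension-less variant leaves nothing to match on, so sample the content.
                try:
                    if os.path.getsize(path) < MIN_SIZE:
                        continue
                    with open(path, "rb") as fh:
                        ent = shannon_entropy(fh.read(SAMPLE_BYTES))
                except OSError:
                    continue  # unreadable file: skip rather than abort the sweep
                if ent >= ENTROPY_THRESHOLD:
                    result.high_entropy.append((path, round(ent, 2)))
    return result

def build_demo_tree(base: str) -> None:
    """Constructed sample tree: one file per indicator class plus one benign file."""
    p = pathlib.Path(base)
    (p / "report.docx.LOCKED").write_bytes(os.urandom(8192))           # early variant: extension
    (p / NOTE_NAME).write_text("constructed placeholder note\n")        # early variant: note
    (p / "budget.csv").write_bytes(os.urandom(SAMPLE_BYTES))            # later variant: name untouched
    (p / "notes.txt").write_text("quarterly planning minutes\n" * 400)  # benign, low entropy

def demo() -> HuntResult:
    """Run the hunt over the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return hunt(tmp)
```

Point `hunt()` at a real share and treat the entropy hits as leads to triage, since any encrypted or compressed format outside the skip-list will also score high.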
CIS / Geographic Exclusion Behavior
Credible, explicit prohibition published; enforcement inconsistent

On 2 February 2024, Hunters International published a statement (in Russian) prohibiting attacks on Israel, Turkey, the entire Far East, and CIS nations. Group-IB noted the group nonetheless listed victims from China, Turkey, Singapore, and Japan, indicating the policy was loosely enforced. No Russia/CIS victims are documented in open-source databases, consistent with a Russian-language safe-harbor posture (ANALYST INFERENCE for the underlying motive).

05  Targeting

Sector Distribution (World Leaks, ransomware.live, mid-2026)
Sector | Approx. victims | Notes
Healthcare | ~31 | Largest single sector; consistent with 2024 ecosystem shift toward healthcare
Manufacturing | ~24
Business Services | ~21
Technology, Consumer Services, Energy/Utilities | Significant | Demonstrated capability vs defense contractors and Fortune 500 entities (Halcyon)

Figures are approximate and reflect leak-site claims aggregated by ransomware.live; they are not independently confirmed victim counts.

Geographic Distribution (World Leaks)
Country | Approx. victims
United States | ~90 (majority)
United Kingdom | ~10
Germany | ~8
Canada, Belgium, India, others | Remainder

No CIS-region victims are documented. United States entities dominate the victim set, consistent with Hunters International's prior global-but-Western-weighted footprint.

Selection Model

Primarily opportunistic, driven by available initial access (exposed VPN/RDP, end-of-life SonicWall appliances, infostealer logs) rather than deliberate sector pre-selection. Targets storing regulated data (GDPR, HIPAA, state breach laws) are favored because regulatory exposure increases willingness to pay (ANALYST INFERENCE supported by Halcyon target-selection analysis).

06  Victim Data

  • World Leaks leak-site victims: ~167 (ransomware.live, June 2026)
  • Hunters Intl victims: ~280–300 (Oct 2023 – Jul 2025)
  • Nike breach volume: ~1.4 TB, ~189,000 files (Jan 2026 claim)
  • Infostealer indicator rate: ~35% of WL victims with domain infostealer indicators
Notable Victims
Victim | Brand | Sector | Date | Notes
Nike | World Leaks | Consumer / Apparel | Jan 2026 claim | ~1.4 TB / ~189,000 files (design, manufacturing, pricing, factory audits); no customer PII identified as of Feb 2026. Nike had not confirmed scope.
Dell | World Leaks | Technology | Jul 2025 | Data-theft claim attributed to World Leaks
Fred Hutchinson Cancer Center | Hunters Intl | Healthcare | 2023–2024 | Prominent Seattle cancer center; weaponized patient data
U.S. Marshals Service | Hunters Intl | Government | 2024 | Claimed on Hunters International DLS
Data-handling note: Leak-site "victim" claims include organizations that may have experienced data theft only (no encryption) and, in some cases, disputed or unverified claims. Victim counts should be read as claimed listings, not confirmed compromises.
07  Financial Profile

Payment Model

World Leaks demands payment in Bitcoin, using a freshly generated wallet address per victim with no prior transaction history, displayed in the victim negotiation portal alongside a live chat. Demands are framed as payment to prevent data publication rather than for decryption. No published average-demand range, discount statistics, or payment deadlines exist for World Leaks or Hunters International in open source (intelligence gap).

On-Chain Analysis: Intelligence Gap
Analyst Inference, no vendor on-chain deep-dive published for World Leaks

As of June 2026, no dedicated TRM Labs, Chainalysis, or Elliptic on-chain report focused on World Leaks or Hunters International was identified. No wallet-cluster, laundering-phase, or revenue figure has been published for this cluster, in sharp contrast to peers such as Akira and LockBit. The Hive predecessor was assessed by DOJ as having attempted to extort over $130 million and to have collected an estimated ~$100 million before the January 2023 takedown.

Leverage implication: The per-victim fresh-wallet model and the absence of published cash-out mapping reduce current on-chain visibility. This is itself a collection priority: World Leaks is under-mapped relative to its activity level, and a vendor on-chain study would materially improve disruption options.
Sanctions Posture

No OFAC designation names Hunters International or World Leaks as of June 2026 (CONFIRMED, open-source negative). Some reporting links the November 2024 closure decision to anticipated sanctions and law-enforcement pressure on Russian ransomware operations, but no specific designation is documented.

08  Attribution & Nexus

Assessed Jurisdiction
Credible, Russian-speaking ecosystem; CIS / Russia safe-harbor dynamics

Evidence basis: Russian-language affiliate-panel posts and operator statements (Group-IB); underground-forum references to the group as "хайв" (Hive); the published prohibition on attacking CIS nations; and the absence of CIS-region victims. The Hive predecessor operated within the Russian-language RaaS ecosystem. No contradicting evidence appears in open source.

Russian Intelligence Services Nexus
Analyst Inference, no confirmed direct RIS tasking or control

No publicly available evidence indicates that Hive, Hunters International, or World Leaks operate under the tasking or control of the FSB, SVR, or GRU. The operation is most consistent with financially motivated cybercrime adapting tactics to reduce law-enforcement exposure, operating under informal Russian/CIS safe-harbor expectations rather than as a state-directed unit. Any claimed intelligence ties should be treated as speculative pending source-level intelligence.

Arrests and Named Individuals
As of June 2026: No indictments, OFAC sanctions, or criminal charges have been publicly filed against any named member of Hunters International or World Leaks. Core operators have maintained anonymity across three organizational identities (Hive, Hunters International, World Leaks) despite the FBI's 2022 infiltration of the Hive predecessor.
09  Disruption History & Known Vulnerabilities

Hive Takedown (January 2023)

The principal law-enforcement milestone underpinning this lineage. The FBI covertly infiltrated Hive's infrastructure in July 2022 and, over roughly six months, captured and distributed more than 1,300 decryption keys to victims, thwarting an estimated $130 million in ransom demands. On 26 January 2023, DOJ and international partners seized Hive's Tor payment and leak sites (including two Los Angeles servers). Hive had breached more than 1,300–1,500 organizations across 80+ countries and operated with roughly 250 affiliates. The takedown did not result in arrests of the core operators, who are assessed to have re-emerged as Hunters International.

Hunters International "Shutdown" & Free Decryptors (July 2025)

Hunters International announced closure on 4 July 2025 and offered free decryption software to past victims, framed as goodwill. Recorded Future News reported that incident responders generally regard the decryptor as poorly designed, and the offer's practical value is unclear. The group had first announced closure in November 2024 but did not follow through, instead standing up World Leaks. The "shutdown" is best read as a managed rebrand, not a disbandment.

Decryptor status: No verified, broadly usable Hunters International / Hive-successor decryptor is catalogued on No More Ransom for current variants as of June 2026. World Leaks' data-only model makes decryptors largely irrelevant; mitigation centers on incident response, breach management, and containment.
No Action Against World Leaks
Confirmed, zero law-enforcement disruption events against World Leaks as of June 2026

No infrastructure seizure, indictment, or sanction has targeted the World Leaks platform. Reported downtime has been attributed to technical bugs and early infrastructure instability rather than to law-enforcement action.

Operational Vulnerabilities
  • Access dependency: Heavy reliance on end-of-life SonicWall SMA 100 appliances (UNC6148) and unpatched VPNs creates a defensible choke point; patching and decommissioning EOL appliances directly degrades the access pipeline.
  • Affiliate-hosted data: The Storage Software model keeps exfiltrated data on affiliate-controlled hosts, creating distributed, individually seizable evidence rather than a single central store.
  • Under-mapped finances: The absence of vendor on-chain analysis is a gap that, if closed, would expose cash-out infrastructure and enable financial-pressure options.
10  Status & Trajectory

Active. World Leaks continued posting victims into mid-2026 (recent listings May–June 2026 per Halcyon and ransomware.live), including the high-profile Nike claim (January 2026). The Hunters International brand is dormant following its July 2025 closure.
  • WL leak-site victims: ~167 (June 2026)
  • Operational tempo: Moderate (outside Halcyon top-29 most active)
  • Model shift: Data-only (encryption selectively retained)
  • Rebrand count: 3 (Hive, Hunters, World Leaks)
Trajectory Assessment
Analyst Inference, continued data-extortion operations; further rebranding plausible

The cluster has repeatedly survived law-enforcement pressure by rebranding (Hive → Hunters International → World Leaks) rather than disbanding. The shift to data-only extortion, the journalist "Insider" portal, and the per-victim fresh-wallet model collectively reduce both encryption-related legal exposure and on-chain visibility. Expect continued operation under the World Leaks brand, with a credible possibility of a future rebrand if pressure increases.

CREDIBLE, Secp0 partnership: Halcyon reports Secp0 published victims via World Leaks' shared infrastructure (single-vendor, not corroborated by a second vendor).
ANALYST INFERENCE, INC / Lynx infrastructure adjacency: Group-IB observed the Hunters clear-net domain on the same bulletproof AS (AS214822) as INC and Lynx blog domains but explicitly could not establish a link. Treat as unconfirmed co-location, not a group relationship. Neither Mandiant nor Recorded Future has published a formal cluster assessment.


Sources

Primary Vendor & Government Sources
[1] Group-IB, "The beginning of the end: the story of Hunters International", group-ib.com
[2] U.S. DOJ, "U.S. Department of Justice Disrupts Hive Ransomware Variant" (Jan 2023), justice.gov
[3] FBI, Director Wray remarks on the disruption of the Hive ransomware group, fbi.gov
[4] Google Threat Intelligence Group, "Ongoing SonicWall SMA Exploitation Campaign using the OVERSTEP Backdoor" (UNC6148, Jul 2025), cloud.google.com
Threat Intelligence & Reporting
[5] The Record (Recorded Future News), "Hunters International ransomware group claims to be shutting down", therecord.media
[6] BleepingComputer, "New Hunters International ransomware possible rebrand of Hive" (Oct 2023), bleepingcomputer.com
[7] SecurityWeek, "Hunters International Shuts Down, Offers Free Decryptors as It Morphs Into World Leaks", securityweek.com
[8] Halcyon Ransomware Research Center, "World Leaks" threat actor profile, halcyon.ai
[9] Darktrace, "When Reality Diverges from the Playbook: Darktrace Identifies Encryption in a World Leaks Ransomware Attack", darktrace.com
[10] Acronis TRU, "Hunters International: New ransomware based on Hive source code", acronis.com
[11] The Register, "Hunters International said ransomware now 'too risky'" (Apr 2025), theregister.com
[12] ICSSTRIVE, "World Leaks, formerly Hunters International", icsstrive.com
Incident-Specific & Victim Data
[13] Hackread, "Nike Data Breach Claims Surface as WorldLeaks Leaks 1.4TB of Files Online", hackread.com
[14] The Register, "Data thieves claim they stole 1.4 TB from Nike" (Jan 2026), theregister.com
[15] SecurityAffairs, "Hunters International ransomware gang shuts down and offers free decryption keys", securityaffairs.com
[16] ransomware.live, World Leaks group tracker (accessed Jun 2026), ransomware.live
[17] NVD, CVE-2024-38475, CVE-2021-20038, CVE-2021-20035, CVE-2021-20039, CVE-2025-32819 (CVSS verified), nvd.nist.gov