MOXFIVE Threat Actor Spotlight - World Leaks

Every month, we take a look at a current ransomware threat actor.

July 8, 2025

World Leaks

In January 2025, a new data extortion group known as World Leaks emerged, operating under a single-extortion model focused on data theft and public exposure, without the use of file encryption. The group is believed to be a rebrand of Hunters International, based on observed overlaps in infrastructure, tooling, and operational timing. The two leak sites share nearly identical layouts, file explorer interfaces, and news sections. Figure 1 shows the leak site currently used by World Leaks.

Hunters International first appeared in late 2023 and operated under a traditional Ransomware-as-a-Service (RaaS) model prior to announcing its shutdown in November 2024, citing increased law enforcement pressure and declining profitability. In July 2025, the group confirmed it had ceased operations and stated that it would provide free decryptors to past victims.

While most ransomware groups continue to deploy encryption during attacks, a small number have experimented with extortion-only operations. World Leaks reflects this approach, focusing solely on data theft and public exposure through an affiliate-based model.

Similar models have been used by groups like RansomHouse, which also operate extortion platforms without a consistent encryption component. By removing encryption from its operations, World Leaks lowers technical complexity and enables affiliates to move quickly against organizations with exposed entry points.  

Figure 1: World Leaks data leak site.

World Leaks has maintained a steady cadence of activity in recent months. MOXFIVE was engaged in several instances involving the group and continues to monitor their operations.

Key Highlights

Industry Insights: Most victims posted to the World Leaks leak site fall within the Healthcare, Manufacturing & Production, and Retail & Hospitality sectors. Additional organizations from other industries have also been listed, likely reflecting opportunistic targeting by affiliates leveraging the extortion platform.

Global Insights: The victims impacted have spanned several countries, with approximately 50% located in the United States. Victims have also been reported in Canada and multiple countries across Europe. 

Extortion and Exfiltration: World Leaks operates under a single-extortion model that focuses exclusively on the theft and threatened exposure of sensitive data. Affiliates are provided with a custom-built exfiltration tool that automates the process of locating and extracting files from compromised environments. The stolen data is used to pressure victims into ransom negotiations. In cases where victims refuse to pay, the group will escalate by publishing stolen data to their leak site.

Graph showing the top 5 industries impacted by World Leaks - Healthcare, Manufacturing, Retail & Hospitality, Construction & Engineering, and Energy.

Initial Access: World Leaks activity has only recently emerged, and details surrounding initial access in confirmed cases remain limited in public and private reporting. Based on MOXFIVE observations, affiliates using the extortion-as-a-service platform are following current access trends seen across the broader threat landscape. The most common method observed involves the use of valid credentials to access VPN infrastructure, often in environments where multifactor authentication is misconfigured or not enforced.
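A defender-side check for the access pattern described above, as an added example that is not MOXFIVE's tooling: it scans VPN authentication events and reports sessions that reached an established tunnel without a successful MFA step. The key=value log format, the event and field names, and the sample events are assumptions constructed for illustration.

```python
"""Flag VPN sessions that were established without a successful MFA step.

The log format below is constructed for this example (key=value pairs);
map the field names to whatever your VPN gateway or IdP actually emits.
"""
from collections import defaultdict

# Constructed sample events, not taken from any real environment.
SAMPLE_LOG = """\
ts=2025-07-01T08:02:11Z event=password_ok user=asmith src=198.51.100.7 session=a1
ts=2025-07-01T08:02:19Z event=mfa_ok user=asmith src=198.51.100.7 session=a1
ts=2025-07-01T08:02:20Z event=tunnel_up user=asmith src=198.51.100.7 session=a1
ts=2025-07-01T09:40:03Z event=password_ok user=svc_backup src=203.0.113.50 session=b2
ts=2025-07-01T09:40:04Z event=tunnel_up user=svc_backup src=203.0.113.50 session=b2
ts=2025-07-01T10:15:30Z event=password_ok user=jdoe src=203.0.113.77 session=c3
ts=2025-07-01T10:15:41Z event=mfa_fail user=jdoe src=203.0.113.77 session=c3
ts=2025-07-01T10:15:42Z event=tunnel_up user=jdoe src=203.0.113.77 session=c3
ts=2025-07-01T11:00:00Z event=password_ok user=mlee src=192.0.2.9 session=d4
ts=2025-07-01T11:00:09Z event=mfa_fail user=mlee src=192.0.2.9 session=d4
"""


def parse_line(line):
    """Split one 'key=value key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def sessions_without_mfa(log_text):
    """Return tunnel_up events whose session never logged mfa_ok beforehand."""
    seen = defaultdict(set)  # session id -> event names seen so far
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        events = seen[rec["session"]]
        if rec["event"] == "tunnel_up" and "mfa_ok" not in events:
            # Distinguish a policy gap (never prompted) from a failed
            # challenge that the gateway did not enforce.
            reason = ("mfa_failed_not_enforced" if "mfa_fail" in events
                      else "mfa_never_prompted")
            findings.append((rec["user"], rec["src"], rec["ts"], reason))
        events.add(rec["event"])
    return findings


if __name__ == "__main__":
    for user, src, ts, reason in sessions_without_mfa(SAMPLE_LOG):
        print(f"{ts} {user} from {src}: {reason}")
```

Accounts that show up as never prompted are typically covered by an MFA exemption or a legacy authentication profile, which is the misconfiguration the paragraph above refers to.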

If you would like to know more or need assistance with incident response efforts, please contact us at 833-568-6695 or email our team at incident@moxfive.com.