Cybersecurity researchers have unveiled details about a new hacking group, FunkSec, which specializes in developing AI-driven ransomware. Emerging in late 2024, the group has already claimed over 85 victims.
FunkSec employs a double extortion tactic, combining data theft with encryption to pressure victims into paying ransoms. According to Check Point, the group’s ransom demands have sometimes been as low as $10,000—relatively modest by ransomware standards—while stolen data is sold to third parties at discounted rates.
In December 2024, FunkSec launched its own data leak site, serving as a centralized platform for its operations. In addition to breach announcements, the site offers tools for conducting DDoS attacks and proprietary software as part of its ransomware-as-a-service (RaaS) model.
Most of FunkSec’s victims are located in the United States, India, Italy, Brazil, Israel, Spain, and Mongolia. Analysis suggests that the group likely consists of newcomers seeking notoriety by repurposing data from hacktivist-linked breaches. Some members have prior experience in hacktivism, highlighting the blurred lines between hacktivist activity and cybercrime.
The group has declared the United States and India as its targets while expressing support for the “Free Palestine” movement, and has attempted to associate itself with defunct hacktivist groups such as Ghost Algeria and Cyb3r Fl00d. Key members of FunkSec include:
- Scorpion (DesertStorm): An alleged member from Algeria, promoting the group on forums like Breached.
- El_farado: The group’s main representative following DesertStorm’s account ban.
- XTN: A member responsible for “data sorting” services.
- Blako: Referenced by DesertStorm and El_farado.
- Bjorka: A well-known Indonesian hacktivist whose name has been used to publish leaks on behalf of FunkSec.
The group’s hacktivist involvement is evidenced by its arsenal of tools for DDoS attacks, remote desktop control (JQRAXY_HVNC), and password generation (funkgenerate).
FunkSec’s tools, including its ransomware, are believed to have been developed with the help of artificial intelligence, enabling rapid refinement despite the developers’ limited technical expertise. The latest version, FunkSec V1.5, written in Rust, was uploaded to VirusTotal from Algeria.
The ransomware encrypts files on victims’ devices after disabling security mechanisms, deleting backups, and terminating specific processes.
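Added example, not code from the article or from Check Point's analysis: a small Python detector that flags a host when the pre-encryption behaviours described above (security tooling disabled, backups deleted, processes terminated) show up in its process-creation logs within a short window. The log format, the sample lines and the command-line indicators are constructed assumptions, not indicators attributed to FunkSec.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation log lines (not from the article or any real incident).
# Assumed format: "<ISO timestamp> host=<name> user=<user> cmd=<command line>"
SAMPLE_LOGS = """\
2025-01-10T09:00:01 host=ws-07 user=alice cmd=notepad.exe C:\\docs\\notes.txt
2025-01-10T09:02:13 host=ws-07 user=alice cmd=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2025-01-10T09:02:40 host=ws-07 user=alice cmd=vssadmin.exe delete shadows /all /quiet
2025-01-10T09:02:58 host=ws-07 user=alice cmd=taskkill.exe /F /IM sqlservr.exe
2025-01-10T09:03:10 host=ws-07 user=alice cmd=taskkill.exe /F /IM outlook.exe
2025-01-10T11:30:00 host=ws-12 user=bob cmd=vssadmin.exe list shadows
2025-01-10T14:00:00 host=ws-12 user=bob cmd=taskkill.exe /F /IM chrome.exe
"""

# Assumed indicators for the three pre-encryption stages; matched case-insensitively on the command line.
STAGE_PATTERNS = {
    "disable_security": re.compile(r"Set-MpPreference\s+-Disable|netsh .*firewall .*off", re.I),
    "delete_backups": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wbadmin(?:\.exe)?\s+delete", re.I),
    "kill_processes": re.compile(r"taskkill(?:\.exe)?\s+.*?/IM\s+\S+", re.I),
}

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

def parse(lines):
    for raw in lines.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["cmd"]

def find_pre_encryption_hosts(log_text, window_minutes=10, min_stages=2):
    """Return {host: sorted stage names} for hosts on which at least min_stages
    distinct stages occur within window_minutes of each other."""
    events = defaultdict(list)  # host -> [(timestamp, stage)]
    for ts, host, cmd in parse(log_text):
        for stage, pat in STAGE_PATTERNS.items():
            if pat.search(cmd):
                events[host].append((ts, stage))
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # slide the window from each event
            stages = {s for t, s in evs[i:] if t - start <= window}
            if len(stages) >= min_stages:
                flagged[host] = sorted(stages)
                break
    return flagged
```

A single matching command (such as the lone taskkill on ws-12) is not flagged; only the combination of stages close together in time is, which keeps the rule quiet on routine administration.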
Experts note that 2024 was a prolific year for ransomware groups, with global conflicts fueling hacktivist activity. By combining political motives with financial incentives, FunkSec leverages AI and older data leaks to build its brand. However, the actual success of its operations remains uncertain.