Hunters International: Ransomware Out, Data Theft In

The ransomware group Hunters International has announced the cessation of its operations in their previous form. According to cybersecurity firm Group-IB, members of the syndicate deemed the data encryption model unprofitable, high-risk, and largely ineffective. Instead, they are shifting to a new scheme—extortion based solely on data theft.

Experts believe that the group’s key operatives are already preparing a spinoff focused exclusively on blackmail without the use of encryption malware. An internal message circulated within the group in November declared the project’s closure and the beginning of a rebranding effort under the name World Leaks. A new World Leaks website appeared on the dark web on January 1, with its primary aim being the exfiltration of sensitive information for maximum gain—from both victims and interested third parties.

Hunters International had previously targeted prominent entities such as Tata Technologies, the London branch of ICBC, and a cosmetic surgery clinic in Beverly Hills. However, the shift in tactics is driven not only by diminishing profits. In a message to affiliates, the group emphasized that states are increasingly treating ransomware-based extortion as a form of terrorism, and countries failing to act against such crimes risk being labeled as sponsors of terrorism.

Despite the formal declaration of dissolution, contradictory reports emerged weeks later suggesting that Hunters International may still be operational. This has sparked speculation about internal fragmentation or deliberate misinformation. Nevertheless, the launch of the World Leaks site and the technical documentation of its new toolkit reinforce the group’s transition to a different operational model.

World Leaks invites affiliates to use custom software for data theft, which connects to a management panel via proxy servers. The malicious payloads are distributed by the group’s partners, and the proceeds are split between the affiliates and the developers overseeing the infrastructure.

If the abandonment of ransomware indeed materializes, Hunters International will join the ranks of groups like Karakurt and BianLian, which have already transitioned to pure extortion. This shift indicates that global efforts to combat ransomware are gradually bearing fruit.

Although the overall number of such transitions remains modest, the trend is unmistakable. New groups are emerging with a native focus on data theft alone, such as Mad Liberator. Still, it would be premature to declare ransomware obsolete as a revenue stream.

Nonetheless, increasing law enforcement scrutiny and the introduction of new legislation are making traditional ransomware tactics increasingly perilous. As a result, more cybercriminals are seeking subtler—but equally lucrative—methods of profiting from stolen data.