What Is World Leaks?

World Leaks is a cyber extortion operation that steals sensitive data from organizations and threatens to leak it via the dark web if a ransom is not paid.

Hang on - Isn't That Just Ransomware by Another Name?

Well, you can think of it like that if you want - but traditional ransomware attacks involve two things: stealing and encrypting your data, followed by demands for payments to be made to prevent the publication of the stolen information.

World Leaks, however, focuses exclusively on the theft and threat to expose sensitive data - without the use of encryption. It appears that the group has decided that pure extortion is more profitable (and less risky) than deploying traditional file-encrypting ransomware.

But Won't There be Less Incentive for Hacked Companies to Pay if They Can Still Access Their Data?

For some companies, it is undoubtedly the case that the pressure to pay is greater if their files are encrypted and their business is paralyzed.

If your systems are still running and your data remains accessible, the question really becomes just how damaging would publication actually be? The answer to that varies enormously, depending on what was stolen.

For healthcare providers, law firms, and financial institutions who may have had highly sensitive customer data stolen the consequences of a leak could be huge - especially when you consider the possible regulatory consequences and damage to reputation.

So How Long Has World Leaks Been Around, and How Does It Operate?

The group officially emerged in January 2025, reportedly splintering from the Hunters international ransomware operation after it declared the ransomware business "too risky and unprofitable".

World Leaks offers an "Extortion-as-a-Service" (EaaS) platform to its so-called "affiliates" who use a custom-built data exfiltration tool to steal from networks.

Data thefts are announced on a dark web leak site, while a negotiation portal for victims offers live chat facilities. 

 Meanwhile, World Leaks even appears to offer journalists their own "insider" platform for breaking news of hacks.

An "Insider" Platform for Journalists?

Yes, World Leaks seems to offer reporters early access to stolen data before victims have even had a chance to respond publicly to extortion demands.

It seems World Leaks views the threat of media coverage as a way of applying significantly more pressure on its victims during ransom negotiations.

Sheesh. So How Does World Leaks Break Into Corporate Networks?

The most commonly-observed method involves accessing VPN infrastructure via valid credentials - often when organizations have not enforced or not properly configured multi-factor authentication (MFA). The group has also exploited known vulnerabilities and used targeted phishing to gain initial access to corporate systems.

So How Big a Threat Is World Leaks? Who Has been Hit?

Since January 2025, World Leaks has claimed over 130 victims. These include Nike, UBS, and Dell. Most recently, World Leaks listed the City of Los Angeles as a victim, claiming it stole 160GB of data, including police interview transcripts and records.

What Should My Business Do to Protect Itself?

Here are some tips on what you can do to protect your organization from groups like World Leaks:

• Make sure you enforce MFA on all VPNs and remote access systems. You should use phishing-resistant MFA where possible (for instance FIDO2, passkeys)
• Keep all internet-facing systems fully patched, especially VPNs and remote access tools, and replace any out-of-date or no-longer-supported devices that could be exploited.
• Data loss prevention tools can spot unusually large data transfers.
• Segment your network so that if attackers do manage to get in, they will find it difficult to move around.
• Train staff to recognize and report suspicious communications and phishing emails

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.