
DragonForce Ransomware: Threat Actor Profile

Executive Summary

DragonForce has evolved from a volume-focused ransomware operation into the dominant cartel infrastructure of the 2025–2026 cycle. Affiliate enrolment is now open to public registration. The platform encompasses locker tooling for Windows, ESXi, BSD, and NAS environments; an integrated access broker marketplace; a commercialised data analysis service; and the capacity to host other ransomware operations under its infrastructure. Since the collapse of RansomHub in April 2025, DragonForce has positioned itself as the primary continuity option for displaced affiliates — the closest thing the ransomware economy currently has to a consolidated service platform. This profile covers the group’s structure, platform model, and two named incidents that illustrate how that structure operates in practice.

Threat Actor Profile: Who is DragonForce?

DragonForce represents a rare case of “hacktivist graduation.” Originally identified in 2021 as DragonForce Malaysia, the collective initially focused on ideologically motivated defacements and DDoS attacks.

The Professional Transformation

By mid-2023, the group underwent a tactical pivot, transitioning from hacktivism to a profit-driven Ransomware-as-a-Service (RaaS) model. This evolution culminated in the March 2025 announcement of the DragonForce Ransomware Cartel.

Much like the collaborative “supergroups” (e.g., ShinySp1d3r, comprising elements of ShinyHunters, Scattered Spider, and LAPSUS$), DragonForce was engineered to fill the market gap left by the disruption of legacy groups like LockBit. Their current success is predicated on an exfiltration-first infrastructure rather than simple encryption.

DragonForce operational evolution: from Malaysian hacktivist collective (2021) to fully productized ransomware cartel (2025–2026).

The Intelligence Pipeline: OSINT as a Business

DragonForce does not rely on random scanning. Their model is built on targeted reconnaissance, where OSINT is used to map the organisational hierarchy before a single packet is sent.

Executive Mapping

Affiliates use professional networks (LinkedIn), corporate filings, and media appearances to identify the pressure points — C-suite, legal counsel, and Data Protection Officers — along with personal exposure data (home addresses, private emails) that can be used to increase leverage, and communication patterns that inform convincing spear-phishing or vishing scripts.

The Data Analysis Service

The most significant innovation in the 2025/2026 model is the Data Analysis Service (DAS), a dedicated back-end utility that lets affiliates exploit exfiltrated data in two ways. The first is pattern recognition: scanning stolen datasets for non-obvious strategic value, such as satellite imagery of sensitive locations or proprietary manufacturing processes. The second is dossier generation: tailored call scripts for helpdesk deception, formal demand letters to CEOs, and risk summaries detailing the specific legal consequences of the breach.

The DAS has since been formalised as a commercialised service, contracted through a partner and operating on a tiered commission structure. Three tiers apply depending on timing:

  • 0% commission — pre-attack analysis delivered as a report embedded in the ransom notice, or a direct letter to senior leadership if locker integration is not feasible.
  • 13% commission — data-only case where no encryption occurred; the analyst constructs the extortion argument from exfiltrated files alone.
  • 23% commission — applied to historical incidents where the attack concluded before DAS involvement.

A published example involved a gold mining operation whose breach included satellite imagery identifying future extraction sites, three-dimensional ore-body models, geophysical drilling data, geostatistical reserve files, AutoCAD engineering drawings, and GIS boundary data. The resulting analysis documented what each file category revealed to a competitor, a regulator, or a hostile acquirer — transforming a file theft into a structured argument about the specific commercial, legal, and geopolitical consequences of non-payment. The DAS does not require the affiliate to understand the data; it requires only that the data has been exfiltrated.

Human-Centric Exploitation: Vishing & Social Engineering

The group’s collaboration with the Scattered Spider collective has professionalised their voice-based attacks. Two documented techniques characterise this layer.

Helpdesk deception: Attackers call IT helpdesks impersonating executives or regional managers to request password resets or MFA push approvals. The call requires no technical access — only a convincing pretext and a target who does not verify caller identity through a second channel.

MFA fatigue: a push-based second factor only fires after a correct password has been entered, so this technique presupposes a credential already in hand (from phishing or exposed credential data). The attacker then triggers authentication pushes to the target's enrolled device repeatedly until the executive approves one to stop the interruptions, often attributing the prompts to a technical error, and the approval grants access to the SSO portal. OSINT-gathered phone numbers and role information identify whom to target and how to reach them if a supporting call is needed.

Both techniques exploit the gap between what a security control is designed to prevent and what a well-briefed caller can request over the phone. For a detailed analysis of how timing and personal data shape these interactions, see Social Engineering and the Timing Problem.
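The MFA-fatigue pattern above is visible in identity-provider sign-in logs before the attacker gets anywhere near a domain controller: a run of denied or unanswered pushes for one account, followed by an approval. The script below is an added example for this profile, not DragonForce tooling or any vendor's detection rule. Its log format (timestamp, user, event name, source IP) is a constructed simplification; the sample lines are likewise constructed, and the event names are placeholders to be mapped onto whatever your IdP (Entra ID, Okta, Duo) actually emits for push denial, push timeout and push approval.

```python
"""Detect MFA push-fatigue: repeated failed/unanswered pushes followed by an approval.

Added example, not DragonForce tooling or a vendor rule. Log schema is a
constructed simplification: "<ISO8601 ts> <user> <event> <source ip>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. alice receives five pushes in under three minutes,
# rejects or ignores four, then approves the fifth. bob is normal traffic
# and must not alert; alice's later approval has no preceding failures.
SAMPLE_LOG = """\
2025-04-22T08:01:10Z alice mfa_push_denied 203.0.113.7
2025-04-22T08:01:55Z alice mfa_push_denied 203.0.113.7
2025-04-22T08:02:30Z alice mfa_push_timeout 203.0.113.7
2025-04-22T08:03:05Z alice mfa_push_denied 203.0.113.7
2025-04-22T08:03:48Z alice mfa_push_approved 203.0.113.7
2025-04-22T08:03:50Z alice sso_login_success 203.0.113.7
2025-04-22T08:05:00Z bob mfa_push_approved 198.51.100.4
2025-04-22T08:05:02Z bob sso_login_success 198.51.100.4
2025-04-22T09:40:00Z alice mfa_push_approved 192.0.2.10
"""

# Placeholder event names: map these to your IdP's own result codes.
FAILED_PUSH = {"mfa_push_denied", "mfa_push_timeout"}
APPROVED_PUSH = "mfa_push_approved"


def parse_log(text):
    """Parse the constructed log format into (datetime, user, event, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, ip))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return one alert per user whenever an approval is preceded, within
    `window`, by at least `threshold` denied or timed-out pushes.

    The approval is what matters: a burst of denials alone is an annoyed
    user; denials followed by an approval is the fatigue outcome.
    """
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev[1]].append(ev)

    alerts = []
    for user, evs in per_user.items():
        evs.sort()
        recent_failed = []  # timestamps of failed pushes still inside the window
        for ts, _, event, ip in evs:
            recent_failed = [t for t in recent_failed if ts - t <= window]
            if event in FAILED_PUSH:
                recent_failed.append(ts)
            elif event == APPROVED_PUSH:
                if len(recent_failed) >= threshold:
                    alerts.append({
                        "user": user,
                        "failed_pushes": len(recent_failed),
                        "approved_at": ts.isoformat(),
                        "ip": ip,
                    })
                recent_failed = []  # the approval closes this sequence
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

The response to a hit should be to revoke the account's sessions and reset the credential, not to ask the user whether the approval was theirs: the whole point of the technique is that it was. The structural fix is to remove the "approve" button as a bare decision, by requiring number matching on push prompts or moving executives to phishing-resistant factors, at which point this detection becomes a backstop rather than the primary control.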

Core Extortion Model: The Graduated Pipeline

DragonForce transforms extortion from a binary event into a time-based pressure system. Data is staged, indexed, and analysed using the DAS before any encryption occurs. High-value files are prioritised. The victim is then onboarded into a dedicated negotiation panel with structured timers and proof-of-compromise samples.

If negotiations stall, the victim is listed in an “Upcoming Leaks” section that publishes metadata — organisation name, sector, data volume — before any files are released. Partial data dumps follow incrementally, validating threat credibility and increasing internal urgency. Full searchable datasets are released and mirrored as a final stage.

Each stage is designed to increase pressure while providing the victim the appearance of a closing window they can still act inside. The structure exploits the natural tendency to delay disclosure in the hope of a resolution that does not require it.

The DragonForce graduated pipeline. Each stage is designed to increase pressure while giving the victim the illusion of control over the timeline.

Technical Infrastructure: The RansomBay Platform

The group’s reach rests on the operational convenience of the RansomBay platform, which frames criminal infrastructure as a product.

The Productised Cartel

DragonForce provides a suite of services allowing affiliates to deploy attacks without building their own tooling: separate administrative, victim negotiation, and affiliate management panels; automated work processes; anti-DDoS protection; NTLM and Kerberos hash cracking (advertised as "decryption", but these hashes are not decrypted; the service recovers passwords by offline brute force against captured hashes); and adjustable encryption modes across locker variants. The 80/20 revenue split, with 80% going to the affiliate, is structured to attract volume. White-label payload capability allows affiliates to operate under their own branding using DragonForce infrastructure.

The RansomBay platform model: multi-tenant panels, white-label payloads, and an 80/20 affiliate split reduce the technical barrier to entry.

Platform Strategy: Infrastructure as a Service

The defining strategic shift since the March 2025 cartel announcement has been DragonForce’s move from operating as a ransomware group to positioning itself as infrastructure provider for the wider ransomware ecosystem.

The RansomHub Episode

On 1 April 2025, RansomHub — which had been among the highest-volume operations globally since its emergence in February 2024 — went dark. Affiliate access panels became unreachable. Ongoing ransom negotiations were interrupted. The last victim posts appeared on 29 March and 1 April; the infrastructure did not return.

DragonForce moved quickly to frame the disruption as a cartel recruitment moment. On the RAMP criminal forum they announced that RansomHub had decided to move to DragonForce infrastructure, and published working onion addresses for a hosted RansomHub blog and client panel running on the DragonForce platform — presenting this as a live demonstration of their “projects” system: the ability to absorb another group’s branding and operational footprint onto a shared underlying infrastructure.

The claim was contested. RansomHub’s representative publicly accused DragonForce of sabotage. Independent analysis by GuidePoint Security suggested DragonForce may have been capitalising on the disruption rather than orchestrating it. In practice, affiliate activity dispersed across multiple groups: Qilin recorded the largest measurable intake, with victim disclosures approximately doubling in April 2025. RansomHub has not re-emerged as an independent operation.

Regardless of how the transition occurred, the episode established DragonForce’s positioning: when a major RaaS operation collapses, the cartel presents itself as the continuity option. That framing is now a structural feature of how they recruit.

Open Enrolment and the Suppliers Marketplace

As of mid-2026, DragonForce operates public affiliate registration. Entry requires a Tox ID, account credentials, and a $500 verification payment in XMR or BTC, refundable after a first confirmed payout. Registered affiliates receive access to locker build tools across all supported platforms, a multi-tenant management panel, and an 80% revenue share paid directly to a specified BTC address.

Alongside open enrolment, the cartel operates a Suppliers programme: a structured marketplace for initial access brokers to sell or provision network access directly through the DragonForce platform, with payment processed via the affiliate programme. Only verified teams participate. The practical result is that a prospective affiliate with no independent access-finding capability can purchase an initial foothold in a target network and execute a full attack using tooling, infrastructure, and negotiation support supplied entirely by the cartel from a single panel.

The combination — open enrolment, integrated access brokerage, multi-platform lockers, and a commissioned data analysis service — means the technical barrier to a ransomware deployment has been deliberately reduced to a capital outlay and a decision.

Named Incidents

SINBON Electronics (Taiwan, December 2025–January 2026)

In December 2025, DragonForce conducted a multi-week intrusion into the network of SINBON Electronics, a Taiwan Stock Exchange-listed manufacturer of electronic connectors and components with operations in Taiwan and the United States, and a documented supply relationship with ASML Holding N.V. A notice subsequently appeared on the Taiwan Stock Exchange stating the attack had been quickly detected and contained, and that no data had been taken.

On 2 January 2026, DragonForce published 847 GB of exfiltrated data — approximately 650,000 files — directly contradicting the exchange disclosure. The published set included financial records, client data, internal correspondence, documentation of the ASML supply relationship, production data, and product defect reports.

The sequence illustrates a specific risk for listed companies. Where breach disclosure obligations attach to material data loss, the window between a public denial and a published dataset that refutes it now compresses to days. The gap between what was filed with the exchange and what was published becomes a secondary regulatory exposure in its own right. For organisations whose supply-chain relationships are documented in internal systems, the exposure extends to the partners named in that documentation.

Co-op UK (April 2025)

In April 2025, DragonForce affiliates breached The Co-operative Group using a social engineering vector consistent with the group’s documented helpdesk deception model: a fake IT helpdesk call to a Co-op staff member triggered a password reset, providing initial network access. From that position, attackers extracted the Windows NTDS.dit Active Directory database, which holds the password hashes for every domain account. Those hashes are encrypted with a key derived from the SYSTEM registry hive, so in practice the database is taken together with that hive; the pair allows offline cracking of every domain password, and the NTLM hashes can be used directly for pass-the-hash authentication without cracking at all.

Co-op initially stated that customer data had not been accessed. The company subsequently confirmed that the personal data of all 6.5 million Co-op members had been stolen — names, dates of birth, email addresses, telephone numbers, and home addresses. Payment card details and transaction history were not held in the affected system.

The National Cyber Security Centre and the National Crime Agency jointly assisted the response. In July 2025, the NCA arrested four individuals, three teenagers and a 20-year-old, in coordinated operations across the West Midlands and London. The same campaign is attributed to the concurrent attacks on Marks & Spencer and Harrods.

The incident is the most publicly documented example of the helpdesk social engineering methodology described under Human-Centric Exploitation above. The entry vector was a telephone call. The NTDS.dit extraction, and the access it provided to every domain account, followed from the access that single interaction granted. Organisations that invest in perimeter controls and endpoint detection without equivalent investment in identity hygiene and helpdesk verification procedures are addressing a different threat model than the one this campaign presented. See also From Gamble to Calculation for a detailed account of how credential exposure enables this class of attack.
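NTDS.dit cannot be copied while the directory service holds it open, so the extraction step has a small number of well-known shapes that show up in process-creation telemetry on the domain controller: ntdsutil's IFM export, or a volume shadow copy followed by a copy of the database and a save of the SYSTEM hive. The detector below is an added example for this profile, not DragonForce tooling or a vendor rule. Its input format (timestamp, host, user, command line) is a constructed simplification of a Sysmon Event 1 or Security 4688 record, the sample events are constructed, and the severity tiers are this example's own choice.

```python
"""Flag process-creation events consistent with NTDS.dit extraction on a DC.

Added example, not DragonForce tooling or a vendor rule. Input format is a
constructed simplification: "<ts> <host> <user> <command line>". Adapt the
parser to real Sysmon/4688 telemetry before use.
"""
import re
from collections import defaultdict

# Constructed sample. svc_backup on dc01 performs the shadow-copy route
# (shadow copy, copy ntds.dit out of it, save the SYSTEM hive). backupsvc
# runs an ntdsutil IFM export, which bundles the database and hives in one
# step. alice on a workstation is benign noise and must not appear.
SAMPLE_EVENTS = r"""
2025-04-24T02:11:03Z dc01 CORP\svc_backup C:\Windows\System32\vssadmin.exe create shadow /for=C:
2025-04-24T02:11:20Z dc01 CORP\svc_backup cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Temp\n.dit
2025-04-24T02:11:41Z dc01 CORP\svc_backup reg.exe save HKLM\SYSTEM C:\Temp\sys.hiv
2025-04-24T09:00:00Z dc01 CORP\backupsvc C:\Windows\System32\ntdsutil.exe "ac i ntds" "ifm" "create full C:\Backup\ad" q q
2025-04-24T09:30:00Z ws17 CORP\alice C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt
"""

# (rule name, command-line pattern, what the step yields)
# "ntds": the database itself; "hive": the SYSTEM hive holding the boot key;
# "prep": a shadow copy, needed to read the locked file but also used by backups.
RULES = [
    ("ntdsutil_ifm",
     re.compile(r"ntdsutil.*(ifm|create\s+full|ac\s+i\s+ntds|activate\s+instance\s+ntds)", re.I), "ntds"),
    ("shadow_copy_created",
     re.compile(r"(vssadmin.*create\s+shadow|diskshadow|wmic.*shadowcopy\s+call\s+create)", re.I), "prep"),
    ("ntds_dit_copied",
     re.compile(r"(copy|esentutl|robocopy|xcopy).*ntds\.dit", re.I), "ntds"),
    ("system_hive_saved",
     re.compile(r"reg(\.exe)?\s+save\s+hklm\\system", re.I), "hive"),
]


def parse_events(text):
    """Split each constructed record into its four fields; the command line keeps its spaces."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, user, cmd = line.split(maxsplit=3)
            events.append({"ts": ts, "host": host, "user": user, "cmd": cmd})
    return events


def classify(cmd):
    """Return every (rule name, category) whose pattern matches one command line."""
    return [(name, cat) for name, rx, cat in RULES if rx.search(cmd)]


def detect_ntds_extraction(events):
    """Correlate matches per (host, user) and grade them.

    high   : database plus boot key obtained (IFM export, or ntds.dit copy with
             a SYSTEM hive save), so offline recovery of every hash is possible.
    medium : database copied but no hive seen on this host/user.
    low    : shadow copy only; legitimate backup jobs do this too.
    """
    hits = defaultdict(list)
    for ev in events:
        for name, cat in classify(ev["cmd"]):
            hits[(ev["host"], ev["user"])].append((ev["ts"], name, cat))

    findings = {}
    for key, matched in hits.items():
        names = [n for _, n, _ in matched]
        cats = {c for _, _, c in matched}
        if "ntdsutil_ifm" in names or ("ntds" in cats and "hive" in cats):
            severity = "high"
        elif "ntds" in cats:
            severity = "medium"
        else:
            severity = "low"
        findings[key] = {"severity": severity, "rules": names}
    return findings


if __name__ == "__main__":
    for (host, user), finding in detect_ntds_extraction(parse_events(SAMPLE_EVENTS)).items():
        print(host, user, finding)
```

Two caveats for production use. First, these exact commands are also how administrators take legitimate backups and stage domain controller promotions, so the rule needs an allow-list keyed on the backup service account and its scheduled window, and anything outside that window from a freshly reset account (the Co-op entry vector) should page someone. Second, the hashes in NTDS.dit are usable the moment the file leaves the DC: the response is a staged rotation of every credential, starting with krbtgt (twice) and privileged service accounts, not a wait to see whether the cracking succeeded.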


Investigator Insight

DragonForce is growing because it has removed friction at every stage of the attack chain — not because it is noisy. Open affiliate enrolment means the barrier to entry is capital, not technical skill. The Suppliers marketplace means the attacker does not need to source their own access. The Data Analysis Service means that data without obvious immediate value can be converted into a structured extortion argument by a specialist working on commission.

The structural question for defenders is not which of these components to address first. It is whether the organisation’s security investment is calibrated to the threat model DragonForce affiliates are actually presenting — which starts with a phone call, not a CVE. For a broader analysis of the market that supports operations like these, see The Silent Market and RaaS Inc.: The Business Plan Nobody Asked For. For companion threat-actor profiles, see Qilin and The Gentlemen.
