Qilin Ransomware: The Most Active Threat Group of 2025-2026

In any given week of 2026, Qilin posts more new victims to its leak site than any other ransomware operation in the world. In the thirty days before this article was written, Qilin claimed 141 organisations across at least 25 countries. The next-most-active group, Akira, posted 64 in the same window. The gap is not a fluke. It is the structural outcome of an affiliate revenue split that pays operators up to 85% of the ransom, a clearnet leak site that puts victim data inside Google's index rather than behind Tor, and three years of disciplined absorption of affiliates left stranded by the disruption of LockBit, ALPHV/BlackCat, and RansomHub.

This is a profile of Qilin: who they are, how they work, the named incidents that define their operating style, the September 2025 cartel announcement with LockBit and DragonForce, and the question every defender and policy team should be asking by mid-2026: what does it take to disrupt a group whose successors are already integrated into the same model?

For the broader threat-group landscape, see also our companion profile on ShinyHunters: Inside the Threat Group, the credential-theft and extortion group that runs a different operating model on the same downstream economy.

Origins: 2022 Onward

Qilin emerged in July 2022 under the original name "Agenda", a Go-language ransomware operation marketed on the Russian-speaking dark web forum RAMP (Ransom Anon Market Place). The operator handle "Haise" registered on RAMP on 29 May 2022 and began advertising the operation on 13 February 2023, after the first rewrites.

The timing of Agenda's emergence was not coincidental. In February 2022, an internal disagreement at the Conti ransomware operation produced ContiLeaks, a sympathiser-dumped corpus of Conti's full internal Jabber chats, source code, and operating playbooks. The leak effectively ended Conti as a coherent operation by May 2022. The downstream effect was a sudden surplus of experienced ransomware affiliates with established tradecraft, no platform, and reputational scars that made the surviving alternatives (LockBit, REvil, BlackCat) imperfect homes. Several new operations emerged into this vacuum. Agenda was one of them.

The first detailed technical analysis of Agenda was published by Trend Micro in August 2022. The early payloads were Go-language, with limited evasion capabilities and a target profile concentrated on healthcare, education, and small-manufacturing victims. Trend Micro's analysts described the operation as "customised per victim", with payloads compiled with hard-coded ransom amounts, file extension preferences, and execution windows tailored to each environment. The bespoke compilation pattern was unusual at the time. Most contemporary operations used templated payloads with affiliate-side parameter injection. The bespoke approach was inefficient at scale, but read as deliberate craft to the affiliate audience the operators were trying to recruit.

By April 2023, the Go codebase had been replaced with a Rust implementation. The rewrite was not cosmetic. Rust brought three operationally significant changes: cross-platform compilation that allowed Windows, Linux, and ESXi targets from the same source tree; faster execution profiles that reduced the encryption window before detection; and substantially harder reverse-engineering for incident responders trying to identify the variant in the field. The rebranded Qilin name appeared alongside the technical rewrite.

The transition from Agenda to Qilin tracked a broader maturation: from a small operation with hand-tuned payloads and a limited affiliate base, to a Rust-rewritten platform marketed publicly on RAMP with industrialised affiliate recruitment. The April 2023 Rust rewrite, the rebrand, and the formal RAMP advertising in February 2023 together signal the shift from craft-shop operation into a fully-fledged ransomware-as-a-service platform competing against the post-Conti generation.

The name itself is misdirection. Qilin is a mythological hooved chimera from Chinese folklore, sometimes rendered "Kirin" in Japanese. The branding implies an East Asian origin. The operators are Russian-speaking, recruit through Russian-speaking forums, and follow the standard CIS-victim prohibition observed across the post-Conti generation of ransomware-as-a-service operations. The name change from Agenda to Qilin happened during the Rust rewrite, and the new identity gave the operation a clean public surface uncoupled from earlier Agenda-attributed incidents.

How They Operate

Qilin is a ransomware-as-a-service platform. The core operators maintain the codebase, the negotiation infrastructure, the leak site, and the payment-routing layer. Affiliates, independent operators recruited through RAMP, run the actual intrusions. The split is uneven by design: most of the public Qilin "activity" is affiliate work attributed to the platform.

The standard attack chain across documented incidents:

  1. Initial access. Spear-phishing remains the most common vector, often distributing trojanised IT-administration tools such as RVTools, ScreenConnect, and AnyDesk installers. Where phishing fails, affiliates buy access from initial-access brokers in the same forum ecosystem, or exploit edge devices directly. CVE-2024-21762 and CVE-2024-55591 (Fortinet FortiGate authentication bypass), CVE-2024-27198 (JetBrains TeamCity admin access), and CVE-2023-27532 (Veeam Backup and Replication credential exposure) have all been used in attributed Qilin intrusions.
  2. Persistence and lateral movement. Legitimate IT-administration tooling is hijacked rather than dropped. ScreenConnect and AnyDesk are extended for persistent remote access. Lateral movement uses standard Windows administrative protocols (PsExec, WinRM, SMB, RDP) which avoid behavioural detection rules that flag custom remote-access malware. Active Directory enumeration is performed before any encryption begins.
  3. Defense evasion. Bring-your-own-vulnerable-driver (BYOVD) techniques abuse signed but vulnerable drivers, TPwSav.sys being the publicly documented case, to disable endpoint detection from kernel space. Volume Shadow Copies are deleted via vssadmin.exe. Windows event logs are cleared via PowerShell GlobalSession.ClearLog and wevtutil.exe. Some intrusions end with a reboot into Safe Mode to bypass any defenses that load only in full boot.
  4. Exfiltration. Data is staged and exfiltrated before encryption fires. Volumes claimed in extortion negotiations range from tens of gigabytes for small targets to 500 GB or more for enterprises, with one widely-reported claim of 31.2 petabytes across all victims (likely inflated by a single manufacturing victim per Barracuda's reporting; the figure should be treated as unverified self-reporting).
  5. Encryption. The Rust payload uses a combination of AES-256 and RSA-2048. Encrypted files receive one of three extensions (.qilin, .qln, or .agenda) and a ransom note is dropped in each affected directory.
  6. Extortion. Victims are added to Qilin's leak site with a countdown clock. The leak site exists both as a Tor service and, since May 2024, as a clearnet site at wikileaks2.com. Failure to pay results in incremental release of the exfiltrated data. In the case of high-pressure attacks against critical infrastructure, the release has included names of patients with cancer diagnoses or sexually transmitted infections.

[Figure: The Qilin attack chain, six steps from initial access through extortion]
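The defense-evasion and encryption steps in the chain above (shadow copy deletion via vssadmin.exe, event-log clearing via wevtutil.exe, a Safe Mode reboot, and files renamed to .qilin, .qln or .agenda) map directly onto host telemetry. The block below is an added example, not code from this page or from any vendor or the Qilin operators: it runs rule-based detection over constructed process-creation and file-rename events, then correlates per host so that two distinct rules firing within ten minutes escalate to a probable-ransomware-execution finding. The key=value log format, the host and user names, the ten-minute window, and the use of a bcdedit safeboot command as the way the Safe Mode reboot is staged are assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Encrypted-file extensions the text attributes to the Rust payload.
RANSOM_EXTENSIONS = (".qilin", ".qln", ".agenda")

# Constructed sample events (not real telemetry). The key=value layout is an assumed format.
SAMPLE_EVENTS = [
    'ts=2026-05-01T02:14:03Z host=srv-fs01 type=process user=CORP\\svc_backup image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    'ts=2026-05-01T02:14:05Z host=srv-fs01 type=process user=CORP\\svc_backup image=C:\\Windows\\System32\\wevtutil.exe cmd="wevtutil.exe cl Security"',
    'ts=2026-05-01T02:14:09Z host=srv-fs01 type=process user=CORP\\svc_backup image=C:\\Windows\\System32\\bcdedit.exe cmd="bcdedit /set {default} safeboot network"',
    'ts=2026-05-01T02:15:40Z host=srv-fs01 type=file action=rename path=D:\\Finance\\Q1.xlsx target=D:\\Finance\\Q1.xlsx.qilin',
    # Benign: an administrator querying, not clearing, a log on another host.
    'ts=2026-05-01T09:00:00Z host=ws-042 type=process user=CORP\\jdoe image=C:\\Windows\\System32\\wevtutil.exe cmd="wevtutil.exe qe Application /c:5"',
]

# (rule name, severity, pattern applied to the process command line)
COMMAND_RULES = [
    ("shadow_copy_deletion", "high", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("event_log_clear", "high", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    # Assumption: the Safe Mode reboot is staged with bcdedit's safeboot option.
    ("safe_mode_boot_config", "medium", re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+safeboot", re.I)),
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one key=value log line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    rule: str
    severity: str


def detect(lines):
    """Apply the command-line rules and the ransom-extension rename rule to each event."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if ev.get("type") == "process":
            cmd = ev.get("cmd", "")
            for name, severity, pattern in COMMAND_RULES:
                if pattern.search(cmd):
                    alerts.append(Alert(ts, ev["host"], name, severity))
        elif ev.get("type") == "file" and ev.get("action") == "rename":
            if ev.get("target", "").lower().endswith(RANSOM_EXTENSIONS):
                alerts.append(Alert(ts, ev["host"], "ransomware_extension", "high"))
    return alerts


def correlate(alerts, window=timedelta(minutes=10), min_rules=2):
    """Return hosts on which at least `min_rules` distinct rules fired inside one `window`."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert.host].append(alert)
    escalated = set()
    for host, hits in by_host.items():
        hits.sort(key=lambda a: a.ts)
        for i, first in enumerate(hits):
            rules = {h.rule for h in hits[i:] if h.ts - first.ts <= window}
            if len(rules) >= min_rules:
                escalated.add(host)
                break
    return escalated


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a.ts, a.host, a.rule, a.severity)
    print("escalated hosts:", correlate(found))
```

A single rule such as an event-log clear also fires on legitimate administration, which is why the correlation step, not the individual rules, is the useful signal: the chain the text describes produces several distinct rule hits on one host within minutes, whereas routine maintenance rarely does.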

What Qilin does not do is also worth noting. There is no evidence in public reporting of zero-day exploit development. There is no custom command-and-control framework. There is no sophisticated initial access tradecraft that distinguishes the platform from a half-dozen peer operations. The technical floor is competent but unremarkable. The structural innovations are in the business model.

The Affiliate Model: 80/85% Split

In March 2023, researchers at Group-IB published the first detailed analysis of Qilin's affiliate economics. The split was, and remains, the highest in the public ransomware-as-a-service market: affiliates receive up to 80% of any ransom up to three million US dollars, and up to 85% above that threshold. The operator handle "Haise" advertised these terms on RAMP directly, alongside a roughly five-hundred-dollar account fee for forum access.

Payment routing is unusual. In most ransomware-as-a-service operations, victim payments flow first to operator wallets, with affiliate splits paid out afterward. In Qilin's stated model, cryptocurrency payments arrive at the affiliate wallet first, and the affiliate forwards the operator's smaller share. The mechanism is structurally favourable to affiliates because it eliminates the credit risk of an operator absconding with funds before the split. It also tells affiliates that the platform is confident enough in its retention strategy to expose itself to that credit risk.

Documented affiliate handles operating through Qilin's infrastructure include:

  • DEV-0237/FIN12. Long-active financially motivated group historically associated with healthcare-sector targeting.
  • Octo Tempest / Scattered Spider. The social-engineering specialists also overlapping with ShinyHunters in the SLSH cluster, primarily English-speaking.
  • Moonstone Sleet. A North Korean state-aligned operator that Microsoft identified as a Qilin affiliate in March 2025, marking one of the first publicly documented overlaps between a DPRK-aligned group and a Russian-speaking ransomware-as-a-service.
  • Devman. Self-identified affiliate active from April 2025, observed making smaller ransom demands in the $60,000 range, suggesting a lower-tier affiliate cohort below the high-value enterprise operators.
  • Arkana Security. A March 2025 emergent affiliate that publicly associated with the "Qilin Network" branding.

The composition matters. Qilin is not a single operating team. It is a marketplace under one brand, with affiliate competence ranging from coordinated enterprise intrusion teams to opportunistic small-volume operators, with at least one state-aligned actor in the mix. This is exactly the structure that makes the platform resilient to law-enforcement disruption: removing any single affiliate removes one revenue stream, not the operation.

The numbers behind the affiliate splits explain why competitors struggle to retain talent. At Qilin's current operational tempo of 141 leak-site listings in a trailing thirty-day window, even conservative assumptions on payment rates produce significant revenue. Sophos's 2024 State of Ransomware survey reported that 56% of organisations hit by ransomware ultimately paid; the rate is meaningfully lower for state-and-local-government victims and meaningfully higher for healthcare and professional-services targets. If even 30% of 141 monthly listed victims pay an average ransom of $1.5 million (well below the publicly documented enterprise tier for Qilin's recent posts), the platform generates approximately $63 million in monthly revenue. Affiliates retain roughly $50 million of that. The operators take the remainder.

For the broader unit economics of ransomware as a market, including the cost structures that separate the operators generating tens of millions from the eighty-five competitor groups that claimed fewer than ten victims each in 2025, see our companion analysis: RaaS Inc.: The Business Plan Nobody Asked For.

The WikiLeaksV2 Clearnet Site

In May 2024, Qilin added a clearnet leak site at wikileaks2.com alongside its existing Tor-based extortion portal. Clearnet leak surfaces are not unique to Qilin. INC Ransom maintains a clearnet page. Egregor operated one before its 2021 disruption. APT73 (also tracked as eraleign) runs a clearnet page. Karakurt maintains a clearnet leak portal. RobinHood used a Tumblr blog as its leak surface during its active period. CMD Organization operates clearnet auctions of stolen databases across three known sites, two of which remain operational.

What distinguishes Qilin is the consistency. The wikileaks2.com site has remained up since May 2024 with regular new postings, and Qilin's higher posting volume makes the clearnet surface materially more visible than peer operations' equivalents. At 141 listings in the trailing thirty days, wikileaks2.com receives more new content per week than most peer clearnet sites publish in a quarter.

The strategic logic is shared across the operations that have made this move. Tor-based leak sites are reliable for the operators but inconvenient for the audience. Journalists, researchers, and clients of victim organisations need to install Tor Browser, accept variable latency, and tolerate the occasional infrastructure seizure that takes a site offline for days. A clearnet site removes all of that friction. It also surfaces in mainstream search results, which means a victim's customers and counterparties can encounter the leak via ordinary Google searches.

This matters because the leak is the pressure mechanism. The threat of public exposure is only as effective as the reach of the exposure itself. Putting the leak on a clearnet domain (with the name "WikiLeaksV2" deliberately echoing a well-known disclosure brand) multiplies the public surface of the threat at near-zero operational cost. It also forces victim organisations into a faster crisis-communications posture: when a ransom deadline expires and the leak goes live, the data is searchable inside hours rather than discoverable only by users who know how to navigate Tor.

Privacy Insight Solutions tracks both surfaces. The Tor site and the clearnet mirror carry the same data, and the clearnet surface is now where most third-party trackers and journalists do their primary observation. Where Qilin distinguishes itself from other clearnet-equipped operations is volume and tempo, not the architectural decision itself.

Named Incidents 2023-2026

Five incidents define the public record of Qilin's operating style. They are not the largest in pure volume terms (many of the 1,851 cumulative leak site listings are small businesses with no public disclosure obligation), but they are the cases where third-party reporting allows verification of attribution, timeline, and outcome.

Court Services Victoria (Australia, December 2023)

On 21 December 2023, Court Services Victoria detected an intrusion in its audio-visual archive that hosted hearing recordings for the Supreme Court, the County Court, the Magistrates' Court, the Children's Court, and the Coroners Court. The initial breach date was later established as 8 December 2023.

The scope of compromise was extensive. Supreme Court hearings from 1 to 21 December were accessed, with some regional hearings extending into November 2023. County Court, Magistrates' Court, and Coroners Court recordings from 1 November to 21 December were affected. Children's Court was limited to one October 2023 hearing. Subsequent forensic analysis identified some recordings dating back as far as 2016.

Attribution to Qilin came through Robert Potter, co-founder of the Australian cybersecurity firm Internet 2.0, who reviewed the attacker communications and identified the ransom note as matching Qilin's then-current infrastructure. Court Services Victoria did not appear on Qilin's public leak site at the time of public reporting, suggesting either a quiet negotiation arc or an unposted holding pattern. The Victorian Attorney-General disclosed the incident publicly on 2 January 2024. Court operations continued through the disruption.

The Court Services Victoria incident matters as an early-stage demonstration of Qilin's willingness to target judicial infrastructure, a category most ransomware operations historically avoided because of the predictable law-enforcement attention.

Synnovis NHS Pathology (United Kingdom, June 2024)

On 3 June 2024, Qilin encrypted the systems of Synnovis, a pathology-services joint venture between SYNLAB and two London NHS Foundation Trusts (King's College Hospital and Guy's and St Thomas'). The attack made Synnovis unable to process blood tests for the hospitals it served.

The clinical impact was severe. In the first thirteen days following the attack, NHS Trusts cancelled 1,134 planned operations and 2,194 outpatient appointments. More than 10,000 appointments were ultimately cancelled. The blood-testing disruption created a shortage of O-negative blood that lasted months, with stocks depleted across the United Kingdom because the affected hospitals drew disproportionately on emergency reserves.

On 20 June 2024, Qilin began publishing exfiltrated data on its leak site. The release was deliberately calibrated to maximise patient distress: published categories included names of patients with cancer diagnoses, patients with sexually transmitted infections, and pathology and histology forms used to share patient information between departments. Security researcher CaseMatrix estimated that data on more than 900,000 NHS patients was leaked. Synnovis has neither confirmed nor disputed the figure.

In a joint decision with NHS Trust partners, Synnovis did not pay the ransom. The decision was framed publicly as an ethical commitment. The operational consequence was that the full dataset entered permanent public circulation.

In June 2025, King's College Hospital NHS Foundation Trust confirmed that delays in blood-test results from the attack were among the contributing factors in a patient death. The Synnovis incident is, on public record, the first ransomware attack against a healthcare provider in the United Kingdom for which a fatality has been formally attributed.

The Synnovis forensic investigation ran for eighteen months. On 13 November 2025, Synnovis concluded its review and began notifying affected NHS organisations. Individual patient notification followed in late November 2025. Investigators were never able to determine how Qilin gained initial access to the Synnovis network. The attribution to Qilin was confirmed by former National Cyber Security Centre chief executive Ciaran Martin.

Lee Enterprises (United States, February 2025)

On 3 February 2025, Lee Enterprises, the publisher of more than seventy US newspapers and digital publications, was hit by a Qilin intrusion that encrypted critical applications and exfiltrated company files. Distribution of print publications was delayed, billing and collections systems were disrupted, and online operations were partially limited.

Lee Enterprises disclosed the incident in an SEC Form 8-K filed on 12 February 2025. By that date the company stated that all core products were being distributed normally, though weekly and ancillary products had not been restored. On 27 February 2025, Qilin listed Lee Enterprises on its leak site and claimed exfiltration of 120,000 files totaling 350 GB, including financial spreadsheets, scans of passports and driver's licenses, non-disclosure agreements, business contracts, and investor records. The ransom deadline was set for 5 March 2025.

The Lee Enterprises incident is the cleanest public example of Qilin's negotiation cadence: encryption first, then an SEC-mandated disclosure window, then a leak site listing with a published deadline that creates regulatory pressure on the disclosed counterparties (banks, investors, business partners whose materials are in the exfiltrated set).

The Korean Leaks Campaign (South Korea, September-October 2025)

Between 14 September and 4 October 2025, Qilin executed a coordinated campaign against South Korean financial-services firms that the operators publicly framed as political activism rather than ordinary extortion. The campaign was branded "Korean Leak" in leak site posts.

Wave 1 (14 September) posted ten financial-management-sector victims simultaneously with messaging accusing the targets of "stock market manipulation" and framing the disclosures as a public service against "one network of fraudsters". Wave 2 (17-19 September) added nine victims with escalated rhetoric framing the leaks as systemic-risk warnings to the South Korean stock market. Wave 3 (28 September - 4 October) added nine more.

The campaign cited a pre-existing victim post from 20 August 2025 that included an explicit North Korean reference: "A report on what was found in these documents is already being prepared for Comrade Kim Jong-un." After the third wave, the political framing was dropped and standard financial-extortion messaging resumed. A 22 October 2025 post matching the financial-services profile lacked any "Korean Leak" branding and was removed within a day.

Total: 33 claimed victims, 28 publicly posted, 32 in financial or asset management and one construction firm. More than 1 million files and over 2 TB of data confirmed exfiltrated; actual scope likely larger.

Two attribution layers operate here. The primary attacker is Qilin (the platform). The suspected affiliate is Moonstone Sleet, the North Korean state-affiliated group Microsoft identified as a Qilin partner in early 2025. The attack vector, compromise of a domestic South Korean IT service provider managing systems for multiple asset managers, is consistent with affiliate operations rather than direct platform operator work. Bitdefender's research published in October 2025 traced the chain.

The Korean Leaks campaign is the clearest case to date of a ransomware-as-a-service platform serving as cover for state-aligned activity disguised as financially-motivated crime.

Cushman & Wakefield (United States, May 2026, Double Breach)

On 4 May 2026, Cushman & Wakefield, the global commercial real-estate services firm, was listed on Qilin's leak site in the Real Estate sector. As of 21 May 2026, the Qilin listing remains active with approximately 9,354 recorded page views and zero data samples published. The absence of leaked previews suggests either an ongoing negotiation or a holding posture designed to maximise payment pressure before any data sees daylight.

What makes the Cushman & Wakefield incident structurally unusual is the second listing. On 7 May 2026, three days after Qilin's posting, ShinyHunters separately listed Cushman & Wakefield on their own leak site with a different scope claim:

"Over 500k Salesforce records containing PII and other internal corporate data have been compromised. The company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made. They don't care."

Volume claimed by ShinyHunters: 500,000+ records, 50 GB compressed. The 7 May update indicates ShinyHunters has already attempted negotiation and considers it failed, which is consistent with the leak-site framing typical of the SLSH-cluster groups.

The double breach matters for two reasons. First, it confirms what threat-intelligence analysts have suspected since the 2025 cartel announcement: the operational boundaries between Russian-speaking RaaS platforms (Qilin) and the SLSH-cluster credential-theft operations (ShinyHunters and adjacent actors) are increasingly permeable. Both groups hit the same target inside three days with what appear to be different data subsets, suggesting either separate affiliate intrusions, sequential compromise after the first breach exposed the path for a second, or coordinated multi-platform extortion. Second, it changes the calculus for the victim organisation. Cushman & Wakefield is now negotiating, simultaneously, with two operations whose disclosure timelines and payment-routing infrastructures are entirely independent. The legal and crisis-communications complexity multiplies; the reputational risk doubles.

Cushman & Wakefield's client base includes major commercial landlords, occupiers, and investors across critical-infrastructure sectors. The exfiltrated data, depending on actual scope, exposes lease structures, transaction pipelines, and tenant identities that downstream actors monetise through targeted social engineering rather than direct extortion. The 500,000 Salesforce records claimed by ShinyHunters point to a customer-relationship-management compromise; the Qilin listing's silence on scope leaves the second axis open.

The Cartel: LockBit + Qilin + DragonForce, September 2025

In early September 2025, DragonForce posted an announcement on a Russian-speaking forum proposing a coalition with the newly returned LockBit and with Qilin. The announcement, in DragonForce's framing: "Create equal competition conditions, no conflicts and no public insults. This way we can all increase our income and dictate market conditions." LockBit replied publicly: "I completely agree with you. I don't wish you anything bad. As people are to me, so I am to people."

The cartel was reported by Hayden Evans, threat intelligence researcher at ReliaQuest, in a Q3 2025 threat report. Subsequent coverage in DarkReading, CSO Online, Cybernews, Quorum Cyber, Security Affairs, and Acronis TRU treated the alliance as a confirmed announcement.

What the cartel is, on public record:

  • A rhetorical commitment by three of the top-five most-active ransomware-as-a-service platforms to share techniques, infrastructure, and affiliates.
  • An explicit goal of "dictating market conditions", meaning influencing ransom levels, negotiation norms, and affiliate retention across the three operations.
  • An open invitation for other groups to join.

What the cartel is not, also on public record:

  • An operational fusion. ReliaQuest's tracking through publication noted that no joint attacks have been observed, no combined leak site exists, and each group continues to publish victims separately under its own brand.
  • A new payload, infrastructure, or affiliate-recruitment surface. Each group maintains its own platform.

The honest reading: the cartel is a posture, not a structure. Three operators that already share recruitment forums, affiliate handles, and absorbed-from-LockBit/ALPHV/RansomHub talent agreed in writing not to undercut each other. The strategic value is in deterring the next wave of disruption: if any one of the three is taken offline, the survivors absorb its affiliates faster than they otherwise would.

The cartel announcement is also a signal of operator confidence. Three groups with a combined leak site footprint of more than 2,500 victims in the year prior published a joint statement on a public forum. They did not expect law-enforcement reprisal to follow. As of publication, none has.

The operational tempo across cartel members in the days before this article shipped supports the operator-confidence reading. LockBit5 (the post-Operation-Cronos LockBit revival) posted fifteen new victims in the seventy-two hours ending 21 May 2026. DragonForce posted thirty-two victims over the same trailing thirty-day window that covers Qilin's 141. The three groups are individually active and collectively dominate the recent leak-site landscape. The absence of joint operations does not reflect inactivity; it reflects each operating its own platform under its own brand, exactly as the cartel announcement framed.

The 30-Day Tempo: April to May 2026

Between 21 April and 21 May 2026, Qilin posted 141 organisations to its leak site. The prior thirty days (22 March to 21 April 2026) saw 92 listings. The increase represents a 53.3% acceleration during a single month.

The next-most-active operations in the same April-to-May window:

  • Akira: 64 listings
  • LockBit5 (the post-disruption LockBit revival): 32
  • DragonForce: 32
  • The Gentlemen: 79 (separately tracked; broadly disputed attribution)
  • All other operations: under 30 each

[Figure: Ransomware leak-site velocity, 30 days April-May 2026, Qilin 141 versus competitors]

Qilin's posting velocity in this window is more than double the next-most-active platform. Over the trailing 90 days (20 February to 21 May 2026), Qilin posted 371 victims, against a prior-90-day baseline of 409. The longer arc shows a small (-9.3%) deceleration; the recent 30 days show the re-acceleration.

The total volume since 1 February 2026 (per Privacy Insight Solutions analysis of leak site listings): 452 named victims across 110 days, an average of 4.1 victims per day with the most recent 30 days running at 4.7 per day.
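The trailing-window figures used in this section (30-day and 90-day counts, percentage change against the prior window, daily rate) and the back-dating by the mean attack-to-listing lag discussed below are simple to reproduce from a list of listing dates. The block that follows is an added example and not Privacy Insight Solutions' tracking code; the listing dates are constructed (five per day for the last 30 days, three per day for the 30 before that, and so on) so that the counts it produces are illustrative rather than Qilin's actual figures. The observation date, the rounding of the 46.5-day lag to whole days, and the window lengths are choices made for the example.

```python
from datetime import date, timedelta

MEAN_LISTING_LAG_DAYS = 46.5  # attack-to-listing lag reported in the text


def window_count(listing_dates, end, days):
    """Number of listings dated inside the `days`-day window ending on `end` (inclusive)."""
    start = end - timedelta(days=days - 1)
    return sum(1 for d in listing_dates if start <= d <= end)


def pct_change(current, prior):
    """Percentage change from the prior window to the current one, one decimal; None if prior is zero."""
    if prior == 0:
        return None
    return round((current - prior) / prior * 100, 1)


def velocity_report(listing_dates, end):
    """Trailing 30- and 90-day counts, their prior-window baselines, change and daily rate."""
    report = {}
    for days in (30, 90):
        current = window_count(listing_dates, end, days)
        prior = window_count(listing_dates, end - timedelta(days=days), days)
        report[f"last_{days}"] = current
        report[f"prior_{days}"] = prior
        report[f"change_{days}_pct"] = pct_change(current, prior)
        report[f"per_day_{days}"] = round(current / days, 1)
    return report


def intrusion_window(end, days=30, lag=MEAN_LISTING_LAG_DAYS):
    """Shift a listing window back by the mean lag to the period in which the intrusions likely began.

    The lag is rounded to whole days (46.5 rounds to 46 under Python's round-half-even)."""
    start = end - timedelta(days=days - 1)
    shift = timedelta(days=round(lag))
    return start - shift, end - shift


def constructed_listings(end):
    """Constructed sample, not real Qilin data: (days-before-end range, listings per day)."""
    rates = [(0, 30, 5), (30, 60, 3), (60, 90, 2), (90, 180, 3)]
    return [end - timedelta(days=k)
            for lo, hi, per_day in rates
            for k in range(lo, hi)
            for _ in range(per_day)]


END = date(2026, 5, 21)  # assumed observation date for the constructed sample
SAMPLE_LISTINGS = constructed_listings(END)

if __name__ == "__main__":
    for key, value in velocity_report(SAMPLE_LISTINGS, END).items():
        print(f"{key}: {value}")
    lo, hi = intrusion_window(END)
    print(f"last-30-day listings most likely reflect intrusions between {lo} and {hi}")
```

Run against the page's own figures, pct_change(141, 92) gives the 53.3% thirty-day acceleration and pct_change(371, 409) the -9.3% ninety-day deceleration; the back-dated window for 22 April to 21 May lands in early March to early April, which is the point the tracking note below makes about the listings lagging the intrusions.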

Geographic distribution across the four-month sample is global, with concentrations in the United States, the United Kingdom, France, Germany, Italy, Spain, Australia, and Japan, plus tail distribution across Latin America, Southeast Asia, the Middle East, and Sub-Saharan Africa. The platform's reach is unambiguous: 96 countries affected across its lifetime per public tracking.

Sector concentration during the recent period:

  • Construction and civil engineering
  • Industrial machinery and equipment
  • Law firms and legal services
  • Architecture, engineering, and design
  • Manufacturing
  • Business services
  • Healthcare services and ambulance services
  • Government (municipal, county, regional)

Most listings are small or mid-sized businesses without statutory disclosure obligations, meaning the public footprint understates the actual data-loss footprint substantially. The standout enterprise names from this window include Cushman & Wakefield (4 May 2026), Denso (24 April), AppDirect (11 May), Sysco (6 May), See's Candies (30 April), Manulife Wealth (23 April), Lexus (4 May), HBX Group (17 April), Salford City College (10 March), Malaysia Airlines (26 February), and Dow (30 March, just outside the window).

A note on tracking. Qilin's leak site shows an average 46.5 day lag between attack and listing. Many of the May 2026 listings reflect intrusions that occurred in March or early April. The current acceleration is therefore not a forecast. It is the surface of decisions made one to two months ago, made by affiliates whose subsequent intrusions will produce the June and July listings to come.

Why Qilin Has Outlasted LockBit and ALPHV

Several historically comparable ransomware operations have collapsed after a single critical-infrastructure incident. DarkSide ceased operations within days of the Colonial Pipeline attack. ALPHV/BlackCat dissolved after the Change Healthcare incident. Black Basta shut down following the attack on Ascension Health. The pattern is consistent: a single attack drew intense law-enforcement, regulatory, and political attention, and the operators concluded that continuing was no longer commercially viable.

Qilin has now attacked a UK NHS pathology provider with a death attribution (Synnovis), the Australian state judicial system (Court Services Victoria), a major US newspaper chain (Lee Enterprises), and the South Korean financial-services sector at scale (Korean Leaks). None of these incidents has triggered a collapse. Several structural reasons explain the difference:

Affiliate-friendly economics. The 80/85% split is the highest in the public ransomware-as-a-service market. When a Qilin affiliate considers whether to migrate to a competitor, the math favours staying. When a LockBit, RansomHub, or ALPHV affiliate looks for a new platform after disruption, Qilin is the highest-paying option still operating.

Diffuse target portfolio. Most of Qilin's victims are small or mid-sized organisations without the political profile that triggers law-enforcement priority targeting. The high-profile incidents (Synnovis, Court Services Victoria, Lee Enterprises, Korean Leaks) are concentrated enough to attract attention, but they are surrounded by hundreds of smaller intrusions that dilute the policy response.

Clearnet leak site. The WikiLeaksV2 site means even minor disruption of Tor infrastructure does not interrupt the extortion pipeline. Disrupting Qilin requires disrupting clearnet hosting plus Tor plus the operator infrastructure simultaneously, a substantially higher operational bar than for Tor-only operations.

Geographic posture. Operators in the Russian-speaking sphere with a disciplined CIS-victim exclusion policy continue to operate in the absence of a meaningful international enforcement mechanism. This is not unique to Qilin, but it is foundational to Qilin's resilience.

Cartel positioning. The September 2025 cartel with LockBit and DragonForce is, in part, a mutual-defence pact. If any single member is disrupted, the other two absorb affiliates faster than competitor groups would. This is a structural insurance policy against the kind of single-incident collapse that ended DarkSide and ALPHV.

Affiliate-pool consolidation. Across 2024 and 2025, Qilin systematically absorbed affiliates left without infrastructure after the disruption of LockBit (February 2024), ALPHV/BlackCat (March 2024), and the partial unravelling of RansomHub through Q2 2025. The platform's documented overtaking of RansomHub in Q2 2025, going from 9% of MS-ISAC state-and-local-government incidents in Q1 to 24% in Q2, reflects the same pattern at the regional level.

A summary of MS-ISAC's Q2 2025 analysis is worth quoting in this context: between December 2023 and June 2025, 29 documented US state, local, tribal, and territorial ransomware incidents were attributed to Qilin. Fifty-five percent of those incidents occurred in Q2 2025. The pattern of acceleration is consistent across regional, sectoral, and global telemetry.

Beyond the Breach

The 452 leak site listings from February to May 2026 represent the visible surface of Qilin's data-exfiltration footprint. The underlying datasets, once published on a clearnet leak site, enter permanent circulation. They are downloaded by aggregators, indexed by intelligence platforms, traded on credential markets, and selectively monetised by downstream actors whose interests extend well beyond the original ransom.

For the individuals whose information appears in these datasets, the exposure does not end when the breach announcement is published:

Identity fraud at scale. Scanned passports and driver's licences in the Lee Enterprises exfiltration, NHS identifiers and dates of birth in the Synnovis release, court hearing recordings exposing parties and witnesses in the Court Services Victoria incident: all of these enable identity reconstruction at a level that defeats most consumer-grade verification controls.

Targeted social engineering. The 500,000-plus Salesforce records claimed by ShinyHunters in the Cushman & Wakefield exfiltration constitute a primary-source CRM dataset of commercial real-estate counterparties: landlords, tenants, brokers, and investment principals indexed against transaction history. That structure is precisely what enables targeted social engineering against executives at counterparty firms, particularly those whose property dealings involve sensitive negotiation positions. The Synnovis pathology forms expose patient health conditions to actors running romance scams, sextortion, and pretext-based fraud against medically vulnerable individuals.

Doxxing and reputational harm. Court Services Victoria recordings, once published, would expose witness testimony, victim impact statements, and the procedural detail of cases that proceeded under fair-trial protections. The leak threat itself constitutes a separate harm even when not executed.

Sextortion and physical threats. The Synnovis category that included patients with sexually transmitted infections is the clearest documented case of a ransomware operation publishing health data calibrated to maximise individual distress. The downstream actors who acquire that data do not require sophisticated tooling to act on it.

State-aligned campaign cover. The Korean Leaks campaign demonstrated that Qilin's infrastructure can be used by state-aligned actors to disguise targeted economic and intelligence operations as ordinary financial-motive crime. The fact that the political framing was dropped after the third wave suggests the affiliate adjusted to public scrutiny, not that the underlying intent changed.

The downstream harms continue long after the original incident is closed, the forensic review is complete, and the public attention has moved on. For organisations that have been listed on Qilin's leak site, the operational question is not whether the data will be misused. It is which adversary will misuse it, and on what timeline.

If your organisation has been listed on a Qilin leak site, or you believe your supply chain includes a Qilin victim, a Corporate Audit maps the full identity-and-data exposure surface across executive principals, employees, and key counterparties — including what has already been published and what is downstream.


The Pattern Continues

Qilin's growth trajectory through mid-2026 shows no internal sign of deceleration. The affiliate split remains the most generous in the market. The technical floor is competent. The leak site infrastructure spans clearnet and Tor. The cartel posture with LockBit and DragonForce insulates against single-incident collapse. The diffuse target portfolio dilutes any single intrusion's policy-attention impact. The Russian-speaking operating sphere remains beyond the reach of enforcement.

What would change this trajectory? Three forces, none of them currently active at scale:

Direct disruption. The pattern that ended LockBit (Operation Cronos, February 2024) and ALPHV (FBI seizure of its infrastructure in December 2023, followed by an exit scam against its own affiliates in March 2024) required sustained international coordination. No comparable operation against Qilin is publicly known. Until one occurs, the platform continues.

Geopolitical realignment. The CIS-protected operating posture depends on the absence of meaningful Russian cooperation with Western law-enforcement. A shift in that posture would not by itself end the operation, but would substantially raise the cost of operating from current jurisdictions.

Commercial collapse. Ransomware-as-a-service platforms ultimately depend on victim payment to sustain affiliate revenue. If the proportion of victims paying drops below a threshold that sustains affiliate retention, the platform's economics collapse from below. Synnovis chose not to pay, and the platform absorbed the reputational signal without operational impact. Whether enough subsequent victims will follow the Synnovis precedent to materially affect Qilin's revenue line remains an open question.

For defenders, the operating implication is straightforward. Qilin will continue to be the most active ransomware operation through 2026 absent disruption. The attack chain is well-documented, the access vectors are predictable (phishing of administrative staff, edge-device CVE exploitation, legitimate-tool hijack), and the defensive controls that matter most are also well-known (administrative-credential hardening, edge-device patching, EDR hardened against BYOVD, backup isolation that survives Safe Mode reboots).
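The Safe Mode reboot named above is one step of the chain a detection team can watch for directly, because the encryptor has to arm it with bcdedit before the reboot and usually clears it afterwards. The following is an added example, not code from the original briefing or from any vendor: it scans constructed Sysmon-style process-creation records for bcdedit invocations that set or remove the safeboot option and flags hosts that show the full set-then-clear sequence. The record format, hostnames, usernames and paths are assumptions made for the example.

```python
"""Detect the Safe Mode reboot staging step in process-creation telemetry.

Added illustrative example, not code from the original briefing. It scans
Sysmon-style process-creation records for bcdedit invocations that set or
clear the 'safeboot' boot-entry option. Rebooting a host into Safe Mode
(with networking, so the encryptor can still reach shares) starts the
encryptor on a host where most EDR agents and backup services are not
loaded. The sample records below are constructed, not real logs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# "bcdedit /set {default} safeboot network" (or "minimal") arms the next
# reboot into Safe Mode; "bcdedit /deletevalue {default} safeboot" removes
# it afterwards so the host boots normally once encryption is done.
SAFEBOOT_SET = re.compile(
    r"bcdedit(?:\.exe)?\s+[/-]set\s+\{[^}]+\}\s+safeboot\s+(network|minimal)",
    re.IGNORECASE,
)
SAFEBOOT_CLEAR = re.compile(
    r"bcdedit(?:\.exe)?\s+[/-]deletevalue\s+\{[^}]+\}\s+safeboot\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    host: str
    user: str
    action: str            # "safeboot_set" or "safeboot_clear"
    mode: Optional[str]    # "network" or "minimal" for set actions
    command_line: str


def parse_record(line: str) -> Dict[str, str]:
    """Parse a constructed 'Key=Value|Key=Value' process-creation record.

    Only the first '=' in each field is a separator, so command lines that
    themselves contain '=' survive intact.
    """
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def scan(lines: List[str]) -> List[Finding]:
    """Return one Finding per record whose command line touches safeboot."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_record(line)
        cmd = rec.get("CommandLine", "")
        host = rec.get("Host", "?")
        user = rec.get("User", "?")
        m = SAFEBOOT_SET.search(cmd)
        if m:
            findings.append(Finding(host, user, "safeboot_set", m.group(1).lower(), cmd))
        elif SAFEBOOT_CLEAR.search(cmd):
            findings.append(Finding(host, user, "safeboot_clear", None, cmd))
    return findings


def hosts_with_full_cycle(findings: List[Finding]) -> Set[str]:
    """Hosts that armed safeboot and later cleared it: the set, reboot,
    encrypt, clear sequence rather than a one-off administrative change."""
    armed: Set[str] = set()
    cycled: Set[str] = set()
    for f in findings:           # findings preserve log order
        if f.action == "safeboot_set":
            armed.add(f.host)
        elif f.action == "safeboot_clear" and f.host in armed:
            cycled.add(f.host)
    return cycled


# Constructed sample telemetry (hostnames, users and paths are invented).
SAMPLE_EVENTS = [
    "Host=WS-042|User=CORP\\jdoe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c dir",
    "Host=FS-01|User=CORP\\svc-backup|Image=C:\\Windows\\System32\\bcdedit.exe|CommandLine=bcdedit /set {default} safeboot network",
    "Host=FS-01|User=CORP\\svc-backup|Image=C:\\Windows\\System32\\shutdown.exe|CommandLine=shutdown /r /t 0 /f",
    "Host=FS-01|User=CORP\\svc-backup|Image=C:\\Windows\\System32\\bcdedit.exe|CommandLine=bcdedit /deletevalue {default} safeboot",
    "Host=DC-01|User=NT AUTHORITY\\SYSTEM|Image=C:\\Windows\\System32\\bcdedit.exe|CommandLine=bcdedit /set {current} bootstatuspolicy ignoreallfailures",
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host} {f.user} {f.action} {f.mode or ''}: {f.command_line}")
    print("full safeboot cycle on:", sorted(hosts_with_full_cycle(results)))
```

Two caveats a practitioner would want. An administrator legitimately setting safeboot produces the same first event, so the full-cycle check (set followed by clear on the same host) is the higher-confidence signal, and a safeboot set followed by no clear on a host that then stops reporting is worth paging on. The match keys on the command line, so a tool that edits the BCD store through its API rather than through bcdedit.exe will not appear here; the check complements EDR telemetry rather than replacing it.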

What is harder to defend against is the downstream harm. Once an organisation is listed on a Qilin leak site, paid or not, disclosed or not, in the news or not, the data is in circulation. The work that follows is not ransomware defence. It is identity surveillance, executive exposure mapping, supply-chain risk assessment, and the patient cleanup of a footprint that will, for years, surface in unexpected places.

That work is what we do.

Sources

Cohort and tempo analysis:

  • Leak-site listings (Qilin), 1 February 2026 to 20 May 2026. 452 victims observed by Privacy Insight Solutions across cumulative tracking. Sector composition cross-referenced with ransomlook.io 30-day and 90-day trending data.
  • RansomLook 30-day and 90-day trending exports (21 April to 21 May 2026; 20 February to 21 May 2026). Comparative volume against Akira, LockBit5, DragonForce, and the broader operator field.
