Who Is WorldLeaks? The Ransomware Group Behind the Nike and Tata Electronics Breaches
July 2026
WorldLeaks is a data extortion group that has claimed well over 150 victims since January 2025, including Nike, Dell, UBS, and Apple supplier Tata Electronics. It steals data and threatens to publish it unless the victim pays, and it has largely abandoned the file encryption that defines traditional ransomware.
The group emerged as a rebrand of Hunters International, pivoting from encryption towards pure data extortion. For security teams, that shift changes the defensive calculus: your backup strategy protects against the disruption of encryption, but it does nothing to protect against the exposure of stolen secrets. Encryption has re-appeared in isolated incidents (Darktrace, 2026), but exposure is the pressure that carries the model.
Get articles like this delivered to your inbox. Subscribe to CyberDesserts for practical security insights, no fluff.
WorldLeaks Origin: From Hunters International to Data Extortion
WorldLeaks launched on 1 January 2025 as a direct rebrand of Hunters International, a ransomware gang that operated from late 2023 until mid-2025. Hunters International itself was flagged as a possible successor to Hive ransomware, which law enforcement dismantled in 2023.
In November 2024, Hunters International administrators told affiliates the project was shutting down. The reasoning was blunt: ransomware had become "too risky and unprofitable" due to increased law enforcement pressure and declining ransom payments.
The group officially launched WorldLeaks on 1 January 2025. The core change was a shift in the business model: away from locking files and demanding payment for decryption keys, and towards stealing data and threatening to publish it. Encryption was not fully retired, as later incidents would show, but it stopped being the point.
Chainalysis data supports this strategic pivot. Ransomware payments dropped 35% year-over-year, from $1.25 billion in 2023 to $813 million in 2024. When fewer victims pay for decryptors, the economics favour pure extortion.
Do WorldLeaks Actually Encrypt Files?
Mostly no, but not never. In January 2026, Darktrace investigated a healthcare compromise it attributed to WorldLeaks where the attackers deployed a ransomware payload and encrypted customer data, contradicting the group's extortion-only reputation (Darktrace, 2026). Initial access came through a Fortigate appliance with a dwell time of roughly three months, and command and control ran over Cloudflare Tunnel. The lesson for defenders is not to assume the extortion-only label holds in every incident. Plan for exfiltration as the primary risk, but do not retire encryption from your threat model.
How WorldLeaks Attacks Work: Data Theft Without Encryption
WorldLeaks functions as an Extortion-as-a-Service (EaaS) platform, providing affiliates with custom exfiltration tools to automate data theft. The operation maintains a four-platform infrastructure:
- Data leak site for publishing stolen files
- Victim negotiation portal with live chat
- Affiliate management panel
- Insider journalist portal granting media 24-hour advance access to leaks
The journalist portal is a notable innovation. By giving media early access to stolen data, WorldLeaks amplifies pressure on victims before full publication, leveraging reputational damage as a negotiation tool.
Group-IB confirmed the group has partnered with Secp0, another ransomware operation, sharing leak site infrastructure. This suggests WorldLeaks is positioning itself as shared extortion infrastructure for multiple threat groups.
WorldLeaks Tata Electronics Breach: The Apple and Tesla Supplier Leak
On 12 June 2026, WorldLeaks claimed Tata Electronics, one of Apple's key iPhone manufacturing partners in India, publishing 204,341 files totalling 630.4GB on its leak site (Reuters, 2026). Tata Electronics confirmed the incident, telling Reuters it had identified a cybersecurity incident affecting some of its systems.
The leaked files reached far beyond Tata. Researchers who reviewed the dump for Reuters found manufacturing documents mapping iPhone 18 Pro components to their suppliers, a 52-page iPhone circuit board quality inspection standard, Tesla Model 3 engineering drawings stamped "TRADE SECRET", cryptographic certificates, and employee passport copies including those of foreign nationals.
This is the breach that shows why the extortion model is structurally different from encryption ransomware. The data was already public by the time the ransom demand landed. No payment Tata could make would recall 204,341 files that had been downloadable since 10 June. Apple and Tesla now have to treat those specifications as permanently exposed and plan accordingly, rotating cryptographic credentials and auditing downstream supplier access.
It is also the third Tata Group subsidiary hit by this criminal ecosystem in eighteen months. Hunters International, WorldLeaks' own predecessor, leaked 1.4TB from Tata Technologies in March 2025. The repetition raises a supplier-risk question Apple and Tesla will have to answer: what security standards do they require of tier-one suppliers, and how are those standards audited?
WorldLeaks Nike Breach: What Happened in January 2026
On 23 January 2026, WorldLeaks listed Nike on its leak site, claiming to have stolen 1.4TB of data comprising 188,347 files. The leaked file structure pointed to product development and manufacturing workflows rather than customer databases.
Directory names in the dump included "Women's Sportswear", "Men's Sportswear", "Training Resource - Factory", and "Garment Making Process". The focus appears to be design files, production documentation, and factory training materials.
Nike confirmed it is investigating a potential cybersecurity incident: "We always take consumer privacy and data security very seriously. We are investigating a potential cyber security incident and are actively assessing the situation."
WorldLeaks removed the Nike entry from its leak site shortly after publishing samples. This typically indicates either active negotiations or ransom payment. Nike has not confirmed whether any ransom was paid.
WorldLeaks Victims: Dell, UBS, and Other Major Breaches
WorldLeaks has targeted organisations across multiple sectors since January 2025. Several breaches stand out for their scale and downstream impact.
Dell Technologies (July 2025) : Attackers claimed 1.3TB of internal data from Dell's Customer Solution Center, a demonstration platform. Dell confirmed the breach but emphasised the environment contained primarily synthetic data used for product demos. Customer and partner systems were not affected.
Chain IQ / UBS (June 2025) : This breach had significant downstream impact. Chain IQ, a Swiss procurement services firm spun off from UBS, was attacked on 12 June 2025. The attackers stole 1.9 million files totalling 910GB.
Because Chain IQ serves as a vendor to multiple financial institutions, the breach exposed data on 130,000 UBS employees. Stolen data included names, email addresses, phone numbers, job titles, and office locations. UBS CEO Sergio Ermotti's internal phone number was reportedly included. Other affected companies included Pictet, Swiss Life, Axa, FedEx, IBM, and Swisscom.
L3Harris Technologies (August 2025) : WorldLeaks listed this US defence contractor, though specific details of the breach have not been publicly confirmed.
The group has also targeted healthcare organisations extensively, including Kentfield Hospital, Madison Healthcare Services, and Northwest Medical Specialties.
WorldLeaks Attack Vectors: How They Get In
WorldLeaks affiliates have been linked to sophisticated technical operations beyond basic data theft. Google's Threat Intelligence Group (GTIG) identified a threat cluster tracked as UNC6148 targeting SonicWall Secure Mobile Access (SMA) 100 series appliances with a previously unknown rootkit called OVERSTEP.
The connection to WorldLeaks was established when an organisation targeted by UNC6148 in May 2025 appeared on the WorldLeaks leak site the following month.
OVERSTEP is a user-mode rootkit designed specifically for SonicWall appliances. It provides persistent access by modifying the device's boot process, steals credentials and OTP seeds, and hides its presence by selectively deleting log entries. The malware persists across firmware updates and device reboots.
UNC6148 exploited credentials stolen in previous intrusions, allowing them to regain access even after organisations applied security patches. Stolen credentials increasingly originate in the infostealer marketplace, where access to a compromised network is bought rather than earned. Google assessed with high confidence that the group may have also exploited an unknown zero-day vulnerability to deploy OVERSTEP.
SonicWall responded by accelerating the end-of-support date for SMA 100 series devices to December 2025 and releasing firmware updates to detect and remove the rootkit.
This level of technical sophistication suggests WorldLeaks affiliates have capabilities beyond opportunistic attacks. Edge network devices that lack traditional endpoint protection are proving to be valuable footholds. For more on attacker tooling and techniques, see our Threat Actor Tools guide.
How to Detect a WorldLeaks Attack
Defending against pure extortion operations requires different priorities than traditional ransomware defence. Your backup strategy, however robust, does not prevent data publication. Detection and prevention of exfiltration become the primary objectives.
WorldLeaks affiliates use custom exfiltration tools designed to automate large-scale data theft. The Nike breach involved 1.4TB across 188,347 files. The Chain IQ attack extracted 910GB. These volumes take time to move.
Network-level indicators of compromise:
- Sustained outbound connections to cloud storage services (Mega, Dropbox, anonymous file hosts)
- Unusual data transfer volumes, particularly outside business hours
- Connections to Tor exit nodes or known proxy services
- Significant deviations from baseline egress patterns
Endpoint indicators:
- Archive creation in unusual locations (7zip, WinRAR activity in temp directories)
- Staging behaviour where files are collected before transfer
- Process injection into legitimate applications to evade detection
Many organisations detect ransomware through encryption activity but miss exfiltration because outbound transfers blend with legitimate traffic. Tune your DLP and SIEM rules for volume and destination, not just content. If you are building out detection capabilities, our ELK Stack Security Monitoring Tutorial covers setting up centralised logging for threat detection.
How to Protect Against WorldLeaks and Data Extortion
Prevention requires reducing what attackers can steal and hardening the infrastructure they target.
Subscribe for Updates
Segment and Minimise Sensitive Data
The Nike breach targeted design and manufacturing workflows. The UBS exposure came from a vendor with broad access to employee directories. Limit what attackers can reach if they gain access.
- Separate production IP, design files, and financial records from general corporate networks
- Apply need-to-know access controls; most employees do not require access to manufacturing specifications
- Encrypt data at rest with keys managed separately from the systems storing the data
- Retention policies should have teeth; data that no longer serves a business purpose is pure liability
The Chain IQ breach exposed data on 400+ contractual partners, some historical. Question whether that data needed to exist.
Harden VPN and Edge Devices
The OVERSTEP rootkit campaign exploited SonicWall SMA appliances that were fully patched but end-of-life. This fits a broader pattern of ransomware crews exploiting firewall and VPN appliances as their initial foothold. Google's analysis showed attackers used credentials stolen in prior intrusions, persisting even after security updates.
Immediate actions:
- Inventory all edge devices and identify any past end-of-life or end-of-support dates
- Replace, do not just patch, devices that have reached EOL
- Rotate all credentials (admin, local, directory users) for any device that may have been compromised
- Rotate OTP seeds and require users to re-enrol MFA tokens
Detection for compromised appliances:
- OVERSTEP modified boot processes and used the /etc/ld.so.preload file for persistence
- Attackers selectively deleted log entries; monitor for gaps in httpd.log, http_request.log, and inotify.log
- Capture disk images for forensic analysis; rootkit anti-forensic capabilities can hide artefacts from live system inspection
If your organisation uses SonicWall SMA 100 series devices, review GTIG's detailed indicators of compromise and follow SonicWall's firmware update guidance (version 10.2.2.2-92sv includes rootkit removal capabilities).
Manage Third-Party Vendor Risk
The Chain IQ breach affected UBS, Pictet, Swiss Life, Axa, FedEx, IBM, Swisscom, and others through a single vendor compromise. Third-party risk is not theoretical. Gartner predicted 45% of organisations would face supply chain attacks by 2025 (Gartner, 2021). The reality overshot the forecast: a BlackBerry survey found 75% had already been hit (BlackBerry, 2024), a pattern we documented in full in our Gartner 2025 retrospective.
Assess vendor data access:
- Which vendors hold employee PII, customer data, or sensitive business information?
- What is the minimum data set they actually need to perform their function?
- Can access be restricted to specific systems rather than broad network access?
Contractual requirements:
- Mandate breach notification within defined timeframes (24-72 hours)
- Require evidence of security controls (SOC 2 reports, penetration test results)
- Include audit rights for critical vendors
Monitor for downstream exposure:
- Subscribe to breach notification services that track vendor compromises
- When a vendor discloses a breach, immediately assess what data they held on your organisation
- Have a playbook for notifying affected employees before data appears on leak sites
What to Do If You're Hit by WorldLeaks
WorldLeaks' average time between initial attack and public claim is approximately 60 days. Some incidents show gaps of six months or more between initial access and data publication. Attackers are patient, and response must account for this.
Immediate steps:
- Isolate affected systems while preserving forensic evidence
- Capture disk images before remediation; OVERSTEP's rootkit features require disk imaging to avoid interference from anti-forensic capabilities
- Engage incident response providers; establish these relationships before you need them
Log retention and threat hunting:
- Retain security logs for at least 90 days, preferably longer for critical systems
- Centralise logs to prevent attackers from deleting evidence on compromised hosts
- Hunt for persistence mechanisms (scheduled tasks, startup items, modified boot processes)
- Review administrative actions on edge devices and domain controllers
For a structured approach to continuous security validation, see our guide to Continuous Threat Exposure Management (CTEM). CTEM's five-stage cycle provides a framework for the ongoing vigilance that extortion defence requires.
Reporting requirements:
Depending on your jurisdiction and the data involved, you may have legal obligations to report the incident. In the US, contact the FBI's Internet Crime Complaint Center (IC3) or your local FBI field office. The CISA Stop Ransomware website provides additional reporting guidance and resources.
Will WorldLeaks Attacks Continue?
WorldLeaks' model appears to be working. The group has maintained a steady operational tempo through 2025 and into 2026, with a run of claims in mid-2026 including Tata Electronics, Reliance Group, and Hungarian media group Mediaworks, whose 8.5TB leak is among the largest the group has posted.
Expect more extortion-focused groups to adopt similar tactics. When ransomware payments decline, threat actors adapt. It's been on the cards for a long time. I remember conversations over a decade ago about how pure extortion of valuable data does more damage than encrypting it and holding it for ransom. The shift from encryption to theft eliminates the need for complex decryption infrastructure while maintaining the core revenue model: pay us or we publish.
For organisations, the uncomfortable reality is that preventing data theft is harder than recovering from encryption. Detection, segmentation, and third-party risk management deserve renewed focus.
Subscribe for Updates
References and Sources
- BleepingComputer. (January 2026). Nike investigates data breach after extortion gang leaks files.
- The Register. (January 2026). Data thieves claim they stole 1.4TB from Nike.
- Group-IB. (July 2025). Hunters International rebrands as World Leaks.
- Chainalysis. (2025). Ransomware payments decline 35% year-over-year.
- Google Threat Intelligence Group. (July 2025). Ongoing SonicWall SMA Exploitation Campaign using the OVERSTEP Backdoor.
- Finews. (August 2025). UBS Hit by Darknet Data Leak Affecting 130,000 Staff.
- Hackread. (July 2025). World Leaks Claims Dell Data Breach, Leaks 1.3TB of Files.
- Infosecurity Magazine. (October 2025). Hunters International Ransomware Is Not Shutting Down, It's Rebranding.
- Reuters (June 2026, Tata Electronics)
- Darktrace (2026, World Leaks encryption incident)
- BlackFog (2026, Mediaworks)
Discussion in the ATmosphere