The notorious Hunters International ransomware group has reportedly ceased operations, but cybersecurity experts warn that this is not a genuine shutdown. Instead, the group appears to have undergone a strategic rebranding, re-emerging as “World Leaks” with a renewed focus on pure data extortion rather than traditional file encryption. This shift signals a significant adaptation in the evolving landscape of cybercrime, driven by increased pressure from law enforcement and a desire to maximize profitability.
Hunters International, which launched in late 2023 as a suspected rebrand of the now-defunct Hive ransomware, announced its closure on its dark web leak site on July 3, promising to release free decryption keys for past victims. While a “gesture of goodwill” might seem uncharacteristic for a group linked to over 300 attacks, including those against major entities like India’s Tata Technologies and the US Marshals Service, analysts are highly skeptical.
Threat intelligence firms, including Group-IB, had been tracking the group’s intentions to pivot towards an extortion-only model since early 2025. Internal communications within the cybercrime underground had already revealed discussions about the launch of a new project, “World Leaks,” advising Hunters International affiliates to transition. This new platform, active since May 2025, mirrors Hunters International’s design and functionality, with a distinct emphasis on publishing stolen data if ransom demands are not met.
The move away from encryption-based ransomware, a hallmark of Hunters International’s previous operations, is a calculated response to the escalating efforts of global law enforcement. As governments intensify their crackdown on ransomware infrastructure and pursue individual perpetrators, cybercriminal groups are seeking methods that are perceived as less risky and more profitable. Data exfiltration and extortion, without the complexities of encryption and the potential for decryptor failures, offer a streamlined attack vector.
However, despite claims of being purely extortion-based, reports indicate that some World Leaks victims have still experienced ransomware deployment on their networks, suggesting a mixed approach or a lingering element of their old tactics. This rebranding effort underscores the fluid nature of the cyber threat landscape, where criminal organizations constantly adapt their strategies to evade detection, maintain anonymity, and continue their illicit operations. For organizations, the emergence of “World Leaks” means a continued vigilance against data theft and the potential public exposure of sensitive information, even in the absence of traditional ransomware attacks.
