Skip to content
The Nexus
Underground88 active groups1557 claimed victims in 30 days

Underground

Public ransomware leak-site postings, aggregated and stripped of attacker infrastructure. Tracks which groups are active, what sectors they hit, and where claimed victims are based. Useful as an early signal, not a breach confirmation.

By the numbers: the ransomware report →
This week in UndergroundWeek of 2026-07-04

Qilin defined the week, posting 50 claimed victims, up 30 from the prior week and more than any other group by a wide margin. Krybit's jump from near-zero to 25 claimed postings adds a second sharp spike, and the two entries for "the gentlemen" (23 and 20 respectively) point to sustained output from that operation as well. Total claimed postings across the leak-site ecosystem rose to 324 from 299, with 45 groups active, but the week's shape is concentration at the top rather than broad growth: the four leading groups alone account for well over a third of all claimed activity.

Business Services led sector claims with 26 postings, followed by Manufacturing at 19 and Consumer Services at 18, while Healthcare (16) and Technology (14) kept pace just behind. Geographically the week stayed anchored to the US, which was named in 43 postings, more than double any other country; Germany followed at 17, lifted in part by a claimed Deutsche Bank posting from the group calling itself "unsafe," a notable target given the sector's usual low profile on leak sites.

Beyond the top tier, smaller or newer names such as Pure Extraction And Ransom and Blackfield surfaced with multiple claimed postings apiece, spreading activity across a long tail of less-established operations. The week's overall pattern is one of intensity at the top rather than diversification: a handful of groups, led decisively by Qilin, drove the increase in total volume.

By The Nexus · refreshed weekly · Jul 4 · 14:32 UTC
349
Last 7 days
1557
Last 30 days
88
Active groups (30d)
2170
Tracked total
Sister trackerKEV. CISA Known Exploited Vulnerabilities

The vulnerabilities attackers are using right now. Where Underground shows who got hit, KEV shows what they came in through.

Open →
Weekly volume · top groupsLast 10 weeks
Active groups (30d)All groups →
Top sectors (30d)
Top countries (30d)
Recent claimed victimsShowing 25 of 2170
AKIRAJul 8 · 15:54 UTC

Wade's Dairy

AKIRAAgriculture and Food ProductionUnited KingdomJul 8 · 13:21 UTC

Wade's Dairy

CHAOSBusiness ServicesUnited StatesJul 8 · 07:22 UTC

opportune.com

www.zoominfo.com/c/opportune-llp/147440067
CHAOSHealthcareUnited StatesJul 8 · 07:22 UTC

corepharma.com

www.zoominfo.com/c/corepharma-llc/30217761
DATALEAKJul 8 · 06:50 UTC

<h2 id="about">ABOUT</h2> <p>Nissin Foods Do Brasil Ltda is a company that operates in the

DATALEAKJul 8 · 06:50 UTC

<h2 id="about">ABOUT</h2> <p>The RKW Group is an independent private company headquartered

DATALEAKJul 8 · 06:50 UTC

<h2 id="about">ABOUT</h2> <ul> <li></li> </ul> <h2 id="target">TARGET</h2> <p>ni*usa.com</

DATALEAKJul 8 · 06:50 UTC

<h2 id="about">ABOUT</h2> <p>SCHERDELWiesauplast ist ein international tätiger Hersteller

DATALEAKJul 8 · 06:50 UTC

<h2 id="about">ABOUT</h2> <p>The Beacon Insurance Company Limited is ranked as the fourth