Who is WorldLeaks? The Ransomware Group Behind Nike Breach
WorldLeaks is a cybercrime group that has claimed over 116 victims since January 2025, including Nike, Dell, and UBS. Unlike traditional ransomware, they don't encrypt files. They steal data and threaten to publish it unless you pay.
The group emerged as a rebrand of Hunters International, abandoning file encryption entirely in favour of pure data extortion. For security teams, this shift changes the defensive calculus: your backup strategy no longer protects against the exposure of secrets.
WorldLeaks Origin: From Hunters International to Data Extortion
WorldLeaks launched on 1 January 2025 as a direct rebrand of Hunters International, a ransomware gang that operated from late 2023 until it wound down in mid-2025. Hunters International itself was flagged as a possible successor to Hive ransomware, which law enforcement dismantled in January 2023.
In November 2024, Hunters International administrators told affiliates the project was shutting down. The reasoning was blunt: ransomware had become "too risky and unprofitable" due to increased law enforcement pressure and declining ransom payments.
The core change was simple but significant: no more encryption. Instead of locking files and demanding payment for decryption keys, WorldLeaks steals data and threatens to publish it unless victims pay.
Chainalysis data supports this strategic pivot. Ransomware payments dropped 35% year-over-year, from $1.25 billion in 2023 to $813 million in 2024. When fewer victims pay for decryptors, the economics favour pure extortion.
How WorldLeaks Attacks Work: Data Theft Without Encryption
WorldLeaks functions as an Extortion-as-a-Service (EaaS) platform, providing affiliates with custom exfiltration tools to automate data theft. The operation maintains a four-platform infrastructure:
- Data leak site for publishing stolen files
- Victim negotiation portal with live chat
- Affiliate management panel
- Insider journalist portal granting media 24-hour advance access to leaks
The journalist portal is a notable innovation. By giving media early access to stolen data, WorldLeaks amplifies pressure on victims before full publication, leveraging reputational damage as a negotiation tool.
Group-IB confirmed the group has partnered with Secp0, another ransomware operation, sharing leak site infrastructure. This suggests WorldLeaks is positioning itself as shared extortion infrastructure for multiple threat groups.
WorldLeaks Nike Breach: What Happened in January 2026
On 23 January 2026, WorldLeaks listed Nike on its leak site, claiming to have stolen 1.4TB of data comprising 188,347 files. The leaked file structure pointed to product development and manufacturing workflows rather than customer databases.
Directory names in the dump included "Women's Sportswear", "Men's Sportswear", "Training Resource - Factory", and "Garment Making Process". The focus appears to be design files, production documentation, and factory training materials.
Nike confirmed it is investigating a potential cybersecurity incident: "We always take consumer privacy and data security very seriously. We are investigating a potential cyber security incident and are actively assessing the situation."
WorldLeaks removed the Nike entry from its leak site shortly after publishing samples. Removal usually means negotiations are under way or a payment has been made, but it is not proof of either. Nike has not confirmed whether any ransom was paid.
The timing is significant. Nike's breach comes weeks after Under Armour disclosed a separate attack by the Everest ransomware gang, which exposed 72.7 million customer records. Fashion and sportswear firms, with their complex global supply chains and constant design file transfers, appear to be attractive targets.
WorldLeaks Victims: Dell, UBS, and Other Major Breaches
WorldLeaks has targeted organisations across multiple sectors since January 2025. Several breaches stand out for their scale and downstream impact.
Dell Technologies (July 2025): Attackers claimed 1.3TB of internal data from Dell's Customer Solution Center, a demonstration platform. Dell confirmed the breach but emphasised the environment contained primarily synthetic data used for product demos. Customer and partner systems were not affected.
Chain IQ / UBS (June 2025): This breach had significant downstream impact. Chain IQ, a Swiss procurement services firm spun off from UBS, was attacked on 12 June 2025. The attackers stole 1.9 million files totalling 910GB.
Because Chain IQ serves as a vendor to multiple financial institutions, the breach exposed data on 130,000 UBS employees. Stolen data included names, email addresses, phone numbers, job titles, and office locations. UBS CEO Sergio Ermotti's internal phone number was reportedly included. Other affected companies included Pictet, Swiss Life, Axa, FedEx, IBM, and Swisscom.
L3Harris Technologies (August 2025): WorldLeaks listed this US defence contractor, though specific details of the breach have not been publicly confirmed.
The group has also targeted healthcare organisations extensively, including Kentfield Hospital, Madison Healthcare Services, and Northwest Medical Specialties.
WorldLeaks Attack Vectors: How They Get In
WorldLeaks affiliates have been linked to sophisticated technical operations beyond basic data theft. Google's Threat Intelligence Group (GTIG) identified a threat cluster tracked as UNC6148 targeting SonicWall Secure Mobile Access (SMA) 100 series appliances with a previously unknown rootkit called OVERSTEP.
The connection to WorldLeaks was established when an organisation targeted by UNC6148 in May 2025 appeared on the WorldLeaks leak site the following month.
OVERSTEP is a user-mode rootkit designed specifically for SonicWall appliances. It provides persistent access by modifying the device's boot process, steals credentials and OTP seeds, and hides its presence by selectively deleting log entries. The malware persists across firmware updates and device reboots.
UNC6148 reused credentials and OTP seeds stolen in earlier intrusions, which let it regain access even after organisations applied security patches; Google assessed this with high confidence. Google also noted that the group may have exploited an unknown zero-day vulnerability to deploy OVERSTEP, but did not confirm one.
SonicWall responded by accelerating the end-of-support date for SMA 100 series devices to December 2025 and releasing firmware updates to detect and remove the rootkit.
This level of technical sophistication suggests WorldLeaks affiliates have capabilities beyond opportunistic attacks. Edge network devices that lack traditional endpoint protection are proving to be valuable footholds. For more on attacker tooling and techniques, see our Threat Actor Tools guide.
How to Detect a WorldLeaks Attack
Defending against pure extortion operations requires different priorities than traditional ransomware defence. Your backup strategy, however robust, does not prevent data publication. Detection and prevention of exfiltration become the primary objectives.
WorldLeaks affiliates use custom exfiltration tools designed to automate large-scale data theft. The Nike breach involved 1.4TB across 188,000 files. The Chain IQ attack extracted 910GB. These volumes take time to move.
Network-level indicators of compromise:
- Sustained outbound connections to cloud storage services (Mega, Dropbox, anonymous file hosts)
- Unusual data transfer volumes, particularly outside business hours
- Connections to Tor guard (entry) relays or known proxy services; an internal host using Tor appears as traffic to guard relays, not exit nodes, so match egress against the full relay list rather than an exit-node feed
- Significant deviations from baseline egress patterns
Endpoint indicators:
- Archive creation in unusual locations (7zip, WinRAR activity in temp directories)
- Staging behaviour where files are collected before transfer
- Process injection into legitimate applications to evade detection
Many organisations detect ransomware through encryption activity but miss exfiltration because outbound transfers blend with legitimate traffic. Tune your DLP and SIEM rules for volume and destination, not just content. If you are building out detection capabilities, our ELK Stack Security Monitoring Tutorial covers setting up centralised logging for threat detection.
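The network-level indicators above (destination, volume, off-hours timing, deviation from baseline) can be expressed as one SIEM-style rule. The following is an added example, not code from the article or from any vendor: it builds a per-host daily egress baseline from constructed proxy records and flags the last day on three conditions. The log format (ISO timestamp, source host, destination domain, bytes out), the business-hours window, the thresholds and the file-host suffix list are all assumptions to be replaced with your own.

```python
"""Egress-baseline detection for bulk data theft (added example, constructed input)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Destinations the article names as common sinks, plus assumed anonymous file hosts.
FILE_HOST_SUFFIXES = ("mega.nz", "mega.io", "dropbox.com", "dropboxusercontent.com",
                      "transfer.sh", "gofile.io")
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 local time; assumed


def is_file_host(domain):
    """Match a domain or any subdomain of a known file-hosting service."""
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in FILE_HOST_SUFFIXES)


def parse(line):
    """Assumed record format: '<iso-timestamp> <src-host> <dst-domain> <bytes-out>'."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def per_host_days(records):
    """Aggregate bytes out per host per day; track file-host and off-hours shares."""
    agg = defaultdict(lambda: defaultdict(lambda: {"total": 0, "filehost": 0, "offhours": 0}))
    for ts, src, dst, n in records:
        day = agg[src][ts.date()]
        day["total"] += n
        if is_file_host(dst):
            day["filehost"] += n
            if ts.hour not in BUSINESS_HOURS:
                day["offhours"] += n
    return agg


def detect(lines, ratio=5.0, floor=1_000_000_000, filehost_floor=500_000_000):
    """Compare each host's latest day with the median of its earlier days.

    Returns (host, reason, bytes, baseline) tuples. The absolute floors stop
    a quiet workstation from alerting on a few hundred megabytes.
    """
    records = [parse(ln) for ln in lines if ln.strip()]
    agg = per_host_days(records)
    findings = []
    for host, days in agg.items():
        ordered = sorted(days)
        if len(ordered) < 2:
            continue  # no history to baseline against
        today = ordered[-1]
        baseline = median(days[d]["total"] for d in ordered[:-1])
        cur = days[today]
        if cur["total"] >= floor and cur["total"] > ratio * max(baseline, 1):
            findings.append((host, "egress_spike", cur["total"], baseline))
        if cur["filehost"] >= filehost_floor:
            findings.append((host, "file_host_volume", cur["filehost"], baseline))
        if cur["offhours"] >= filehost_floor // 2:
            findings.append((host, "off_hours_file_host", cur["offhours"], baseline))
    return findings


# Constructed sample: seven quiet days, then one host pushes 40 GB to mega.nz at night.
SAMPLE_LOG = []
for day in range(1, 8):
    SAMPLE_LOG.append(f"2026-01-{day:02d}T10:15:00 ws-042 sharepoint.corp.example 200000000")
    SAMPLE_LOG.append(f"2026-01-{day:02d}T11:00:00 srv-build artifacts.corp.example 5000000000")
    SAMPLE_LOG.append(f"2026-01-{day:02d}T14:30:00 ws-017 sharepoint.corp.example 150000000")
SAMPLE_LOG += [
    "2026-01-08T02:10:00 ws-042 mega.nz 20000000000",
    "2026-01-08T03:40:00 ws-042 mega.nz 20000000000",
    "2026-01-08T11:00:00 srv-build artifacts.corp.example 6000000000",  # large but normal for it
    "2026-01-08T14:30:00 ws-017 sharepoint.corp.example 150000000",
]

if __name__ == "__main__":
    for host, reason, nbytes, baseline in detect(SAMPLE_LOG):
        print(f"{host}: {reason} ({nbytes / 1e9:.1f} GB today, baseline {baseline / 1e6:.0f} MB/day)")
```

The build server is deliberately included: it moves more data than the workstation every day, but because the baseline is per host it does not alert, while the workstation trips all three conditions. Volume and destination rules of this kind catch staging-and-upload behaviour that content-based DLP misses when the stolen files are design documents rather than recognisable PII.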
How to Protect Against WorldLeaks and Data Extortion
Prevention requires reducing what attackers can steal and hardening the infrastructure they target.
Segment and Minimise Sensitive Data
The Nike breach targeted design and manufacturing workflows. The UBS exposure came from a vendor with broad access to employee directories. Limit what attackers can reach if they gain access.
- Separate production IP, design files, and financial records from general corporate networks
- Apply need-to-know access controls; most employees do not require access to manufacturing specifications
- Encrypt data at rest with keys managed separately from the systems storing the data
- Retention policies should have teeth; data that no longer serves a business purpose is pure liability
The Chain IQ breach exposed data on 400+ contractual partners, some historical. Question whether that data needed to exist.
Harden VPN and Edge Devices
The OVERSTEP rootkit campaign exploited SonicWall SMA appliances that were fully patched but end-of-life. Google's analysis showed attackers used credentials stolen in prior intrusions, persisting even after security updates.
Immediate actions:
- Inventory all edge devices and identify any that have passed, or are approaching, their end-of-life or end-of-support dates
- Replace, do not just patch, devices that have reached EOL
- Rotate all credentials (admin, local, directory users) for any device that may have been compromised
- Rotate OTP seeds and require users to re-enrol MFA tokens
Detection for compromised appliances:
- OVERSTEP modified the boot process and added an entry to /etc/ld.so.preload, which forces its library into every dynamically linked process; on an appliance that file should be empty or absent, so any entry warrants investigation
- Attackers selectively deleted log entries; monitor for gaps in httpd.log, http_request.log, and inotify.log
- Capture disk images for forensic analysis; rootkit anti-forensic capabilities can hide artefacts from live system inspection
If your organisation uses SonicWall SMA 100 series devices, review GTIG's detailed indicators of compromise and follow SonicWall's firmware update guidance (version 10.2.2.2-92sv includes rootkit removal capabilities).
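Because OVERSTEP hides from live inspection, the checks above are best run offline against a mounted disk image. The script below is an added example, not SonicWall's or GTIG's tooling: it reads /etc/ld.so.preload from the image root and looks for timestamp gaps in the three log files the article names. The log location under var/log, the timestamp format and the placeholder library name are assumptions; the sample image tree is constructed inline so the script runs without an appliance.

```python
"""Offline triage of a mounted appliance image for ld.so.preload persistence and log gaps
(added example; paths, log format and the placeholder library name are assumed)."""
import os
import re
import tempfile
from datetime import datetime, timedelta

LOGS = ("httpd.log", "http_request.log", "inotify.log")  # named in the article
TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2})[ T](\d{2}:\d{2}:\d{2})")  # assumed format


def preload_entries(root):
    """Libraries listed in etc/ld.so.preload; a clean appliance yields an empty list."""
    path = os.path.join(root, "etc", "ld.so.preload")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as f:
        return [ln.strip() for ln in f if ln.strip() and not ln.lstrip().startswith("#")]


def timestamps(lines):
    """Extract parseable timestamps in file order; unparseable lines are skipped."""
    out = []
    for ln in lines:
        m = TS_RE.search(ln)
        if m:
            out.append(datetime.fromisoformat(f"{m.group(1)}T{m.group(2)}"))
    return out


def gaps(ts, max_gap):
    """Consecutive entries further apart than max_gap, as (before, after) pairs."""
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > max_gap]


def triage(root, max_gap=timedelta(hours=2)):
    """Run both checks against an image mounted (read-only) at root.

    A missing log file is reported as None rather than 'no gaps': an absent
    log on a device that should always be logging is itself a finding.
    """
    result = {"ld_preload": preload_entries(root), "log_gaps": {}}
    for name in LOGS:
        path = os.path.join(root, "var", "log", name)  # assumed location
        if not os.path.isfile(path):
            result["log_gaps"][name] = None
            continue
        with open(path, encoding="utf-8", errors="replace") as f:
            result["log_gaps"][name] = gaps(timestamps(f), max_gap)
    return result


def build_sample_image():
    """Constructed image tree for demonstration. The preload library is a placeholder,
    not a real OVERSTEP indicator; take real IOCs from GTIG's report."""
    root = tempfile.mkdtemp(prefix="sma_img_")
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "var", "log"))
    with open(os.path.join(root, "etc", "ld.so.preload"), "w") as f:
        f.write("/usr/lib/libexample_hook.so\n")
    # httpd.log: one entry every 10 minutes, with everything between 02:00 and 05:00 removed
    start, end = datetime(2025, 5, 20, 0, 0, 0), datetime(2025, 5, 20, 8, 0, 0)
    hole = (datetime(2025, 5, 20, 2, 0, 0), datetime(2025, 5, 20, 5, 0, 0))
    with open(os.path.join(root, "var", "log", "httpd.log"), "w") as f:
        t = start
        while t < end:
            if not (hole[0] <= t < hole[1]):
                f.write(f"[{t:%Y-%m-%d %H:%M:%S}] GET /cgi-bin/portal 200\n")
            t += timedelta(minutes=10)
    with open(os.path.join(root, "var", "log", "http_request.log"), "w") as f:
        f.write("2025-05-20 00:00:00 request ok\n2025-05-20 00:10:00 request ok\n")
    # inotify.log deliberately absent
    return root


if __name__ == "__main__":
    report = triage(build_sample_image())
    print("ld.so.preload entries:", report["ld_preload"] or "none")
    for name, found in report["log_gaps"].items():
        if found is None:
            print(f"{name}: MISSING")
        else:
            print(f"{name}: {len(found)} gap(s)", [(a.isoformat(), b.isoformat()) for a, b in found])
```

Tune max_gap to the device's normal quiet periods before trusting a gap as evidence of deletion, and treat a populated ld.so.preload on an appliance as a finding in its own right regardless of what the live system reports.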
Manage Third-Party Vendor Risk
The Chain IQ breach affected UBS, Pictet, Swiss Life, Axa, FedEx, IBM, Swisscom, and others through a single vendor compromise. Third-party risk is not theoretical. Gartner predicted that 45% of organisations would experience attacks on their software supply chains by 2025.
Assess vendor data access:
- Which vendors hold employee PII, customer data, or sensitive business information?
- What is the minimum data set they actually need to perform their function?
- Can access be restricted to specific systems rather than broad network access?
Contractual requirements:
- Mandate breach notification within defined timeframes (24-72 hours)
- Require evidence of security controls (SOC 2 reports, penetration test results)
- Include audit rights for critical vendors
Monitor for downstream exposure:
- Subscribe to breach notification services that track vendor compromises
- When a vendor discloses a breach, immediately assess what data they held on your organisation
- Have a playbook for notifying affected employees before data appears on leak sites
What to Do If You're Hit by WorldLeaks
WorldLeaks' average time between initial attack and public claim is approximately 60 days. Some incidents show gaps of six months or more between initial access and data publication. Attackers are patient, and response must account for this.
Immediate steps:
- Isolate affected systems while preserving forensic evidence
- Capture disk images before remediation; OVERSTEP's rootkit features require disk imaging to avoid interference from anti-forensic capabilities
- Engage incident response providers; establish these relationships before you need them
Log retention and threat hunting:
- Retain security logs for at least 90 days, preferably longer for critical systems
- Centralise logs to prevent attackers from deleting evidence on compromised hosts
- Hunt for persistence mechanisms (scheduled tasks, startup items, modified boot processes)
- Review administrative actions on edge devices and domain controllers
For a structured approach to continuous security validation, see our guide to Continuous Threat Exposure Management (CTEM). CTEM's five-stage cycle provides a framework for the ongoing vigilance that extortion defence requires.
Reporting requirements:
Depending on your jurisdiction and the data involved, you may have legal obligations to report the incident. In the US, contact the FBI's Internet Crime Complaint Center (IC3) or your local FBI field office. The CISA Stop Ransomware website provides additional reporting guidance and resources.
Will WorldLeaks Attacks Continue?
WorldLeaks' model appears to be working. The group has maintained a steady operational tempo throughout 2025, claiming over 116 victims across multiple sectors and geographies.
Expect more extortion-focused groups to adopt similar tactics. When ransomware payments decline, threat actors adapt. It's been on the cards for a long time, and I remember conversations over a decade ago that pure extortion of valuable data is much more damaging than encrypting and holding data for ransom. The shift from encryption to theft eliminates the need for complex decryption infrastructure while maintaining the core revenue model: pay us or we publish.
For organisations, the uncomfortable reality is that preventing data theft is harder than recovering from encryption. Detection, segmentation, and third-party risk management deserve renewed focus.
Last updated: January 2026
References and Sources
- BleepingComputer. (January 2026). Nike investigates data breach after extortion gang leaks files.
- The Register. (January 2026). Data thieves claim they stole 1.4TB from Nike.
- Group-IB. (July 2025). Hunters International rebrands as World Leaks.
- Chainalysis. (2025). Ransomware payments decline 35% year-over-year.
- Google Threat Intelligence Group. (July 2025). Ongoing SonicWall SMA Exploitation Campaign using the OVERSTEP Backdoor.
- Finews. (August 2025). UBS Hit by Darknet Data Leak Affecting 130,000 Staff.
- Hackread. (July 2025). World Leaks Claims Dell Data Breach, Leaks 1.3TB of Files.
- Infosecurity Magazine. (October 2025). Hunters International Ransomware Is Not Shutting Down, It's Rebranding.