Welcome to the ransomware underworld, where the only thing more volatile than the payloads are the egos. Over the past year, the ransomware landscape has devolved into a cybercrime soap opera: gang infighting, site hijackings, affiliate poaching, public doxing, courtroom drama, and enough backstabbing to make a reality show jealous.
While the threats remain real and dangerous to victims, the sheer level of drama among these criminal syndicates is starting to look more like a cybercrime TMZ highlight reel.
DragonForce Declares War on Everyone
Consider DragonForce, the self-styled “cartel” that made a name for itself not just by launching ransomware attacks, but by launching full-on digital offensives against other gangs. In March 2025, DragonForce hijacked the leak site of rival RansomHub, replacing its homepage with a tombstone graphic and the ominous message: “R.I.P 3/3/25.”
The following month DragonForce also defaced the infrastructure of ransomware groups BlackLock (formerly El Dorado) and Mamona. DragonForce took over their leak sites, plastered them with DragonForce branding, and dropped their internal chat logs and backend configurations. The message was clear: DragonForce was in the game to do more than encrypt files; they were here to dominate the entire ransomware-as-a-service (RaaS) ecosystem.
Researchers later confirmed that DragonForce exploited sloppy AI-generated backend code in rival infrastructure, allowing them to take over portals and leak sites. It turns out, cutting corners with tools like ChatGPT for dark web operations came with consequences for the targeted groups.
RansomHub Retaliates, But Affiliates Pay the Price
Days after DragonForce hijacked its site, RansomHub retaliated with its own defacements and warnings aimed at DragonForce, escalating tensions. Affiliates caught in the middle were unsure which side to align with.
Private forums lit up with paranoia as operators accused one another of betrayal, defection, and sabotage. Leaked messages hinted at backdoor deals, affiliate sniping, and ransom payment interference. The gloves were off.
This wasn’t just rivalry; it was open warfare. Affiliates knew that one misstep could result in their sensitive information being leaked, their data being torched, or their payout vanishing mid-operation. Many RansomHub affiliates fled to different groups, including Qilin.
BlackBasta Implodes via Internal Chat Leak
In February, a massive dump of BlackBasta internal chat logs hit the dark web, exposing technical details, ransom negotiations, internal bickering, and even plans for future campaigns. The source of the leak was never officially identified, but the fallout was immediate: operations paused, affiliates splintered, and leadership went dark.
The leak fractured trust across the entire affiliate network. Transcripts revealed petty infighting, sloppy opsec, and chaotic management that shattered any illusion of professionalism. Affiliates saw firsthand how disposable they really were: ignored, underpaid, or blamed when jobs went sideways.
Some logs hinted at failed payouts; others at turf encroachment by so-called partners. The leaks didn’t just expose chat logs; they exposed a hierarchy built on paranoia, greed, and internal decay. In the aftermath, multiple former affiliates defected or went silent, unwilling to stake their reputations on a brand that couldn’t keep its secrets or its people in line.
Conti and TrickBot Leaders Doxed One by One
The whistleblower group GangExposed began a public naming-and-shaming campaign in May 2025, publishing detailed profiles and internal chat logs exposing Conti and TrickBot operators, including big names like Stern, Professor, Mango, and Defender. Personal information, vacation videos, and ransom negotiation threads were included in the leak.
Affiliates and partners responded with fear. Former colleagues turned on each other. Once-feared names in ransomware circles quickly became radioactive. Internal channels exploded with denials, finger-pointing, and desperate attempts to scrub connections.
The leaked materials painted a vivid picture of operational arrogance and infighting at the top, complete with lavish lifestyles and careless slips that made them easy targets. Rival groups seized the moment, spreading the dox further to burn reputations and poach disillusioned affiliates.
What began as a reputational wound quickly became a full-blown hemorrhage, forcing anyone remotely connected to the exposed leadership to either disappear or switch allegiances overnight.
DevMan Exposed by GangExposed
The doxing wave continued in June when DevMan, a rising RaaS player linked to DragonForce, got hit with a very public identity leak courtesy of GangExposed. Screenshots, aliases, and asset trails were dumped online. The timing was pointed, coming just as DevMan had started poaching affiliates from other groups.
Exposure like this can destroy operational continuity and loyalty in the criminal underground. Affiliates pulled back fast, and dark web chatter suggested DevMan’s campaign momentum stalled. The leak cracked open DevMan’s internal structure, exposing how thinly veiled the operation’s security really was.
Forums buzzed with ridicule and suspicion. Some claimed DevMan was a liability; others accused them of being careless, or worse, compromised. The threat actor’s credibility evaporated almost overnight, and affiliates weighing lucrative offers suddenly ghosted, unwilling to risk their anonymity by associating with a brand that couldn’t keep its own team off the radar. In a world built on fear and reputation, DevMan had been stripped of both.
LockBit Gets Hacked and Humiliated
In May 2025, LockBit’s leak site was defaced with the mocking taunt: “Don’t do crime… from Prague.” The group’s internal data, including decryption keys and affiliate chats, was dumped in the open. It was brazen humiliation.
LockBit had long cultivated an image of resilience. This incident shattered that narrative and put their credibility in freefall. In a desperate bid to regain relevance, LockBitSupp falsely claimed responsibility for a breach at the U.S. Treasury, a boast that was quickly debunked by federal authorities and dismissed by the security community as hollow bluster.
Instead of restoring fear, the move came off as a transparent PR stunt from a group flailing to mask its own collapse. Internally, affiliate trust eroded. Recruitment slowed. Rivals circled like sharks, mocking LockBit’s fall from dominance and raiding their former talent pool.
For a group that once set the standard for RaaS professionalism, the public unraveling was a signal to the ecosystem: no group was untouchable.
REvil: Back from the Grave?
In June, four convicted members of the now-defunct REvil gang were quietly released from Russian custody after receiving five-year sentences. They walked free due to time already served in pretrial detention. Charges were for credit card fraud, not ransomware.
Their release raised an alarm. Would they resurface under new banners? Would their old tools be passed down or repackaged? Forums erupted with speculation, with some suggesting these veteran threat actors might be quietly advising or even returning under new names. With intact playbooks and high-value contacts, REvil’s return would likely create more instability across the cybercrime underground.
Hunters International: Exit Stage Left
In July, Hunters International abruptly shut down and began offering free decryptors to past victims. But the goodwill facade quickly cracked. Researchers tied the closure to a rebrand as “World Leaks,” a data-extortion-focused operation already ramping up campaigns.
Rivals mocked the group for the stunt, and affiliates scrambled to decide whether to follow the pivot or jump ship. Some called it a “panic pivot,” while others speculated it was a preemptive move to evade law enforcement heat.
Either way, the rebrand was clumsy. Victims weren’t fooled. Threat intel teams traced the infrastructure, syntax, and tactics right back to the same crew. In private forums, even loyal affiliates admitted the exit looked more like a marketing ploy than a retirement.
Meanwhile, competitors seized the moment by painting Hunters as weak, desperate, and compromised. For a group once considered a rising player in the RaaS space, the hasty rebrand reeked of damage control. It wasn’t a graceful exit. It was a brand in freefall trying to change clothes mid-sprint.
BlackCat/ALPHV, RansomHub, DragonForce and Scattered Spider: A Tangled Web
While less theatrical, the unraveling of the BlackCat/ALPHV and Scattered Spider alliance mattered. After ALPHV’s December 2023 takedown, Scattered Spider abandoned the brand. The group was later linked to campaigns under RansomHub and has since been observed aligning with DragonForce, suggesting their allegiances shift based on who holds the most leverage or visibility at the moment.
Affiliates splintered. New alliances formed. It was less turf war than quiet fragmentation. But in this ecosystem, dissolving a working partnership can expose deep strategic fractures.
Scattered Spider, prized for their social engineering precision, was suddenly an affiliate up for grabs. Multiple RaaS crews rushed to recruit the group, offering better cuts and more autonomy. Meanwhile, former BlackCat/ALPHV affiliates questioned the value of loyalty when leadership could disappear overnight.
What began as a silent split rippled outward, destabilizing multiple campaigns and flooding the underground with freelancers, burned insiders, and new competitors. There were no headlines, no public statements, just the cold efficiency of a fractured machine breaking into smaller, more dangerous pieces.
A New Kind of Ransomware Warfare
This past year, the ransomware game has shifted from profit-driven crime to brand-driven warfare. Gangs aren’t just chasing ransom payments anymore; they’re battling for dominance, ego, and control of the narrative. For defenders, this fractured landscape brings heightened unpredictability and increasingly impactful consequences.
Multi-extortion tactics are evolving. Threat actors are not only exfiltrating sensitive data and threatening public leaks, but also launching DDoS attacks, harassing executives, or targeting customers, employees, and third-party partners to amplify pressure.
Critically, exfiltrated data often doesn’t stay contained to the original incident. Even if a victim pays or believes the data was deleted, it can resurface weeks or months later to be sold, traded, or re-leveraged by a different crew entirely.
In this chaotic landscape of collapsing alliances and constant rebrands, attribution is murkier than ever, ransom demands are less predictable, and the boundary between extortion and sabotage continues to dissolve.
With technical sabotage, doxing campaigns, affiliate poaching, infrastructure hijacks, and public shaming now standard tactics, we expect to see continued infighting across an already unstable criminal ecosystem. Alliances are collapsing. Operators are flipping. Reputations are being torched in real time.
For defenders, this chaos means traditional methods of defense no longer apply. Organizations require timely, actionable intelligence, agile defenses, and more holistic visibility into a cybercrime world where today’s partners could become tomorrow’s enemies.
The drama isn’t just noise; it’s a warning of how fast the threat landscape can shift and evolve. The next implosion is already overdue. Stay tuned.