Fast forward to 2025 — the Qilin ransomware group has come to dominate the cybercrime landscape to an unprecedented degree. It accounts for almost 29% of all ransomware attacks, per data from NCC Group. The group has recently gained a reputation for its opaque tactics. Just last month, it waged a destructive supply chain attack aimed directly at South Korea’s financial sector, and the breach has had a devastating impact: Qilin ransomware has already been deployed in attacks, and sensitive data has been exfiltrated from at least four victims.
The Qilin ransomware group benefits greatly from a classic affiliate model, which lets it recruit millions of hackers to conduct sophisticated attacks. In exchange, these affiliates keep as much as 20% of the illicit payments their operations produce. This operational structure has contributed to Qilin’s rapid growth: the group claimed over 180 victims in October 2025 alone.
The “Korean Leaks” campaign, a focal point of Qilin’s recent activities, illustrates the group’s aggressive tactics. The operation has resulted in the theft of more than a million files, and it has leaked two terabytes of information from 28 other victims. This social media campaign rolled out in three waves, focusing first on the financial management industry and then on all other industries.
The Korean Leaks Campaign
Wave 1
The initial wave of the first round, dubbed “Wave 1,” consisted of ten victims from the financial management industry. It was released on September 14, 2025. “Wave 2” then featured nine more victims, with information made public between September 17 and September 19, 2025. Lastly, “Wave 3” included nine other national IPV victims, with publishing dates between September 28 and October 4, 2025.
Bitdefender is particularly concerned that this whole operation was pitched as a public-service mission to expose systemic corruption. The members promptly threatened to release files that would lay bare stock market manipulation, and even teased outing elite politicians and business people from Korea. Qilin members have described themselves as “political activists” and “patriots of the country.” Their roots most likely go back to Russia, which is reason enough for them to avoid using sensitive data.
“The entire campaign was framed as a public-service effort to expose systemic corruption, exemplified by the threats to release files that could be ‘evidence of stock market manipulation’ and names of ‘well-known politicians and businessmen in Korea,’” – Bitdefender
Connections to State-Sponsored Actors
According to analysis from Google’s Threat Analysis Group, Qilin has ties with Moonstone Sleet, a North Korean state-sponsored hacker group skilled in cyber intelligence operations. In April 2024, Moonstone Sleet released a custom ransomware variant called FakePenny, substantially impairing its target, a defense technology company. This connection has raised fears that transnational criminal organizations and state-sponsored actors may jointly carry out sophisticated cyberattacks.
Bitdefender describes an operation that combined the strengths of a major Ransomware-as-a-Service (RaaS) collective with actors who had worked with the North Korean state. The use of a Managed Service Provider (MSP) compromise as the initial access vector is therefore especially worrying, and it exposes alarming weaknesses in current cybersecurity practice.
“This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet), leveraging Managed Service Provider (MSP) compromise as the initial access vector,” – Bitdefender
The greatest risk comes from vendors and contractors with access to other businesses, a problem that is all too easily brushed under the rug in cybersecurity discussions. As RaaS groups grow more sophisticated, they look for ways to reach many victims at once through such relationships.
“Exploiting a vendor, contractor, or MSP that has access to other businesses is a more prevalent and practical route that RaaS groups seeking clustered victims can take,” – Bitdefender
Implications for Cybersecurity
The rapid rise of Qilin ransomware is a reminder that organizations urgently need to strengthen their cybersecurity capabilities before it is too late. The group’s capacity to carry out large-scale attacks while claiming political motives muddies the cybersecurity/cybercrime conversation. Companies and institutions need to stay watchful as they operate in the space of social change, and must arm themselves against threats from independent hackers as well as state-sponsored actors.
As the tactics of the “Korean Leaks” campaign show, these types of vulnerabilities are found across many sectors, illustrating the far-reaching impact that cyberattacks can have. Industry stakeholders of all stripes will want to keep their eyes peeled, and to properly mitigate the risk from these sophisticated threats they need to take proactive cybersecurity approaches.