Hunters International Ransomware Group Announces Shutdown, Sparks Rebranding Skepticism

On July 3, 2025, the notorious Hunters International ransomware-as-a-service (RaaS) group announced the closure of its operations via a statement on its dark web leak site, claiming to offer free decryption keys to victims as a parting gesture. The group cited "recent developments" without elaboration, leaving it unclear whether the decision stems from law enforcement pressure, from having made enough money, or from other motives. However, cybersecurity experts widely suspect this shutdown is a strategic rebrand to evade scrutiny, with evidence pointing to a transition to an extortion-only operation named World Leaks.

Shutdown Announcement and Decryption Keys

The Hunters International statement read: “After careful consideration and in light of recent developments, we have decided to close the Hunters International project. This decision was not made lightly, and we recognize the impact it has on the organizations we have interacted with.” The group pledged to provide free decryption tools to victims, directing them to its official website for access, though no such tools were publicly available at the time of the announcement. The move follows a November 17, 2024, statement where the group cited declining profitability and increased law enforcement scrutiny as reasons for planning a shutdown. Despite this, operations continued, raising doubts about the group's intentions.

Allan Liska, a threat intelligence analyst at Recorded Future, told TechCrunch that the release of decryption keys is likely a low-cost gesture, as remaining victims are unlikely to pay ransoms. “As far as releasing decryption keys, at this point they aren’t likely to make any money from any Hunters’ victims who are still out there, so they probably see it as a gesture that doesn’t really cost them anything,” Liska noted.

Rebranding to World Leaks

Security researchers, including those from Group-IB, have reported that Hunters International is not retiring but rebranding as World Leaks, a data extortion-only group that forgoes encryption. Launched on January 1, 2025, World Leaks uses a custom-built data exfiltration tool, an upgraded version of Hunters’ Storage Software, to automate data theft and blackmail. This shift reflects a broader trend among ransomware groups moving to lower-risk, high-reward extortion tactics, as encryption-based attacks draw heavier law enforcement attention. Group-IB noted, “From the administrator’s perspective, ransomware is no longer profitable and risky.”

The rebranding theory is supported by the group’s history and industry patterns. Hunters International, which emerged in late 2023, was flagged as a potential rebrand of the Hive ransomware group due to code similarities. Similarly, other ransomware groups like DarkSide, which rebranded to BlackMatter and later ALPHV/BlackCat after the Colonial Pipeline attack, and REvil, preceded by GandCrab, have used rebranding to evade law enforcement and refresh their operations.

Strategic Motives and Skepticism

Cybersecurity experts remain skeptical of Hunters International’s claimed shutdown. Daniel dos Santos of Forescout noted that the move to World Leaks confirms ransomware groups’ awareness of increasing law enforcement crackdowns, stating, “The fight against ransomware is moving from the virtual to the real plane.” Luke Connolly of Emsisoft cautioned that the decryption key offer should be viewed skeptically, as “ransomware groups are notorious for making false claims in support of their own objectives.” The lack of verifiable decryption tools on Hunters’ website further fuels doubts about the group’s sincerity.

Rebecca Moody of Comparitech emphasized that World Leaks’ focus on data extortion is “potentially more lucrative” than ransomware, as it avoids the complexities of encryption while maintaining leverage through stolen data. World Leaks has already claimed 33 attacks, including against Chain IQ and Freedom Healthcare, since its launch.

Hunters International’s Track Record

Active since October 2023, Hunters International conducted over 280 attacks globally, targeting sectors like healthcare, real estate, and financial services. Notable victims included the Fred Hutch Cancer Center, where data of over 800,000 cancer patients was stolen, Tata Technologies, the U.S. Marshals Service, and ICBC’s London branch. The group’s malware, written in Rust, supported multiple platforms (Windows, Linux, FreeBSD, SunOS, ESXi) and architectures (x64, x86, ARM), showcasing its technical sophistication.

Implications for Victims and Organizations

While the offer of free decryption keys could benefit some victims, experts warn that the tools may be unreliable or incomplete, as cybercriminals rarely prioritize robust “customer support.” Organizations are advised to enhance defenses against data exfiltration, including real-time monitoring, endpoint security, and employee training to counter phishing tactics like callback phishing, which Hunters International has employed. The shift to World Leaks underscores the need for proactive measures to detect and respond to data theft, as backups alone are insufficient against extortion-only attacks.
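The paragraph above recommends real-time monitoring for data exfiltration because backups do not help against extortion-only groups. The following added example (written for this edit, not code from the article or from any vendor quoted in it) shows the kind of check such monitoring performs: it aggregates outbound bytes per source host, destination and hour from proxy-style log lines and flags any hour in which a host pushes a large volume to one destination far above that host's normal hourly volume elsewhere. The log lines, host names, destinations, byte counts and thresholds are all constructed for illustration.

```python
"""Flag outbound transfer spikes that look like bulk data exfiltration.

Signal used here: in one hour, a host sends more than an absolute floor of
bytes to a single destination, and that volume is far above the host's median
hourly volume to its other destinations (its own baseline).
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log: timestamp, source host, destination, bytes out.
# The last two ws-017 lines model a late-night multi-gigabyte upload to an
# address the host does not otherwise talk to.
SAMPLE_LOG = """\
2025-07-01T09:00:12Z ws-017 cdn.example.net 48213
2025-07-01T09:05:40Z ws-017 mail.example.org 12890
2025-07-01T09:12:03Z ws-042 cdn.example.net 30991
2025-07-01T10:02:55Z ws-017 files.example.com 52000
2025-07-01T23:41:10Z ws-017 203.0.113.77 6871234000
2025-07-01T23:52:33Z ws-017 203.0.113.77 5120000000
2025-07-02T08:15:00Z ws-042 cdn.example.net 28800
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, src, dst, bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append((stamp, src, dst, int(nbytes)))
    return records


def hourly_outbound(records):
    """Sum bytes out per (src, dst, hour bucket)."""
    buckets = defaultdict(int)
    for stamp, src, dst, nbytes in records:
        hour = stamp.replace(minute=0, second=0, microsecond=0)
        buckets[(src, dst, hour)] += nbytes
    return buckets


def find_exfil_candidates(records, absolute_floor=1_000_000_000, ratio=20.0):
    """Return alerts as (src, dst, hour, bytes) tuples.

    A bucket alerts when its volume is at least `absolute_floor` bytes and at
    least `ratio` times the host's median hourly volume to other destinations.
    A host with no other destinations has a baseline of 0, so any bucket over
    the floor alerts (a brand-new destination receiving bulk data).
    """
    buckets = hourly_outbound(records)
    by_host = defaultdict(list)  # src -> [(dst, volume), ...]
    for (src, dst, _hour), total in buckets.items():
        by_host[src].append((dst, total))

    alerts = []
    for (src, dst, hour), total in sorted(buckets.items()):
        others = [v for d, v in by_host[src] if d != dst]
        baseline = median(others) if others else 0
        if total >= absolute_floor and total >= ratio * baseline:
            alerts.append((src, dst, hour, total))
    return alerts


if __name__ == "__main__":
    for src, dst, hour, total in find_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(f"ALERT {src} -> {dst} at {hour:%Y-%m-%d %H:00}: {total:,} bytes")
```

In production the baseline would come from days of history rather than the same log window, and the alert would be enriched with whether the destination was ever seen before for that host and whether the transfer fell outside business hours; the thresholds here are deliberately simple so the logic stays readable.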

The rebranding to World Leaks suggests Hunters International’s operators are adapting to a changing cybercrime landscape, likely to continue their activities under a new guise while evading law enforcement pressure. As ransomware groups evolve, organizations must stay vigilant and prioritize comprehensive cybersecurity strategies.