Cyber Threat Actor: Donut Leaks
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
2 incidents |
|---|
Profile
Donut Leaks, also tracked as the d0nut ransomware team and D#nut Leaks, is a threat actor that has been observed operating since at least mid‑2022. Open source reporting indicates the group may be based in Russia, though no definitive geographic attribution has been publicly confirmed. The actor is primarily known for conducting data extortion operations that combine ransomware deployment with the theft and threatened release of sensitive information. Their public persona includes maintaining Tor‑hosted shaming blogs and data storage sites where leaked material is made available for download. These sites are often built around the File Browser application, which allows visitors to navigate the exfiltrated data by victim.
Observed targeting spans multiple industries, including healthcare providers, legal services firms, construction and architectural companies, and energy sector entities. Geographic focus appears to be international, with victims located in the United States, the United Kingdom, Greece and other multinational organizations. The group's stated objective is financial gain, as evidenced by ransom demands that range from hundreds of thousands to several million dollars and the subsequent leakage of data when payments are not met. Initial access has been linked to exploitation of vulnerable Microsoft Exchange servers, as described in the Montgomery General Hospital compromise. Beyond the exchange exploit, the actor utilizes ransomware strains associated with Hive and Ragnar Locker, suggesting an affiliate relationship with those established ransomware operations.
One of the earliest publicly reported operations involved the legal technology firm UnitedLex, from which the actors claimed to have exfiltrated approximately 200 GB of confidential contracts, payment records and merger documents. In early 2023 the group attacked Montgomery General Hospital in West Virginia, exfiltrating employee and patient files and demanding a $750 000 ransom before releasing the data on their leak site. A separate campaign disclosed in August 2022 linked Donut Leaks to the Greek natural gas company DESFA, the UK architectural practice Sheppard Robson and the multinational construction firm Sando, with the actors publishing far more data than the original ransomware claims and accumulating roughly 2.8 TB across ten victims. They also engage in direct negotiation emails to victims, often escalating to public shaming when extortion attempts fail. The pattern of stealing data, negotiating for payment and then leaking the information regardless of payment outcome highlights their reliance on data extortion as a core tactic.
