Cyber Threat Actor: Dunghill Leak

| Actor Type | Location | Known Incidents |
|---|---|---|
| Criminal | United States of America | 1 incident |

Profile
Dunghill Leak is an alias that has been used by a ransomware gang publicly identified as operating from the United States of America. The group first entered public awareness in mid‑2023 when it asserted responsibility for a cyber intrusion against Sabre Corporation, a major provider of travel technology solutions. As a ransomware actor, Dunghill Leak is characterized by the use of encryption‑based extortion, although the specific malware families, tools, or initial access methods employed in its operations have not been disclosed in any open‑source reporting. The label “ransomware gang” itself comes from the group’s own claim that it had stolen data prior to encrypting systems and intended to demand payment for the return of that information.
On August 1 2023 the gang announced that it had exfiltrated approximately 1.3 terabytes of data from Sabre’s networks, a volume that would encompass a wide range of internal files. According to the claim, the stolen material included corporate financial records, databases detailing ticket sales, and extensive employee personal information such as passport numbers and U.S. I‑9 work authorization forms. The gang stated that the data had been taken before any encryption activity occurred and that it would be released publicly unless a ransom was paid. This assertion was reported by several technology news outlets, including a TechCrunch article published on September 6 2023, which noted that Sabre had said it was investigating the claims to determine their validity.
Sabre’s public response indicated that the company was conducting an investigation to verify whether the alleged breach had actually occurred, and it had not confirmed any data loss or encryption at the time of the statement. No technical details regarding the intrusion—such as the initial attack vector, lateral movement techniques, or specific tools used—have been released by Sabre, law‑enforcement agencies, or the threat actor itself. Consequently, the publicly documented activity of Dunghill Leak remains limited to this single claimed incident and the accompanying assertions about the volume and type of data allegedly taken. No further attributions to state sponsors, criminal consortia, or other threat‑actor groups have been established in open sources.
