DragonForce Ransomware: Exfiltration Cartel Analysis | Privacy Insight Solutions

DragonForce has demonstrated a significant surge in operational volume over recent months. With six pending publications currently staged on their infrastructure, the group’s “company strategy” has transitioned from opportunistic strikes to established, long-term market dominance. They represent a specialized threat to organizational privacy, utilizing a “Cartel” model that lowers the barrier to entry for highly skilled affiliates by providing a complete, productized criminal ecosystem.

Threat Actor Profile: Who is DragonForce?

DragonForce represents a rare case of “hacktivist graduation.” Originally identified in 2021 as DragonForce Malaysia, the collective initially focused on ideologically motivated defacements and DDoS attacks.

The Professional Transformation

By mid-2023, the group underwent a tactical pivot, transitioning from hacktivism to a profit-driven Ransomware-as-a-Service (RaaS) model. This evolution culminated in the March 2025 announcement of the DragonForce Ransomware Cartel.

Much like the collaborative “supergroups” (e.g., ShinySp1d3r, comprising elements of ShinyHunters, Scattered Spider, and LAPSUS$), DragonForce was engineered to fill the market gap left by the disruption of legacy groups like LockBit. Their current success is predicated on a “premium” infrastructure that prioritizes sophisticated exfiltration over simple encryption.

DragonForce operational evolution: from Malaysian hacktivist collective (2021) to fully productized ransomware cartel (2025–2026).

The Intelligence Pipeline: OSINT as a Business

DragonForce does not rely on random scanning. Their model is built on Targeted Reconnaissance, where OSINT (Open Source Intelligence) is used to map the organizational hierarchy before a single packet is sent.

Executive Mapping

Affiliates use professional networks (LinkedIn), corporate filings, and media appearances to identify:

The “Pressure Points”: Identifying the C-Suite, Legal Counsel, and Data Protection Officers (DPOs).

Personal Exposure: Identifying high-net-worth executives whose personal data (home addresses, private emails) may be used to increase leverage.

Communication Styles: Analyzing public interviews to craft highly convincing spear-phishing or “vishing” (voice phishing) scripts that mimic executive tone.

The “Data Analysis Service” (DAS)

The most significant innovation in the 2025/2026 model is the Data Analysis Service. This dedicated back-end utility allows affiliates to weaponize exfiltrated data through:

Pattern Recognition: Scanning stolen datasets for “Strategic Non-Obvious Value,” such as satellite imagery of sensitive mineral deposits or proprietary manufacturing techniques.

Dossier Generation: Automatically creating “Extortion Packs” containing tailored call scripts for help desk deception, formal demand letters to CEOs, and specific risk summaries detailing the legal consequences of the breach.

Human-Centric Exploitation: Vishing & Social Engineering

The group’s collaboration with the Scattered Spider collective has professionalized their voice-based attacks.

Help Desk Deception: Attackers call IT help desks, impersonating executives or regional managers to request password resets or “MFA Push” approvals.

MFA Fatigue: Using OSINT-gathered phone numbers to “bomb” an executive with notifications until they accidentally approve access to the SSO portal.
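As an added defender-side illustration (not code from the article or from any DragonForce or RansomBay tooling), the following Python flags the MFA-fatigue pattern described above in constructed identity-provider log lines: a burst of denied or timed-out push prompts followed by an approval on the same account. The JSON-per-line format, field names and thresholds are assumptions; adapt them to your IdP's export.

```python
# Added example: detect MFA push-fatigue ("push bombing") in IdP logs.
# Log format, field names and thresholds are assumed, not vendor-specific.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: an executive receives a burst of pushes they
# decline or ignore and then approves one; a second user shows normal use.
SAMPLE_LOG = """
{"ts": "2026-03-18T02:11:05Z", "user": "cfo@example.com", "event": "mfa_push", "result": "denied"}
{"ts": "2026-03-18T02:11:40Z", "user": "cfo@example.com", "event": "mfa_push", "result": "timeout"}
{"ts": "2026-03-18T02:12:15Z", "user": "cfo@example.com", "event": "mfa_push", "result": "denied"}
{"ts": "2026-03-18T02:12:50Z", "user": "cfo@example.com", "event": "mfa_push", "result": "denied"}
{"ts": "2026-03-18T02:13:30Z", "user": "cfo@example.com", "event": "mfa_push", "result": "approved"}
{"ts": "2026-03-18T08:30:00Z", "user": "analyst@example.com", "event": "mfa_push", "result": "approved"}
{"ts": "2026-03-18T09:02:11Z", "user": "analyst@example.com", "event": "mfa_push", "result": "denied"}
{"ts": "2026-03-18T09:02:40Z", "user": "analyst@example.com", "event": "mfa_push", "result": "approved"}
"""

def parse_events(text):
    """Parse one JSON object per line, skip blanks, return events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])

def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Alert when a user approves a push after >= min_rejections denied or
    timed-out pushes within the sliding window (the fatigue signature)."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of unapproved pushes
    for rec in events:
        if rec["event"] != "mfa_push":
            continue
        user, ts = rec["user"], rec["ts"]
        # keep only rejections that are still inside the window
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if rec["result"] in ("denied", "timeout"):
            recent[user].append(ts)
        elif rec["result"] == "approved":
            if len(recent[user]) >= min_rejections:
                alerts.append({"user": user, "approved_at": ts.isoformat(),
                               "rejections_before": len(recent[user])})
            recent[user] = []  # an approval closes the burst either way
    return alerts
```

On the constructed input only the executive's approval at 02:13:30 is flagged (four rejections in the preceding window); the analyst's single denial followed by an approval stays below the threshold.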

Core Extortion Model: The Graduated Pipeline

DragonForce transforms extortion from a binary event into a time-based pressure system. This pipeline turns the breach into a cycle of psychological attrition:

Initial Compromise & Exfiltration: Data is staged, indexed, and analyzed using the DAS before any encryption occurs. High-value files (financials, legal, IP) are prioritized.

Private Negotiation Phase: The victim is onboarded into a dedicated negotiation panel with structured timers and proof-of-compromise samples.

Pending Leak Listing: If negotiations stall, the victim is added to an “Upcoming Leaks” section. This acts as a pre-public exposure layer, publishing metadata (Organization name, sector, data volume) and “teasers.”

Progressive Disclosure: Partial data dumps are released incrementally to validate threat credibility and increase internal urgency.

Full Leak Publication: Complete searchable datasets are released and mirrored to ensure persistence.

The DragonForce graduated pipeline. Each stage is designed to increase pressure while giving the victim the illusion of control over the timeline.

Technical Workflow & Resource Accessibility

The group’s rise is fueled by the operational convenience of their RansomBay platform. By framing infrastructure as a product, they have significantly lowered the barrier to entry for cybercrime.

The “Productized” Cartel

DragonForce advertises a comprehensive suite of services that allows affiliates to launch attacks quickly:

Multi-Tenant Panels: Separate interfaces for Admin management, Victim negotiation, and Affiliate oversight.

Technical Support: Automated work processes, anti-DDoS protection, NTLM/Kerberos decryption, and adjustable encryption modes.

Affiliate Economics: Offering an 80/20 profit split and the ability to white-label payloads, incentivizing a volume-over-quality approach for the cartel.

The RansomBay platform model: multi-tenant panels, white-label payloads, and an 80/20 affiliate split reduce the technical barrier to entry for criminal actors.

Investigator Insight: The Real Lesson

DragonForce is not growing because it is noisy; it is growing because it has removed friction. The increase in activity is a blend of accessible tooling, aggressive social engineering, and opportunistic partnerships (such as exploiting SimpleHelp vulnerabilities to reach multiple downstream MSP environments).

DragonForce is now a criminal platform, not just a ransomware strain. The packaging, the distribution model, and the reach have all changed to facilitate rapid, scalable extortion.

Originally published at https://privacyinsightsolutions.com on March 19, 2026.


DragonForce Ransomware: Exfiltration Cartel Analysis | Privacy Insight Solutions was originally published in OSINT Team on Medium.