{
	"id": "1008ec07-a322-490d-9daf-ffc4b457f058",
	"created_at": "2026-04-06T00:09:58.004652Z",
	"updated_at": "2026-04-10T03:23:52.167435Z",
	"deleted_at": null,
	"sha1_hash": "875f01d0aaa177a5d2ecc9b2b5bfae1ac2c91b9a",
	"title": "Clop ransomware now uses torrents to leak data and evade takedowns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2446880,
	"plain_text": "Clop ransomware now uses torrents to leak data and evade takedowns\r\nBy Lawrence Abrams\r\nPublished: 2023-08-05 · Archived: 2026-04-05 17:06:11 UTC\r\nThe Clop ransomware gang has once again altered extortion tactics and is now using torrents to leak data stolen in MOVEit\r\nattacks.\r\nStarting on May 27th, the Clop ransomware gang launched a wave of data-theft attacks exploiting a zero-day vulnerability\r\nin the MOVEit Transfer secure file transfer platform.\r\nExploiting this zero-day allowed the threat actors to steal data from almost 600 organizations worldwide before they realized\r\nthey were hacked.\r\nhttps://www.bleepingcomputer.com/news/security/clop-ransomware-now-uses-torrents-to-leak-data-and-evade-takedowns/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/clop-ransomware-now-uses-torrents-to-leak-data-and-evade-takedowns/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nOn June 14th, the ransomware gang began extorting its victims, slowly adding names to their Tor data leak site and\r\neventually publicly releasing the files.\r\nHowever, leaking data via a Tor site comes with some drawbacks, as the download speed is slow, making the leak, in some\r\ncases, not as damaging as it could be if it was easier to access the data.\r\nTo overcome this, Clop created clearweb sites to leak stolen for some of the MOVEit data theft victims, but these types of\r\ndomains are easier for law enforcement and companies to take down.\r\nMoving to torrents\r\nAs a new solution to these issues, Clop has begun to use torrents to distribute data stolen from MOVEit attack.\r\nAccording to security researcher Dominic Alvieri, who first spotted this new tactic, torrents have been created for twenty\r\nvictims, including Aon, K \u0026 L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg.\r\nAs part of this new extortion method, Clop has set up a new Tor site providing instructions on how to use torrent clients 
to\r\ndownload the leaked data and lists of magnet links for the twenty victims.\r\nList of available Clop torrents\r\nSource: BleepingComputer\r\nAs torrents use peer-to-peer transfer among different users, the transfer speeds are faster than the traditional Tor data leak\r\nsites.\r\nIn a brief test by BleepingComputer, this method resolved the poor data transfer issues, as we were receiving 5.4 Mbps data\r\ntransfer speeds, even though it was only seeded from one IP address in Russia.\r\nFurthermore, as this distribution method is decentralized, there is no easy way for law enforcement to shut it down. Even if\r\nthe original seeder is taken offline, a new device can be used to seed the stolen data as necessary.\r\nIf this proves successful for Clop, we will likely see them continue to utilize this method to leak data as it’s easier to set up,\r\ndoes not require a complex website, and may further pressure victims due to the increased potential for broader distribution of\r\nstolen data.\r\nCoveware says Clop is expected to earn $75-$100 million in extortion payments. Not because many victims are\r\npaying but because the threat actors have successfully convinced a small number of companies to pay very large ransom\r\ndemands.\r\nWhether or not the use of torrents will lead to more payments is yet to be determined; however, with these earnings, it may\r\nnot matter.\r\nSource: https://www.bleepingcomputer.com/news/security/clop-ransomware-now-uses-torrents-to-leak-data-and-evade-takedowns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/clop-ransomware-now-uses-torrents-to-leak-data-and-evade-takedowns/"
	],
	"report_names": [
		"clop-ransomware-now-uses-torrents-to-leak-data-and-evade-takedowns"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434198,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/875f01d0aaa177a5d2ecc9b2b5bfae1ac2c91b9a.pdf",
		"text": "https://archive.orkl.eu/875f01d0aaa177a5d2ecc9b2b5bfae1ac2c91b9a.txt",
		"img": "https://archive.orkl.eu/875f01d0aaa177a5d2ecc9b2b5bfae1ac2c91b9a.jpg"
	}
}