A hacking group claims to have stolen more than 380 gigabytes of data from the U.S. Marshals Service, including confidential and top-secret documents and records about gangs, active cases, and electronic surveillance.
The ransomware group Hunters International took credit for the breach and posted pictures of the allegedly stolen records on its data leak site, according to the cybersecurity firm Hackmanac, which provided screenshots of the post to Gizmodo. In total, the group claims to have exfiltrated more than 327,000 files from the federal law enforcement agency responsible for tracking down fugitives and running the witness protection program. The hackers set an August 30 deadline for a ransom to be paid.
In addition to screenshots of what it says are gang files and active case files, which appear to contain headshots and other information about suspects, the hacking group also posted documents it claimed were from “Operation Turnbuckle.” In 2022, upstate New York media outlets reported on a marshals operation by the same name that led to the arrest of more than a dozen drug trafficking suspects.
The agency suffered a debilitating ransomware attack in February of 2023 that crippled some of its systems for months. It’s not immediately clear whether the data Hunters International claims to have stolen is connected to that breach, said Sofia Scozzari, the CEO of Hackmanac. Cybersecurity researchers first identified Hunters International as a threat group in October 2023, about eight months after the U.S. Marshals Service ransomware attack.
“USMS is aware of the allegations and has evaluated the materials posted by individuals on the dark web, which do not appear to derive from any new or undisclosed incident,” Brady McCarron, a spokesperson for the agency, wrote to Gizmodo in a statement received after the initial publication of this article.
After Hunters International emerged on the scene, cybersecurity researchers speculated that it was a rebranding of the Hive ransomware group, which the FBI infiltrated and disrupted in a six-month investigation culminating in January 2023. Hunters International, however, claimed that it had simply purchased Hive’s malware and improved upon it. Hackmanac has tracked 181 attacks connected to the group targeting a wide range of victims across private industry and government.
The group offers ransomware-as-a-service, meaning it sells and rents out its malware that infects a target’s system and encrypts the files. The attacker then charges a fee to return access to the files. About 75 percent of the Hunters International attacks Hackmanac has documented involve ransomware, Scozzari said, but in its posts about the U.S. Marshals Service’s data the group did not claim to have encrypted the files in addition to stealing them, as it has done previously.
“It is clear that for Hunters, data is money and the group’s main focus is maximizing profits” rather than any political motivation, Scozzari said. “In this regard, the more sensitive the stolen data, the greater the chances of receiving a large payment.”
Update: This article was updated on August 27, 2024 to include a statement received after publication from the U.S. Marshals Service.
