
Dark Web Most Wanted: CL0P

DarkWebSonar Research Team
November 20, 2025
8 min read
Last updated: May 23, 2026
Tags: ransomware, dark-web-most-wanted, threat-actor

CL0P remains one of the most dangerous ransomware groups tracked by DarkWebSonar, with 635 victim postings since October 2024 and a sustained January–February 2026 campaign wave. With 68.5% of victims in the United States and heavy targeting of manufacturing, technology, and retail, CL0P represents a critical threat to organizations worldwide.


  • Name: CL0P
  • Type: Ransomware Group
  • First Seen: October 2024
  • Last Observed: May 2026
  • Risk Level: Critical

Introduction

CL0P is one of the most prolific data leak site (DLS) operators tracked by DarkWebSonar, yet the group's observable activity follows a bursty, campaign-driven cadence rather than sustained daily operations. Since October 2024, DarkWebSonar has recorded 638 victim postings attributed to CL0P's Tor-based leak infrastructure. Nearly four-fifths of that volume (503 postings, or 79%) occurred in January and February across two consecutive years, with long quiet periods in between. This pattern suggests that CL0P's public-facing activity is driven primarily by batch victim publication following mass exploitation windows, not by a steady stream of new compromises.

This profile is consistent with broader industry analysis. Google Threat Intelligence Group (GTIG) notes that while CL0P ranked among the top DLS brands in 2025, the majority of associated incidents involved data theft extortion without ransomware deployment (a distinction that matters when interpreting leak-site counts as a proxy for intrusion volume or encryption activity).

Key findings from DarkWebSonar telemetry (October 2024–May 2026):

  • 638 victim postings observed on CL0P's leak site; 637 (99.8%) categorized as ransomware or data extortion claims.
  • 79% of all postings concentrated in January–February (503 of 638), repeating in both 2025 (371) and 2026 (132).
  • The single largest posting week was 2025-W09 (212 victims), driven by a batch of 166 victims published on February 25, 2025.
  • 68.5% of named victims are U.S.-based organizations (437 of 638); manufacturing and construction is the most frequently represented industry (125 victims, 19.7%).
  • November 2025 represents the only significant secondary peak (97 victims, ~15%), temporally aligned with public reporting on Oracle E-Business Suite exploitation.

CL0P (also written as Clop or Cl0p) has been active since at least 2019 and is associated with the Russian-speaking TA505 / FIN11 ecosystem. Public reporting indicates that early operations relied on phishing and Windows-focused ransomware payloads. In subsequent years, the group shifted toward data-theft extortion and mass exploitation of widely deployed enterprise platforms (including Accellion FTA, GoAnywhere MFT, MOVEit Transfer, Cleo, Fortra, and, most recently, Oracle E-Business Suite (EBS)). DarkWebSonar's 2024–2026 telemetry captures the outcome of that shift: high-volume DLS activity tied to supply-chain-style campaigns rather than isolated, bespoke intrusions.


By the Numbers (DarkWebSonar Telemetry)

Scope and limitations

The analysis below is based on victim postings observed on CL0P's leak site. DarkWebSonar monitors this infrastructure continuously; the data represents what the group chooses to publish, not confirmed intrusions, encryption events, or ransom payment outcomes.

We caution against interpreting DLS posting volume as a direct measure of CL0P's total operational activity. Several factors can inflate, deflate, or distort these counts relative to actual compromise volume:

  • Threat actors typically create DLS posts for victims who have not paid or who are being actively pressured; organizations that pay quietly may never appear on the leak site, so posting counts likely underrepresent total victims.
  • Conversely, posting surges may reflect batch publication of victims compromised weeks or months earlier, which can make a single week appear disproportionately active relative to current intrusion rates.
  • DLS category labels do not confirm that ransomware was deployed; external analysis and GTIG reporting indicate CL0P operations are primarily data theft extortion, with ransomware deployment occurring only occasionally.
  • Victim industry and country fields reflect CL0P's own leak-site metadata and may be incomplete or inconsistently populated.

Unless stated otherwise, statistics in this section are derived from DarkWebSonar telemetry. Historical TTP and campaign context draws on public reporting where DarkWebSonar does not have direct visibility into pre-compromise activity.

Summary metrics

  • Total victim postings (Oct 2024–May 2026): 638
  • Postings in last 90 days: 5
  • Postings in last 30 days: 3
  • DarkWebSonar risk score: 100 (Critical)
  • Activity classification: steady baseline with episodic campaign spikes
  • Primary attack category: ransomware / data extortion (637 of 638 entries)

Posting cadence and year-week analysis

When DarkWebSonar telemetry is aggregated by ISO year-week, leak-site activity concentrates sharply in the first quarter of each calendar year, with a secondary elevation in late 2025:


Year-week   Victims posted   Notes
2025-W09    212              Largest single week; includes 166-victim batch on Feb 25
2025-W07    70               Early February sustained campaign
2025-W03    58               Mid-January spike
2025-W47    62               November wave; aligns with Oracle EBS reporting
2026-W04    45               Late January 2026 sustained postings
2026-W05    44               Continued January wave
2026-W07    30               February 2026 spike week

By calendar month, January and February account for 79% of all observed postings (503 of 638), substantially exceeding any other two-month window. November 2025 is the only other period with meaningful volume (97 victims, ~15%).

We assess that this concentration is unlikely to reflect random seasonal variation. CL0P's operational model (mass exploitation of a shared technology stack, followed by staged victim naming) plausibly explains the pattern through several converging factors:

  • Holiday-period exploitation window: Reduced security staffing and slower patch cycles during late December and early January may extend the dwell time of compromises initiated via zero-day exploitation before detection, though DarkWebSonar cannot directly confirm intrusion dates from leak-site postings alone.
  • Batch publication behavior: Rather than naming victims at the time of compromise, CL0P frequently holds and releases victims in coordinated batches. Quiet periods in DarkWebSonar data (e.g., March–September 2025, when only 14 postings were observed) are consistent with intrusion activity occurring out of public view, followed by publication surges when the group escalates extortion pressure.
  • Cross-year repeatability: Both 2025 (371 Jan–Feb postings) and 2026 (132 Jan–Feb postings) exhibit the same general shape (low baseline activity through much of the year, then a sharp increase in ISO weeks W03 through W09).

For defenders, this cadence has practical value: organizations with exposure to platforms CL0P has historically targeted (managed file transfer, ERP, integration middleware) should consider pre-positioning monitoring and exposure review before January, particularly if mass-exploitation activity was reported in the preceding quarter. Year-week trend analysis of DLS postings can surface these waves before they appear in public breach disclosures or regulatory filings.
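The year-week aggregation and spike flagging described above can be reproduced from nothing more than a list of posting dates. The Python below is an added example written for this profile, not DarkWebSonar's own tooling. The dates in SAMPLE_POSTINGS are constructed to mimic the cadence the section describes (they are not the 638-victim dataset), and the spike threshold (3x the mean weekly count with a floor of 5 postings) is an assumed choice to tune against real telemetry. The example also covers the ISO-year edge case that calendar-year grouping gets wrong (31 December 2025 belongs to 2026-W01), and the same functions surface the single-day batch publication pattern listed later under Operational Indicators.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import mean

# Constructed sample of leak-site posting dates (one entry per victim posting),
# shaped like the cadence the post describes: a January batch day, one large
# single-day February batch, a quiet spring and summer, a November wave and a
# second January wave. Hypothetical illustration, not DarkWebSonar's data.
SAMPLE_POSTINGS = (
    [date(2025, 1, 15)] * 12                   # mid-January batch day
    + [date(2025, 2, 25)] * 30                 # largest single-day batch
    + [date(2025, 2, 28)] * 6
    + [date(2025, 5, 3), date(2025, 7, 19)]    # isolated postings in quiet months
    + [date(2025, 11, 20)] * 8                 # November wave
    + [date(2025, 12, 31)] * 2                 # ISO edge case: this day is 2026-W01
    + [date(2026, 1, 22)] * 9                  # late-January 2026 wave
)


def iso_year_week(d: date) -> str:
    """Label a date by ISO year and ISO week, e.g. '2025-W09'.

    The ISO year is used, not the calendar year: 2025-12-31 sits in the week
    that contains 2026-01-01, so it is labelled '2026-W01'. Combining the
    calendar year with the ISO week number would file it under a bogus
    '2025-W01' and split one posting wave across two labels.
    """
    iso_year, iso_week, _ = d.isocalendar()
    return f"{iso_year}-W{iso_week:02d}"


def weekly_series(postings):
    """Zero-filled {year-week: count} across the span of the data, in order.

    Zero-filling matters: the quiet weeks are part of the baseline, and
    without them a sparse dataset looks uniformly busy.
    """
    if not postings:
        return {}
    counts = Counter(iso_year_week(d) for d in postings)
    first, last = min(postings), max(postings)
    monday = first - timedelta(days=first.weekday())   # Monday of the first week
    series = {}
    while monday <= last:
        label = iso_year_week(monday)
        series[label] = counts.get(label, 0)
        monday += timedelta(days=7)
    return series


def jan_feb_share(postings) -> float:
    """Fraction of postings dated in calendar January or February."""
    if not postings:
        return 0.0
    return sum(d.month in (1, 2) for d in postings) / len(postings)


def spike_weeks(postings, multiplier=3.0, min_count=5):
    """Weeks whose count is at least `min_count` and at least `multiplier`
    times the mean weekly count (quiet weeks included).
    Returns [(year-week, count)] in chronological order."""
    series = weekly_series(postings)
    if not series:
        return []
    threshold = max(min_count, multiplier * mean(series.values()))
    return [(wk, n) for wk, n in series.items() if n >= threshold]


def batch_days(postings, min_count=10):
    """Single days with at least `min_count` postings: the batch-publication
    signature. Returns [(date, count)] in chronological order."""
    counts = Counter(postings)
    return sorted((d, n) for d, n in counts.items() if n >= min_count)


if __name__ == "__main__":
    series = weekly_series(SAMPLE_POSTINGS)
    print(f"{len(series)} weeks in range, {sum(series.values())} postings")
    print("Jan-Feb share:", round(jan_feb_share(SAMPLE_POSTINGS), 3))
    for wk, n in spike_weeks(SAMPLE_POSTINGS):
        print("spike week:", wk, n)
    for d, n in batch_days(SAMPLE_POSTINGS):
        print("batch day:", d, n)
```

On the constructed sample the mean weekly count over the zero-filled range is just over one posting, so the floor of five decides which weeks are flagged; on a dataset with hundreds of postings per wave the multiplier does the work instead. Either way, compare the flagged weeks against vendor advisories from the preceding quarter before reading a spike as a new exploitation campaign rather than delayed publication.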

Targeting distribution

DarkWebSonar victim metadata indicates CL0P names organizations across a wide range of industries, with concentration in sectors where operational disruption and data sensitivity likely increase extortion leverage:

Attack Industries

  • Manufacturing & Construction: 125 (19.7%)
  • Technology & Telecom: 101 (15.9%)
  • Consumer Goods & Retail: 83 (13.1%)
  • Transportation & Logistics: 68 (10.7%)
  • Retail & E-commerce: 63 (9.9%)
  • Financial Services: 22 (3.5%)

Public reporting on CL0P's MOVEit, Cleo, and Oracle EBS campaigns similarly identifies victims at critical supply chain junctions (a pattern consistent with, though not confirmed by, DarkWebSonar's industry distribution).

Geographically, postings are heavily weighted toward North America:

Attack Countries

  • United States: 437 (68.5%)
  • Canada: 63 (9.9%)
  • United Kingdom: 21 (3.3%)
  • Australia: 15 (2.4%)
  • India / Mexico: 9 each (1.4%)

Additional victims have been observed across Europe, Asia, and the Middle East. External sources corroborate a primary focus on large Western enterprises, though DarkWebSonar's country attribution depends on leak-site metadata and may not reflect the full geographic scope of CL0P's intrusion activity.

Notable posting events

The following dates represent the highest-volume posting activity in DarkWebSonar's CL0P dataset:

  • Oct 3, 2024 (first observed victim posting)
  • Jan 15, 2025 (56 victims posted in a single day)
  • Feb 9–13, 2025 (sustained campaign: 22, 21, 17, and 32 postings)
  • Feb 25, 2025 (166 victims posted; largest single-day event in dataset)
  • Feb 28, 2025 (44 victims posted)
  • Nov 6–21, 2025 (resurgence: 12, 11, 11, 10, 29, and 23 postings across multiple days)
  • Jan 21–30, 2026 (sustained wave: 10–11 victims per day on most days)
  • Feb 10, 2026 (25 victims posted in a single day)
  • May 1, 2026 (recent postings including Integra LifeSciences and Steinger, Greene & Feiner)

The February 2025 spike remains among the largest single-day extortion publication events tracked by DarkWebSonar. We assess this is consistent with either coordinated multi-victim exploitation of a shared technology stack or batch publication of victims compromised during an earlier intrusion window (two explanations that are not mutually exclusive). The January–February 2026 wave follows a similar profile.

Tactics, Techniques & Procedures (TTPs)


Extortion Strategy

  • Double / multi‑pronged extortion: Traditionally combines file encryption with data exfiltration and public leak threats; in recent campaigns, CL0P has frequently prioritized data theft and extortion without encryption, especially during supply‑chain zero‑day exploitation campaigns.
  • Tor‑based leak site: Maintains a dedicated dark web portal for victim shaming and data publication (often branded "CL0P^_-LEAKS").
  • Escalation tactics: Progresses from private negotiations to public data releases with countdown timers, staged data dumps, and direct outreach to media, partners, and customers to increase pressure.
  • Selective high‑value targeting: Focuses on organizations with significant revenue, rich datasets, and high operational disruption costs; external reporting repeatedly notes CL0P's emphasis on large enterprises and public‑sector entities.

Initial Access Methods


DarkWebSonar only observes post‑compromise victim postings, but external technical reporting provides a detailed view of how CL0P and associated clusters gain initial access:

  • Zero‑day vulnerability exploitation (signature MO):
  • Supply chain and "one‑to‑many" attacks: Targets third‑party platforms and service providers (MFT, ERP, integration middleware, MSPs) to gain access to large downstream victim populations with identical vulnerabilities.
  • Compromised credentials: Uses credentials harvested from infostealer logs and compromised business email accounts to send convincing extortion and phishing emails from legitimate infrastructure.
  • Phishing and malspam: Earlier campaigns (2019–2022) relied heavily on mass phishing and spear‑phishing to deploy loaders like Truebot, Cobalt Strike beacons, and other tools prior to ransomware execution.

Technical Capabilities

  • Ransomware payloads:
    • Windows‑focused ransomware family derived from CryptoMix/CrypBoss; encrypts files and appends extensions like .clop, .CL0P, CIIp, C_L_O_P, etc.
    • A Linux variant appeared around late 2022, though early analysis suggested flaws that sometimes allowed decryption.
  • Data exfiltration:
    • Systematic theft of sensitive files and databases before any encryption step.
    • Use of custom tools such as Teleport for large‑scale data exfiltration, alongside common red‑team tooling (Cobalt Strike, web shells such as DEWMODE/LEMURLOOT, SDBot, FlawedAmmyy RAT).
  • Lateral movement & privilege escalation:
    • Tools and techniques such as Mimikatz, PsExec, and Cobalt Strike to traverse networks, dump credentials, and gain domain‑wide privileges.
  • Persistence & evasion:
    • Disables security controls (e.g., Windows Defender, backup agents), uses obfuscation, and maintains a minimal footprint, especially in pure data‑extortion campaigns where encryption is skipped to reduce detection risk.

Business Model & Operations

  • Affiliates and ecosystem links: Historically described as Ransomware‑as‑a‑Service (RaaS) and closely tied to TA505/FIN11, with multiple overlapping clusters sharing infrastructure and payloads. Public reporting suggests today's CL0P operations blend:
    • a core team controlling leak infrastructure, tooling, and negotiations, and
    • associated intrusion operators (e.g., FIN11/Graceful Spider–linked clusters) executing mass exploitation and intrusion activity.
  • High‑value targeting: Prioritizes enterprises with revenues in the tens or hundreds of millions, where downtime and data exposure translate into strong incentives to pay.
  • Strategic timing: Frequently aligns mass exploitation with unpatched zero‑days, exploiting the short window between first exploitation and vendor patch / customer rollout.

Notable Campaigns / Victims

MOVEit Exploitation (2023)

CL0P gained global attention for the 2023 exploitation of a zero‑day in Progress Software's MOVEit Transfer platform (CVE‑2023‑34362). This campaign affected hundreds of organizations worldwide, including government agencies, financial institutions, healthcare providers, and major enterprises. Public reporting on MOVEit victims (e.g., Maximus, numerous U.S. and European agencies, and major private‑sector firms) illustrates CL0P's ability to:

  • weaponize previously unknown vulnerabilities quickly,
  • pivot from initial access to mass data theft, and
  • run large‑scale, multi‑month extortion operations based on a single technology stack.

Cleo / GoAnywhere / Fortra Campaigns (2023–2024)

Following MOVEit, CL0P continued to target managed file transfer and integration platforms, including GoAnywhere MFT, Cleo products, and Fortra file transfer solutions. These campaigns reinforced a pattern:

  • identify a widely deployed enterprise file transfer / integration product,
  • develop or acquire a working exploit (sometimes zero‑day, sometimes n‑day but under‑patched),
  • compromise large numbers of organizations in a short window, and
  • slow‑roll victim postings on the leak site over subsequent weeks and months.

Oracle E‑Business Suite Zero‑Day (2025)

In 2025, CL0P (and/or closely associated clusters) were linked to mass exploitation of a zero‑day vulnerability in Oracle E‑Business Suite:

  • Vulnerability: CVE‑2025‑61882 (BI Publisher Integration in Oracle Concurrent Processing, CVSS 9.8), with indications that CVE‑2025‑61884 is also part of the exploit chain.
  • Scope: Affects Oracle EBS versions 12.2.3 to 12.2.14 and potentially older unsupported versions.
  • Timeline:
    • Suspicious activity and exploitation observed as early as July–August 2025, before patches were available.
    • Oracle advisory and patch release in early October 2025.
    • Mass extortion emails sent from compromised third‑party email accounts starting late September 2025, claiming CL0P branding and threatening data leaks.
  • Victims: Public reports mention nearly 30 named organizations on CL0P's leak site, including major enterprises and public‑sector entities; follow‑on reporting highlights victims such as GlobalLogic, UK NHS organizations, and others notified of Oracle EBS–related data theft.

This campaign closely mirrors CL0P's MOVEit playbook: mass exploitation of a strategically positioned enterprise platform, delayed extortion notifications, and staged victim naming on the leak site. DarkWebSonar's February and November 2025 spikes strongly align with this Oracle‑linked wave of postings.

January–February 2026 Campaign Wave

DarkWebSonar telemetry captured a renewed posting surge in early 2026, with sustained daily victim announcements from January 21 through January 30 (10–11 victims per day on most days) and a February 10 spike of 25 victims. Recent May 2026 postings include high-profile targets such as Integra LifeSciences (healthcare & pharma) and Steinger, Greene & Feiner (legal services), reinforcing CL0P's continued focus on data-rich U.S. enterprises across manufacturing, technology, healthcare, and professional services.

Targeting Patterns (DarkWebSonar + external)

Cross‑referencing DarkWebSonar victim telemetry with public reporting reveals several recurring themes:

  • Critical supply chain nodes: logistics providers, manufacturers, MSPs, and integration service providers feature heavily both in DarkWebSonar's top‑industry list and in public disclosures.
  • Public sector & healthcare: especially during MOVEit and Oracle campaigns, with victims including contractors handling government data and national healthcare systems.
  • High‑value data concentration: sectors that hold large volumes of PII, financial records, or sensitive IP (e.g., finance, healthcare, tech, government contractors) are repeatedly over‑represented among public victims.

Evolution & Trends

  • Long‑running operation: First detected in 2019, CL0P is one of the longest continuously operating cyber extortion brands, maintaining a dark web leak site since around December 2020.
  • Shift from classic ransomware to data extortion: Since 2021, CL0P has increasingly de‑emphasized encryption in favor of pure data theft and extortion, especially in large supply‑chain campaigns. DarkWebSonar's dataset captures the outcome of this shift: a high volume of victim postings linked to mass exploitation waves rather than isolated, bespoke intrusions.
  • Mass exploitation as a business model: Public sources and DarkWebSonar telemetry both show that CL0P's most impactful campaigns are built on mass exploitation of critical services, rather than one‑off intrusions.
  • Operational resilience: Despite law‑enforcement actions and periods of reduced visibility, CL0P and affiliated clusters have repeatedly resurfaced with new campaigns (Accellion > GoAnywhere/Fortra > MOVEit > Cleo > Oracle EBS > 2026 wave).
  • Campaign cadence: DarkWebSonar data shows CL0P operates in bursts of high-tempo victim naming separated by quieter periods (a pattern consistent with batch publication after mass exploitation windows rather than continuous daily operations).
  • Predictable posting windows: ISO year-week analysis shows 79% of all leak-site activity falls in January–February, repeating in both 2025 and 2026. This strongly suggests CL0P times batch publication to coincide with post-holiday periods when victim organizations are least prepared to respond, making early-year monitoring a high-value defensive investment.

DarkWebSonar Insights

Unlike traditional incident‑driven reporting, DarkWebSonar tracks CL0P's victim postings in real time directly from their leak infrastructure. This enables:

  • Granular targeting insight: Real‑time visibility into which industries, geographies, and organization sizes CL0P is actively extorting at any given moment.
  • Spike detection: Immediate identification of coordinated campaigns through year-week spikes that align with major exploitation waves, such as 2025-W09 (212 victims), 2025-W47 (62 victims), and 2026-W04/W05 (45 and 44 victims).
  • Seasonal forecasting: Year-week trend analysis reveals that January–February consistently produces the highest posting volume, enabling teams to anticipate when CL0P is most likely to name new victims and escalate extortion pressure.
  • Early warning: Victim announcements on CL0P's leak site often appear before public disclosure, regulatory filings, or service‑impact confirmation, giving defenders and third‑party risk teams an earlier signal that a given organization has been compromised.
  • Trend analysis: Continuous monitoring of changes in operational tempo, target selection, and geography, essential for understanding whether CL0P is ramping up, pausing, or shifting focus.
  • Vulnerability correlation: Ability to correlate spikes in new victim postings with public disclosures and vendor advisories (e.g., MOVEit and Oracle EBS zero‑days), enabling faster assessment of which technologies are currently being weaponized.

DarkWebSonar's telemetry offered early confirmation that CL0P's Oracle EBS campaign had moved from isolated incidents to mass exploitation, days before many victims publicly acknowledged impact.
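The early-warning use case above depends on matching names as they appear on a leak site against a third-party inventory, and leak-site spellings rarely match procurement records exactly ("Acme Manufacturing, Inc." versus "ACME Manufacturing Inc"). The Python below is an added example, not DarkWebSonar's matching logic: it normalizes both sides (casefold, punctuation to spaces, trailing corporate-form suffixes dropped) before an exact comparison. The supplier inventory and the victim postings are constructed, and the SUFFIXES set is an assumed starting list.

```python
import re

# Trailing corporate-form tokens dropped before comparison. Hypothetical
# starting list; extend it for the jurisdictions in your supplier inventory.
SUFFIXES = {
    "inc", "incorporated", "llc", "ltd", "limited", "corp", "corporation",
    "co", "company", "plc", "gmbh", "sa", "ag", "group", "holdings",
}

# Constructed supplier inventory: {name as recorded in procurement: tier / role}.
SUPPLIERS = {
    "ACME Manufacturing Inc": "tier-1 (MFT integration partner)",
    "Globex Corporation": "tier-2 (logistics)",
    "Initech LLC": "tier-1 (ERP hosting)",
}

# Constructed leak-site postings: (date posted, victim name as shown on the DLS).
POSTINGS = [
    ("2026-01-22", "Acme Manufacturing, Inc."),
    ("2026-01-22", "Globex Corp"),
    ("2026-01-23", "Umbrella Logistics Ltd"),
    ("2026-02-10", "Initech"),
]


def normalize_org(name: str) -> str:
    """Casefold, replace punctuation runs with spaces, drop trailing suffix tokens.

    Only trailing tokens are stripped, so a suffix word inside the name is kept
    ('Company Store Ltd' -> 'company store').
    """
    tokens = re.sub(r"[^a-z0-9]+", " ", name.casefold()).split()
    while tokens and tokens[-1] in SUFFIXES:
        tokens.pop()
    return " ".join(tokens)


def match_postings(postings, suppliers):
    """Return [(posted_date, dls_name, supplier_name, supplier_tier)] for every
    posting whose normalized name equals a normalized supplier name."""
    index = {normalize_org(s): s for s in suppliers}
    hits = []
    for day, victim in postings:
        key = normalize_org(victim)
        if key and key in index:          # empty key: the name was only suffixes
            supplier = index[key]
            hits.append((day, victim, supplier, suppliers[supplier]))
    return hits


if __name__ == "__main__":
    for day, victim, supplier, tier in match_postings(POSTINGS, SUPPLIERS):
        print(f"{day}: '{victim}' matches supplier '{supplier}' [{tier}]")
```

Suffix stripping is deliberately limited to trailing tokens so that "Acme Group" and "Acme" only collide when "group" is the final token; even so, every hit is a lead for an analyst to confirm against the posting itself, not an automatic incident, and short generic names warrant the most scepticism.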

Threat Intelligence Indicators

Key Vulnerabilities Exploited (Selected)

DarkWebSonar victim spikes around February and late 2025, and the January–February 2026 wave, align with public reporting around these mass exploitation events.

Typical Attack Progression Timeline

  1. Initial compromise via zero‑day exploitation against file transfer / ERP platforms, credential theft from infostealer logs, or (less commonly today) phishing / malspam campaigns.
  2. Lateral movement and privilege escalation using tools such as Cobalt Strike, Mimikatz, PsExec, and custom loaders.
  3. Data discovery and exfiltration of sensitive files, databases, and mail stores, often using tools like Teleport or bespoke scripts.
  4. (Optional) Ransomware deployment across Windows (and occasionally Linux) systems to maximize business disruption.
  5. Leak site posting with victim details and sample data on the CL0P Tor portal.
  6. Extortion and negotiation via Tor‑hosted chat portals, email, or compromised business email accounts, often with countdown timers and threats of public data release or harassment campaigns.

Operational Indicators

  • Tor‑based leak infrastructure branded around CL0P / CL0P^_-LEAKS.
  • Batch publication patterns (large clusters of new victims added in a single day).
  • High‑value, Western enterprise focus with disproportionate representation of U.S. organizations.
  • Recurring targeting of file‑transfer, integration, and ERP technologies as initial access vectors.

Outlook

CL0P's 638 victim postings tracked by DarkWebSonar since October 2024, combined with continued reliance on high‑impact zero‑day exploitation and periodic campaign waves, position them as a critical global threat through 2026. External reporting consistently ranks CL0P among the most active and damaging ransomware / extortion operations, frequently outpacing or rivaling groups such as LockBit, Akira, and RansomHub in victim volume during peak quarters.

Given CL0P's:

  • proven capability to identify and weaponize new vulnerabilities quickly,
  • preference for systemic, one‑to‑many attacks against critical enterprise platforms,
  • focus on large, data‑rich organizations in the U.S., Canada, and Europe, and
  • post-holiday batch publication pattern (79% of DLS activity observed in the weeks following end-of-year holidays),

organizations that rely on managed file transfer solutions, ERP platforms (such as Oracle EBS), or integration middleware should treat CL0P as a persistent priority threat. DarkWebSonar telemetry suggests the group may exploit reduced staffing and slower incident response during the end-of-year holiday season, then name victims in coordinated batches in the weeks that follow. Security teams should tighten patch management, exposure review, and leak-site monitoring before the holiday period, not after posting volumes spike in the new year.

Priority defensive actions include:

  • Pre-position before the holiday season: Review exposure to platforms CL0P has historically weaponized (MFT, ERP, integration middleware) in Q4, when staffing reductions and delayed patching can extend dwell time for compromises that surface as batch DLS postings after the holidays.
  • Aggressive patch management for MFT, ERP, and integration platforms, especially when zero‑day advisories mention active exploitation by CL0P‑linked actors.
  • External attack surface monitoring to rapidly detect exposed file transfer portals, admin interfaces, and misconfigured services.
  • Deep inspection of outbound data flows from these systems to spot unusual data exfiltration activity.
  • Hardened identity and email security, including monitoring for compromised third‑party accounts used in extortion or phishing campaigns.
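The data exfiltration step in the attack progression timeline and the "deep inspection of outbound data flows" action above translate into one concrete check: baseline each file-transfer and ERP host's daily outbound volume and alert when a day departs from it, listing any external destination the host has never talked to before. The Python below is an added example, not DarkWebSonar's or any vendor's code. The flow-log line format, the host roles, the documentation-range IP addresses and every byte count in SAMPLE_FLOWS are constructed, and the 5x / 500 MB thresholds are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed flow-log excerpt (one line per outbound connection summary) for two
# internal hosts: 10.0.5.20 plays a hypothetical MFT server, 10.0.5.21 an ERP
# application server. Three ordinary days are followed by a day on which the MFT
# host sends multiple gigabytes to an external address it has never contacted.
# One malformed line is included on purpose to show it is skipped.
SAMPLE_FLOWS = """\
2025-11-17T09:02:11Z src=10.0.5.20 dst=198.51.100.7 dport=22 bytes_out=41000000
2025-11-17T13:40:02Z src=10.0.5.20 dst=198.51.100.8 dport=443 bytes_out=38000000
2025-11-17T16:12:45Z src=10.0.5.20 dst=198.51.100.7 dport=22 bytes_out=44000000
2025-11-18T09:05:30Z src=10.0.5.20 dst=198.51.100.7 dport=22 bytes_out=40500000
2025-11-18T14:01:12Z src=10.0.5.20 dst=198.51.100.8 dport=443 bytes_out=39000000
2025-11-19T09:00:07Z src=10.0.5.20 dst=198.51.100.7 dport=22 bytes_out=42000000
2025-11-19T15:22:51Z src=10.0.5.20 dst=198.51.100.8 dport=443 bytes_out=37500000
2025-11-20T09:03:19Z src=10.0.5.20 dst=198.51.100.7 dport=22 bytes_out=41500000
2025-11-20T02:14:00Z src=10.0.5.20 dst=203.0.113.45 dport=443 bytes_out=1500000000
2025-11-20T02:31:27Z src=10.0.5.20 dst=203.0.113.45 dport=443 bytes_out=1600000000
2025-11-20T02:49:58Z src=10.0.5.20 dst=203.0.113.45 dport=443 bytes_out=1450000000
2025-11-17T10:00:00Z src=10.0.5.21 dst=198.51.100.9 dport=443 bytes_out=5000000
2025-11-18T10:00:00Z src=10.0.5.21 dst=198.51.100.9 dport=443 bytes_out=5200000
2025-11-19T10:00:00Z src=10.0.5.21 dst=198.51.100.9 dport=443 bytes_out=4900000
2025-11-20T10:00:00Z src=10.0.5.21 dst=198.51.100.9 dport=443 bytes_out=5100000
malformed line that should be skipped
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:]+Z) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse_flows(text):
    """Parse flow lines into dicts; lines that do not match the format are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "day": m["ts"][:10],            # calendar day from the timestamp
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),       # kept for triage context
            "bytes": int(m["bytes"]),
        })
    return flows


def daily_profile(flows):
    """{src: {day: {"bytes": total outbound bytes, "dsts": set of destinations}}}"""
    profile = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "dsts": set()}))
    for f in flows:
        entry = profile[f["src"]][f["day"]]
        entry["bytes"] += f["bytes"]
        entry["dsts"].add(f["dst"])
    return profile


def find_exfil_candidates(flows, multiplier=5.0, min_bytes=500_000_000):
    """Compare each host's latest day against the median of its earlier days.

    Alert only when the latest day's outbound volume is above `min_bytes` (so a
    host that normally sends almost nothing does not trip on a small absolute
    change) AND above `multiplier` times the median of the prior days. Hosts with
    a single day of data have no baseline and are skipped rather than guessed.
    """
    alerts = []
    for src, days in daily_profile(flows).items():
        if len(days) < 2:
            continue
        ordered = sorted(days)
        latest, prior = ordered[-1], ordered[:-1]
        baseline = median([days[d]["bytes"] for d in prior])
        today = days[latest]["bytes"]
        if today >= min_bytes and today >= multiplier * max(baseline, 1):
            seen_before = set().union(*(days[d]["dsts"] for d in prior))
            alerts.append({
                "src": src,
                "day": latest,
                "bytes": today,
                "baseline_median": baseline,
                "new_dsts": sorted(days[latest]["dsts"] - seen_before),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_candidates(parse_flows(SAMPLE_FLOWS)):
        print(f"{alert['src']} on {alert['day']}: {alert['bytes']:,} bytes out "
              f"(baseline median {alert['baseline_median']:,}); "
              f"new destinations: {alert['new_dsts'] or 'none'}")
```

A median baseline is used rather than a mean so that one earlier large-but-legitimate transfer does not lift the bar for the whole host; the new-destination list is reported as supporting context rather than as its own alert, because partner onboarding also produces first-seen destinations. Running the check per day is the coarse version; the same logic applied per hour catches the off-hours transfer window in the sample (all three large flows fall between 02:00 and 03:00) that a daily total only shows in aggregate.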

Conclusion

CL0P exemplifies how established ransomware and extortion operations can maintain scale and relevance over years of operation through repeated mass exploitation campaigns. DarkWebSonar's telemetry (638 victim postings between October 2024 and May 2026, with 79% concentrated in January–February across two consecutive years) shows that CL0P remains one of the most operationally relevant threat actors in the ransomware landscape, and one whose activity follows a predictable year-week cadence that defenders can plan around.

Their strategic focus on U.S. and Western enterprises, supply‑chain and platform‑level vulnerabilities, and zero‑day mass exploitation ensures that a single unpatched system can expose hundreds of organizations. External intelligence on MOVEit, Cleo, and Oracle EBS campaigns strongly validates the trends observed in DarkWebSonar's data.

For defenders, DarkWebSonar's real‑time visibility into CL0P's leak‑site activity offers a unique, victim‑centric vantage point: it reveals not only who is being targeted, but which technologies and supply chains are currently under active exploitation. Combined with timely patching and vigilant monitoring, this perspective is critical for reducing exposure to one of today's most dangerous extortion groups.
