When evil eats itself: The fake bounty built by hackers, for hackers

Scammers impersonate Europol to target Qilin ransomware members - The Coinomist

A fake Europol Telegram channel promised $50,000 for information about two Qilin ransomware group members.

On Telegram, scammers impersonating Europol, the EU's law enforcement agency, offered $50,000 for information about two members of the Qilin (Agenda) ransomware group. Europol confirmed to Security Week that the message didn't originate from the agency, noting that it doesn't operate a Telegram channel and that its official accounts are on Instagram, LinkedIn, X, Bluesky, YouTube, and Facebook.

Qilin’s Ransomware-as-a-Service operations

Qilin, created in 2022, operates as a Ransomware-as-a-Service (RaaS) group. In this model, the developers behind the malware recruit affiliates who carry out the actual intrusions and ransomware deployments. Affiliates receive between 15% and 20% of ransom profits, while the core team provides tools, infrastructure, and operational support.

According to cybersecurity researchers from Group-IB, Qilin has links to Russia, with much of its activity and infrastructure tied to Russian-speaking cybercriminal forums. Furthermore, Qilin's attacks tend to avoid targeting organizations within the Commonwealth of Independent States (CIS), a common characteristic of threat actors based in Russia or former Soviet territories.

Two figures stand out in Qilin’s operations: Haise and XORacle. Both are seen as key members who coordinate the group’s RaaS platform and maintain its network of affiliates. Their roles likely include managing negotiations, overseeing technical operations, and keeping the ransomware service active for partners.

This operational model has proven successful – according to Cyble research, Qilin led ransomware activity in July 2025 with 73 claimed victims.

Qilin led ransomware activity in July 2025 with 73 reported victims, followed by INC Ransom and SafePay. Source: Cyble

How Qilin’s ransomware targets victims and demands crypto payments  

Qilin targets organizations in various industries, including education, healthcare, and critical services, across countries such as Australia, Canada, the UK, the US, and others. One of its largest attacks hit the UK healthcare provider Synnovis in June 2024. The group stole around 400GB of sensitive healthcare data and demanded a $50 million ransom to prevent its release. The attack caused major disruptions at multiple hospitals, canceled over 6,000 appointments, and led to a shortage of blood donations.

In March 2025, Qilin targeted Ukraine’s Ministry of Foreign Affairs, stealing and selling data that included private correspondence and decrees. 

Qilin ransomware comes in different versions and can affect Windows and Linux systems. It typically spreads through phishing emails or by exploiting vulnerable remote access tools. Once inside, it can lock files, change their names, and even stop certain programs. The attackers often steal data and threaten to release it online if victims don’t pay. Victims are instructed to contact the attackers via dark web portals or encrypted messaging services, which keeps the criminals anonymous and makes it harder for law enforcement to track them. Ransom payments are requested in cryptocurrencies like Bitcoin or Monero, according to Group-IB. However, paying ransoms offers no guarantee that victims will receive working decryption tools or that stolen data won't be sold regardless.
