Overview

DragonForce has quickly emerged as one of the more disruptive additions to the ransomware landscape, operating with a self-managed infrastructure and targeting victims across multiple regions. Initially surfacing in late 2023, the group has since escalated its operations, moving from symbolic attacks to data extortion campaigns involving terabytes of stolen material.

What distinguishes DragonForce from more traditional ransomware actors is not just their infrastructure setup, but their visible push for operational independence. With incidents recorded across North America, Europe, Asia, and the Middle East, the group has positioned itself as a global threat operating largely outside of the usual affiliate frameworks.

This report traces DragonForce’s evolution through leaked samples, negotiation artifacts, dark web forums, and infrastructure signals. It also highlights the group’s latest campaigns, offering a closer look at how this actor is reshaping the ransomware threat surface across both public and private sectors.

Recent Victim Activity and Geographic Spread

DragonForce’s targeting in late July 2025 reveals a continued emphasis on small to mid-sized enterprises, strategically selected across multiple regions. The most recent breach disclosures, observed on their dark web leak site and confirmed through indexed file server activity, include companies spanning Italy, Germany, the United States, and Lebanon. Each case reinforces the group’s flexible operational model and growing confidence in executing parallel extortion campaigns.

The latest known compromise occurred on 31 July 2025, targeting Framon S.p.A., an Italian industrial design and manufacturing company (domain: framon.it). As with prior incidents, the group published a preview of allegedly exfiltrated data on its leak portal, threatening full disclosure unless ransom demands were met.

Just days earlier, on 28 July, the group listed Software Design Consulting Group, a Lebanon-based IT and project management firm. This marks one of the first verified DragonForce incidents involving a Lebanese entity and expands the group’s documented activity further into the Middle East.

On the same day, DragonForce also claimed responsibility for targeting a Missouri-based law firm, Vontava Nantz & Johnson LLC. The group reportedly has access to around 100 GB of data, including customer files, which it has already released.

In the U.S., Emerson Chiropractic, a private healthcare business, appeared on DragonForce’s leak site on 25 July. The targeting of healthcare-related entities, especially small clinics, reflects a growing trend of exploiting sectors with low tolerance for downtime and minimal cybersecurity maturity.

That same day, the group also claimed responsibility for breaching md-labels-gmbh.com, a German labeling and printing firm. The diversity of industries affected, from healthcare to industrial labeling, signals opportunistic targeting rather than vertical specialization.

While these campaigns differ in industry and geography, they all follow DragonForce’s signature disclosure pattern: limited file previews, structured data trees, and deadlines enforced through public countdown timers. These incidents further validate DragonForce’s commitment to scaling its ransomware operations while maintaining full control over leak and negotiation infrastructure.

Technical Infrastructure and Ransomware Operations

While DragonForce’s branding evokes a typical ransomware collective, their operational stack blends elements of both hacktivist signaling and profit-driven extortion. Unlike more sophisticated ransomware-as-a-service (RaaS) crews, DragonForce favors direct infrastructure control, opting to self-manage their ransomware leak sites, negotiation portals, and data dumps, all hosted on the Tor network.

StealthMole traced DragonForce’s activity across multiple .onion domains, including: