Introduction
DarkVault is a versatile and opportunistic threat actor first observed in late 2023. Rather than being a traditional ransomware operation, it acts broadly as a data broker and extortion ensemble, publishing victim information—like company names and industries—via Tor-leak sites. Activities reportedly include doxing, website defacement, bomb threats, malware distribution, and swatting, suggesting a diversified cybercriminal portfolio beyond simple ransomware, often framed as an “exclusive online community.” While the leak site design mirrors LockBit 3.0, there is no verified technical evidence linking DarkVault to LockBit’s codebase. No ransomware executables or encryption tools have been confirmed; its role appears centered on data exposure and extortion without enforced file encryption.
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
Information pending cataloguing.
Attribution and Evidence
Information pending cataloguing.
References
References pending cataloguing.