Genevieve Stark, head of cybercrime analysis at Google Threat Intelligence Group, said DragonForce could be attempting to attract RansomHub’s affiliates. The hacking group is also believed to be behind attacks on the pages of other rivals, including BlackLock and Mamona, according to Sophos.
Stark warned that whatever the motive, the fallout brings with it an increased risk of cyberattacks. “Instability within the extortion ecosystem can have serious implications for ransomware and data theft extortion victims,” she said.
While double extortions remain rare, US company UnitedHealth Group was the victim of one last year due to a fallout between hacking groups.
In that case, RansomHub was approached by affiliate hacker group, Notchy, to try to extort a second ransom payment after an initial $22 million fee was stolen by Notchy’s original RaaS partner, which faked its disappearance in order to avoid splitting the proceeds, according to cybersecurity experts.
A person familiar with the UnitedHealth hack said multiple extortion attempts were commonplace in cyberattacks, but that follow-up attempts were often opportunistic and lacked credibility.
Rafe Pilling, director of threat intelligence at Sophos, said in a worst-case scenario, the conflict between DragonForce and RansomHub could see them both target the same victim in a battle for business.
“Cybercriminals are a ruthless bunch, and a betrayal between partners can result in a situation where the victim gets extorted twice,” he added.
The global cost of cybercrime is estimated to reach $10 trillion in 2025, according to Cybersecurity Ventures. The figure—which is up from $3 trillion in 2015—comes as hacker groups have increasingly looked to maximise profit through their attacks.
DragonForce, which was first identified in August 2023, listed a total of 82 victims on its dark-web site in the following 12 months, according to cybersecurity firm Group-IB, while RansomHub—which also came to prominence in 2023—reported about 500 victims on its site in 2024.
Jake Moore, global cybersecurity adviser at ESET, warned that the volatility of the situation could make companies’ defence and response tactics more vulnerable.
“Remember this is a Wild West, lawless environment where normal competition rules simply do not apply,” he said.
© 2025 The Financial Times Ltd. All rights reserved. Please do not copy and paste FT articles and redistribute by email or post to the web.
