Securotrop: ransomware and data-leak outfit with 2025 victim roll-up
Tor-hosted leak portal lists 21 victims since July 2025, with multi-hundred-gigabyte claims and staged “published” posts
Securotrop is a ransomware and data-leak outfit first observed in July 2025 that now lists 21 victims on a Tor-hosted portal spanning the United States, Canada, and the United Kingdom; recent entries cite multi-hundred-gigabyte datasets and at least one “published” leak, signaling active coercion through staged disclosures.
Profile
Securotrop operates a Tor leak site where it publishes victim cards that include discovery dates, claimed dataset sizes, and a status field such as “awaiting” or “published.” The brand emerged amid a 2025 wave of extortion-first groups that emphasize public shaming and leak threats over novel encryption techniques. Early social-intel monitors and public trackers began flagging Securotrop in late summer as the portal filled with North American and UK victims.
Victimology and scope
Public roll-ups attribute 21 listed victims to Securotrop with the first discovery on 2025-07-22 and the latest on 2025-10-04. Trackers display an inactivity counter near zero days and an average delay metric estimating time between an alleged incident and public listing, suggesting an active cadence with short lags from compromise to publication. Most named entities appear mid-market, with manufacturing and telecom among the larger claimed datasets.
Top sectors and geographies
Dimension | Breakdown | Count |
---|---|---|
Sector | Manufacturing | 7 |
Sector | Construction | 2 |
Sector | Telecommunication | 2 |
Sector | Business Services | 2 |
Sector | Consumer Services | 1 |
Country | United States | 14 |
Country | Canada | 4 |
Country | United Kingdom | 1 |
Sample recent entries
Late-September to early-October postings include several multi-hundred-gigabyte claims across North American firms, with most entries marked “awaiting” and an earlier Canadian case shown as “published.”
Victim (as listed) | Discovery date | Claimed size | Status |
---|---|---|---|
Mill Bay Marine Group | 2025-10-04 | 536 GB | AWAITING |
Structural Component Systems | 2025-10-02 | 1219 GB | AWAITING |
Allardyce Bower Consulting | 2025-10-01 | 2743 GB | AWAITING |
VRE Systems | 2025-09-08 | 174 GB | PUBLISHED |
Observed infrastructure
The leak portal is exposed via a Tor onion service listed by public trackers. Those listings also show a TOX identifier attributed to Securotrop, indicating a contact channel advertised alongside the portal. These details are observable artifacts tied to the brand’s public presence and do not, by themselves, validate unique infrastructure ownership beyond the leak site identity.
Tactics and posting behavior
Observable behavior centers on data theft, staged posting, and pressure through public listings. Cards present claimed volumes in gigabytes and can change state as coercion escalates. Disclosures emphasize victim naming and dataset size rather than deep technical narratives, leaving limited confirmed visibility into intrusion vectors, tooling, or encryption usage. In broader 2025 context, Securotrop aligns with entrants that lean on branding and leak-site cadence to drive negotiations rather than on distinctive cryptographic methods.
Relationship to ongoing campaigns
Securotrop’s focus on rapid, large-volume claims mirrors the year’s shift toward exfiltration-first extortion. For contrast with availability-focused pressure in the same period, see the South Caucasus overview in the Red Wolf profile. For a separate 2025 incident where consulting artifacts and credentials shaped an extortion narrative at scale, see our coverage of the Red Hat Consulting GitLab breach.
Timeline highlights (2025)
Date | Signal |
---|---|
2025-07-22 | First Securotrop victim entry appears on public trackers. |
2025-08 → 09 | Multiple U.S. and Canadian firms added across manufacturing and services. |
2025-09-08 | VRE Systems listed as “published” with a 174 GB dataset. |
2025-10-01 → 10-04 | New claims cite 2.7 TB, 1.2 TB, and 536 GB across three firms in CA and US. |

Notes: The tracker lists a Tor address for Securotrop’s leak site and a TOX contact ID. These are treated as publicly posted artifacts and do not by themselves validate attribution.
Sources
- https://www.ransomware.live/group/securotrop
- https://x.com/FalconFeedsio/status/1959955638836171238
- https://www.hookphish.com/blog/ransomware-group-securotrop-hits-structural-component-systems/
- https://www.hookphish.com/blog/ransomware-group-securotrop-hits-mill-bay-marine-group/
- https://www.dragos.com/blog/dragos-industrial-ransomware-analysis-q2-2025