Following the Snake Trail: How Medusa Built Its Ransomware Empire

What began as a single dark web leak site quickly evolved into one of the most interconnected ransomware ecosystems operating today. The Medusa collective, once perceived as a routine RaaS outfit, now reveals a far more layered and distributed infrastructure, one that spans forums, encrypted messengers, underground markets, and an array of onion domains tied to active malware distribution.

This report retraces Medusa’s digital footprints across these hidden corners of the web. Using StealthMole’s tracking and intelligence capabilities, the investigation uncovers cross-domain overlaps, recurring malware artifacts, shared cryptographic identities, and communication channels that piece together a broader picture of Medusa’s operational sprawl.

What emerges isn’t just a ransomware group: it’s a decentralized cyber economy built on shared resources, recycled infrastructure, and evolving coordination across threat actor communities. The following sections trace that evolution, one trail at a time.


Incident Trigger: The LGB Data Leak (3 October 2025)

On 3 October 2025, StealthMole’s Ransomware Monitoring tool detected a new data leak published by the Medusa ransomware group targeting the Indian automotive manufacturer LGB. The listing appeared on one of Medusa’s primary onion domains, xfv*********************************************qd.onion, under the unique identifier a8***********************b7.

The post featured a short description of the company, highlighting LGB’s legacy as a major supplier of automotive chains, sprockets, and tensioners to both domestic and international OEMs. The leak page followed Medusa’s standard template: the company’s name displayed at the top, accompanied by a countdown timer, basic corporate information, and navigation links to “News,” “Fast Downloads,” and external resources. While the formatting was typical, the post’s timing caught attention, aligning with a recent pattern of Medusa targeting manufacturing and logistics-linked entities across Asia.

At this stage, no ransom note or negotiation trace was publicly visible, but the structure of the listing confirmed it as part of Medusa’s leak archive rather than a fake or spoof domain. The presence of an active detail endpoint suggested it was part of Medusa’s newer backend template for individual victim pages, a design shift noted in the group’s infrastructure since mid-2024.

  • /detail?id=a8******************************b7

The detection of this page marked the starting point of the investigation. What began as a single confirmed leak would soon unravel into a wider infrastructure trail, one that connected multiple onion domains, Telegram handles, and blockchain transactions under Medusa’s evolving ransomware network.


Initial Infrastructure Discovery

The investigation began by profiling the onion domain where the LGB leak first appeared. StealthMole’s dark web tracker revealed that while the leak page followed Medusa’s familiar structure, its underlying architecture wasn’t isolated. The domain pointed to a cluster of interconnected assets that extended beyond a single victim site.

  • xf**************************************************qd.onion

Early correlation checks led to the discovery of an associated file-hosting platform, which appeared in the same infrastructure footprint.

  • https://www.s*******e.com/file/8******a

This linkage hinted at an external exfiltration vector: a staging ground possibly used to store or verify stolen data before public release. The coexistence of this clearnet hosting service alongside the onion-based leak site suggested that Medusa continued its hybrid model of using public and private-facing services to distribute breach material.

Further inspection of the domain revealed yet another address in the same ecosystem. Both domains shared backend characteristics, including directory naming conventions, favicon hashes, and compression patterns in hosted HTML files, indicators that they were maintained under a common administrative backend.

  • hm2*************************************************qd.onion

At this stage, what looked like a routine leak portal began to resemble a layered ecosystem: a web of domains, mirrored infrastructure, and shared hosting components, all interlinked to sustain Medusa’s expanding ransomware operation.


Malware Correlation and Infrastructure Overlap

Once the interconnected onion domains were mapped, the next step was to determine whether they shared more than just visual or structural similarities. Using StealthMole’s dark web tracker, we extracted and cross-referenced malware samples linked to the domains uncovered in the LGB leak.

The first significant cluster originated from Medusa’s primary domain, which was associated with 22 distinct malware hashes. Many of these samples appear to be encrypted installer components and loaders consistent with ransomware delivery chains used by MedusaLocker variants.

  • xfv*****************************************************qd.onion

The 22 hashes observed on the primary domain are:

  • b091*********************************************************e12
  • 08b7*********************************************************0c7
  • 6b80*********************************************************4de
  • 91a3*********************************************************09d
  • 9131*********************************************************86f
  • 44d6*********************************************************2be
  • c9ab*********************************************************db4
  • 0065*********************************************************d64
  • 9ec6*********************************************************353
  • bcd9*********************************************************c42
  • 4991*********************************************************33d
  • 4a0e*********************************************************778
  • 19b6*********************************************************34b
  • a0ce*********************************************************239
  • 0382*********************************************************460
  • f0c**********************************************************c2c
  • 6b6**********************************************************2bc
  • 10c3*********************************************************8ec
  • fe7b*********************************************************473
  • 33ef*********************************************************0d8
  • 3d0**********************************************************327
  • 94f**********************************************************9fe

Subsequent domain pivots through StealthMole linked additional samples to two further Medusa domains. These addresses returned 13 and 18 hashes respectively, with strong overlap: nearly all aligned with the original 22 listed above.

  • 5ar**************************************************tyd.onion
  • uyk**************************************************wyd.onion

The repeated presence of the same malware hashes across different onion domains confirmed that Medusa’s infrastructure was synchronized rather than replicated by coincidence. This distribution pattern pointed to an intentional redundancy framework, ensuring that core payloads remained accessible and functional even if one domain was seized or taken offline.

A further verification run identified another domain, previously mentioned in a Telegram forwarding thread, that exhibited nearly identical malware fingerprints. This consistency across multiple channels established a clear technical signature for Medusa’s operational backbone: a shared malware repository deployed across several mirrored portals.

  • s7l************************************************ad.onion

These findings defined the point where the investigation transitioned from structural mapping to behavioral analysis, setting the stage for exploring Medusa’s activity on external communication platforms and underground forums.


Communication Channels and Telegram Linkages

As the infrastructure map took shape, traces of Medusa’s presence began to appear beyond its onion network. Several references surfaced on public and semi-closed communication platforms, particularly Telegram, where threat actors frequently advertise leak portals, recruit affiliates, and distribute updates to maintain visibility across the underground ecosystem.

A key discovery emerged from a Telegram message traced through StealthMole’s Telegram tracker, where a post from the Atlantis Cyber Army chat room (https://t.me/AI********T) openly shared multiple Medusa onion domains, including the following:

  • s7l**************************************************lad.onion
  • cx5**************************************************3qd.onion
  • xf***************************************************5qd.onion

The inclusion of Medusa’s domains in this channel indicated that its operators were leveraging Telegram not only for promotion but also for cross-group visibility, relying on overlapping networks to expand reach and reputation.

Further queries through the same tracker identified a discussion in the Ra***** **am chat, where a user asked for Medusa’s Telegram contact. The response pointed to the handle @m**********a_s********t, accompanied by the remark “Meduza stealer?”

  • https://t.me/Ra*******am

While the message itself did not confirm a formal affiliation, the naming pattern and timing aligned with Medusa’s known support channels, suggesting a potential link between the ransomware group and infostealer branding operating under the same name cluster.

An additional communication node appeared in the form of a Telegram user under the display name Lemtrix (previously UNDER), who participated in the same chat thread referencing Medusa. Historical profile data showed a pattern of handle changes and cross-channel participation in ransomware-themed groups, reinforcing the likelihood of an overlapping actor base or shared communication environment.

Taken together, these Telegram channels revealed that Medusa’s operational visibility extended well beyond the dark web. Its infrastructure was supported by a loosely connected network of amplifiers, intermediaries, and aliases across cybercrime communication hubs. By embedding its domains and contacts within existing communities like Atlantis Cyber Army and Ransom Team, Medusa achieved persistent circulation without maintaining a permanent public presence, a strategy that mirrors its onion-domain redundancy and reflects a broader emphasis on resilience and decentralization.


Financial Infrastructure and Cryptocurrency Activity

The next layer of correlation focused on Medusa’s financial infrastructure, where cryptocurrency wallets serve as critical identifiers for ransom payments, affiliate commissions, and operational funding. By pivoting from the onion network to blockchain analysis, several Bitcoin (BTC) addresses surfaced that strengthened the linkage between Medusa’s domains and its transactional footprint.

The first wallet identified was bc1*********************************qpu, found embedded in the leak page of LGB on the primary Medusa domain.

  • xfv****************************************************5qd.onion

Blockchain inspection revealed two inbound transactions, one in June 2023 and another in December 2024, totaling 0.000032375 BTC (≈ $39.59). No outgoing transactions were recorded, indicating that this address likely served as a temporary receiving or testing wallet rather than an active ransom collection point.

Its reappearance across multiple Medusa-linked portals confirmed that the group reused wallet addresses for operational or staging purposes, contrary to best practices among more compartmentalized ransomware operations.

A second address, bc1*******************an, was discovered on a subsequent domain.

  • med*********************************************cyd.onion

At the time of analysis, this wallet showed no recorded transactions, suggesting it had been generated but not yet activated. The presence of an unused address alongside an older, active one illustrated Medusa’s ongoing practice of rotating financial endpoints, preparing new wallets in advance while retaining older ones for traceable low-value tests.

This tiered pattern of wallet deployment, combined with minimal on-chain movement, supports the hypothesis that Medusa manages per-victim payment channels externally through encrypted communications such as Tox or Telegram rather than directly embedding them within its leak infrastructure.

Publicly exposed wallets thus appear to function more as infrastructure identifiers than primary ransom receivers, a tactic designed to maintain plausible deniability and obscure financial flows across victims, affiliates, and developers.

Collectively, these findings positioned Medusa’s cryptocurrency activity as an extension of its larger operational philosophy: distributed, compartmentalized, and intentionally opaque. Each observable wallet, like its mirrored onion domains, acts as a disposable node, part of a decentralized web of traceable fragments that only form a complete picture when correlated through multiple intelligence layers.


Extended Infrastructure Discovery

The infrastructure mapping expanded significantly as additional onion services began to surface through successive pivots within StealthMole’s dark web tracker. Each newly identified domain revealed traces of shared assets, backend similarities, or cross-linked indicators that reinforced their association with Medusa’s core ecosystem.

The first expansion came from a reference on Medusa’s own leak portal, which revealed a second domain. This address mirrored the same HTML structure and directory schema as the original leak site, including its unique “/detail?id=” parameter format, confirming it as part of the same infrastructure cluster rather than a spoofed copy.

  • hm2************************************************qd.onion

Further exploration led to the discovery of four additional domains linked through a shared malware hash “4a0************************************78”, with the last of them functioning as Medusa’s chat room portal. Each of these domains hosted overlapping malware sets consistent with the 22-hash corpus observed on the primary domain, confirming their integration within a unified backend framework.

  • 5a****************************************************yd.onion
  • uy***************************************************wyd.onion
  • s7l**************************************************lad.onion
  • med**************************************************4yd.onion

Another discovery from the LGB leak page, 7a***************************************4id.onion, introduced a new communication layer, revealing an associated Tox ID and a Bitcoin wallet previously linked to other Medusa activity.

  • AE***********************************************C

This overlap between contact identifiers and on-chain traces provided the first clear evidence of operational continuity across Medusa’s domains, a single actor maintaining control over multiple infrastructure nodes.

Further pivots revealed three additional domains that extended Medusa’s network:

  • kyf***************************************************qd.onion
  • 62f**************************************************cid.onion
  • medu************************************************ccyd.onion

The last of these was directly linked to the malware hash 3e1**********************f8, which surfaced during deeper artifact analysis. This domain not only shared 14 of the previously recorded hashes but also introduced two new ones:

  • 736***********************************************************70
  • 2c7***********************************************************34

The introduction of these new samples indicated ongoing activity, suggesting that Medusa continues to iterate on its payload infrastructure while retaining historical dependencies for redundancy.

Taken together, these findings revealed a network of at least eleven active onion domains, each linked by overlapping malware artifacts, recurring Tox identifiers, or shared wallet addresses. The pattern illustrated Medusa’s commitment to distributed infrastructure management, ensuring operational persistence through mirrored services and payload deployment.
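The hash-overlap pivots used in the Malware Correlation section (22 hashes on the primary portal, 13 and 18 on two mirrors, nearly all shared) and the "14 known plus two new" observation above are one analytic technique: treat each domain as a set of observed artifact hashes, measure pairwise overlap, and group domains that share artifacts. The script below is an added example written for this report, not StealthMole's code or tool output. Every domain name and hash in it is a constructed placeholder (the real values are redacted in the report), and the `min_shared` threshold is an assumption: a single hash shared by otherwise unrelated sites can be a commodity loader or packer, so an analyst normally requires more than one shared artifact before treating two domains as one backend.

```python
"""Cluster leak-site domains by shared malware artifacts (added example).

Input: a mapping of onion domain -> set of malware hashes observed on it.
Output: pairwise overlap with Jaccard similarity, clusters of domains that
share at least `min_shared` artifacts, and a split of a newly discovered
domain's hashes into already-known versus first-seen.
All domains and hashes below are constructed placeholders, not real IoCs.
"""
from itertools import combinations
from typing import Dict, List, Set, Tuple


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Similarity of two hash sets; 0.0 when both are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def pairwise_overlap(obs: Dict[str, Set[str]], min_shared: int = 1) -> List[Tuple[str, str, int, float]]:
    """(domain_a, domain_b, shared_count, jaccard) for pairs sharing >= min_shared hashes,
    strongest overlap first."""
    rows = []
    for a, b in combinations(sorted(obs), 2):
        shared = len(obs[a] & obs[b])
        if shared >= min_shared:
            rows.append((a, b, shared, round(jaccard(obs[a], obs[b]), 3)))
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows


def cluster_by_shared_artifacts(obs: Dict[str, Set[str]], min_shared: int = 1) -> List[Set[str]]:
    """Union-find over the overlap graph: domains connected by >= min_shared shared
    hashes end up in one cluster. Largest cluster first."""
    parent = {d: d for d in obs}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b, _, _ in pairwise_overlap(obs, min_shared):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra
    groups: Dict[str, Set[str]] = {}
    for d in obs:
        groups.setdefault(find(d), set()).add(d)
    return sorted(groups.values(), key=lambda s: (-len(s), min(s)))


def new_artifacts(known: Set[str], observed: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Split a newly discovered domain's hashes into (already in corpus, first seen here)."""
    return observed & known, observed - known


def _h(i: int) -> str:
    # Constructed placeholder in SHA-256 shape; not a real sample hash.
    return f"c0ffee{i:058x}"


# Constructed corpus: 22 hashes on the primary portal, mirrors carrying subsets,
# and one unrelated site with no overlap at all.
CORPUS: Set[str] = {_h(i) for i in range(1, 23)}
OBSERVED: Dict[str, Set[str]] = {
    "primary-portal.onion": set(CORPUS),
    "mirror-a.onion": {_h(i) for i in range(1, 14)},       # 13 hashes, all from corpus
    "mirror-b.onion": {_h(i) for i in range(3, 21)},       # 18 hashes, all from corpus
    "chat-portal.onion": {_h(i) for i in range(10, 20)},   # 10 hashes, all from corpus
    "unrelated-market.onion": {_h(i) for i in range(100, 105)},
}
# A domain found later: 14 corpus hashes plus 2 never seen before.
NEW_DOMAIN_HASHES: Set[str] = {_h(i) for i in range(5, 19)} | {_h(200), _h(201)}


if __name__ == "__main__":
    for a, b, n, j in pairwise_overlap(OBSERVED):
        print(f"{a} <-> {b}: {n} shared, jaccard={j}")
    for cluster in cluster_by_shared_artifacts(OBSERVED, min_shared=2):
        print("cluster:", sorted(cluster))
    known, fresh = new_artifacts(CORPUS, NEW_DOMAIN_HASHES)
    print(f"new domain: {len(known)} known hashes, {len(fresh)} first-seen")
```

Running it with the constructed data groups the four Medusa-style domains into one cluster and leaves the unrelated site alone; the first-seen set is what an analyst would queue for further artifact analysis, as the report does with the two new hashes. Raising `min_shared` trades recall for precision: at a high enough threshold every domain becomes its own singleton, which is the signal that the evidence for a shared backend is thin.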


Assessment

The investigation into Medusa’s network reveals a ransomware operation built for endurance. Its structure, built from mirrored domains, recurring payloads, and overlapping communication layers, shows a deliberate emphasis on resilience rather than novelty. The consistent reuse of malware artifacts across multiple onion sites points to a single, centrally maintained backend that supports synchronized payload deployment. This design allows Medusa to replicate its infrastructure within hours, ensuring continued visibility and operational continuity even under disruption.

Medusa’s financial and communication layers mirror this same principle. Minimal on-chain movement through recurring Bitcoin wallets, combined with external negotiation channels over Tox and Telegram, reflects an intent to separate functional operations from traceable infrastructure. The group’s selective presence across Telegram networks also reinforces its strategy of using existing communities to extend reach while maintaining a fragmented digital identity. Together, these factors portray Medusa as a methodical, well-coordinated ransomware enterprise sustained through redundancy and controlled exposure.


Conclusion

Medusa’s evolution demonstrates how modern ransomware groups are shifting from static leak sites to adaptive, multi-channel ecosystems. Its mirrored portals, rotating contact layers, and compartmentalized financial methods illustrate an operation designed to persist across takedowns and detection cycles. Each new discovery, whether a hash overlap, wallet reuse, or shared communication trail, adds to a framework defined by consistency and regeneration rather than scale.

By correlating these indicators through StealthMole’s intelligence tools, the investigation traced Medusa’s infrastructure, exposing how the group maintains cohesion across seemingly disconnected assets. The result is a clear view of an actor that thrives on distribution: a network difficult to dismantle, yet increasingly predictable in its design.


Editorial Note

While every effort has been made to ensure the accuracy of this report, it is important to acknowledge that attribution in cyber investigations can never be guaranteed with complete certainty. The connections drawn are based on available open-source intelligence and StealthMole platform data. However, attribution remains probabilistic and subject to change as new information emerges.

The primary goal of this report is not just attribution, but to showcase how StealthMole’s platform enables comprehensive, efficient, and intuitive profiling of threat actors through integrated tools such as Dark Web & Telegram Trackers, ULP Binder, the Compromised Data Set and others. These tools allow even independent researchers to connect dots across aliases, infrastructure, and behavioral patterns, transforming fragmented data into actionable intelligence.
