Sinobi Ransomware: Between Real Leaks and Fabricated Personas

In early July 2025, a new ransomware name began to circulate across the dark web. It called itself Sinobi, and at first, it appeared to be just another player in the crowded underground. Its site looked familiar, its tone measured, its promises routine. But in the weeks that followed, activity surrounding Sinobi began to grow at a pace few new groups managed to sustain. By October, it had already listed dozens of victims, most of them in the United States, and its operations showed signs of coordination that suggested more than a passing experiment.

At first glance, Sinobi’s infrastructure followed a predictable pattern. It maintained a mirrored network of leak and negotiation portals, ran both Tor and clearnet gateways, and relied on multiple encrypted channels for communication. The structure was efficient, even professional. Yet certain details stood out. Domains appeared and disappeared within hours. Identifiers linked to the group surfaced in unexpected places. Mentions of Sinobi began to spread through Telegram spaces connected to well-known threat groups, far beyond what a newcomer could normally reach.

Behind those fragments was a story that did not entirely fit the usual mold of ransomware expansion. What began as a technical investigation into new infrastructure soon unfolded into a broader look at how reputation, identity, and visibility are built in the cyber underground. The deeper the trail went, the less clear it became where Sinobi’s genuine operations ended and where the noise around it began.


Incident Trigger and Initial Detection

Sinobi first appeared on StealthMole’s radar in early July 2025, when our system detected a new ransomware leak portal circulating through restricted dark web channels. At the time of its discovery, the site already listed its first confirmed victim, establishing Sinobi as an operational ransomware entity rather than a speculative or developing brand.

Initial analysis of the domain revealed a layout consistent with established ransomware portals. It featured a dedicated leak section, a negotiation interface, and a structured framework for publishing compromised data. What distinguished Sinobi, however, was its level of organization at launch. Most ransomware groups appear gradually, introducing infrastructure in stages before releasing verified leaks. Sinobi surfaced fully operational: its leak pages, mirrored domains, and embedded contact identifiers were already active from the outset.

From that point onward, Sinobi’s activity grew at an exceptional rate. Between 7 July and 8 October 2025, StealthMole recorded a total of 67 confirmed victims attributed to the group. The majority of these belonged to organizations headquartered in the United States, followed by a smaller number of targets in Canada, Germany, and Italy. The victim profile pointed toward mid-sized enterprises involved in textile manufacturing, logistics, industrial materials, and consumer goods, sectors often characterized by operational dependency and limited cyber resilience.

The group’s pace accelerated sharply in October. Within the first eight days of the month, Sinobi listed 33 new victims, effectively doubling its total count in just over a week. This spike suggested either an expansion of affiliates or an automated deployment of prepared payloads across pre-compromised networks.

The most recent confirmed breach, detected on 8 October 2025, targeted Sun Fiber, a US-based producer of textile mill products. The company’s name appeared on Sinobi’s primary leak domain and was later mirrored across several affiliated onion portals tracked by StealthMole’s dark web tracker. The inclusion of a known, regionally recognized manufacturer reinforced Sinobi’s apparent interest in the American industrial sector and indicated a focus on firms integrated into broader supply chains.


Infrastructure Mapping: From Core Domain to Distributed Network

The first trace of Sinobi’s infrastructure appeared through its primary leak domain, which served as the main publication site for its attacks. The domain followed the standard structure of a ransomware leak portal, with clearly defined sections for victim listings, data leaks, and negotiation access. Yet its deployment showed a level of readiness uncommon for a new operation. Within days of its discovery, StealthMole identified additional domains replicating the same content, each synchronized to the original portal.

  • sinobi*********************************************yd.onion

These duplicates were not stand-alone instances but part of a mirrored network. As new victims were added to the primary site, the same updates appeared almost instantly across the others. The replication speed suggested the presence of a central management system capable of pushing identical content to multiple locations at once. StealthMole had mapped fourteen active onion domains tied to Sinobi’s leak operations. All carried identical interfaces, time-stamped entries, and even mirrored server response patterns, pointing to an automated deployment framework.

Each of these domains carried identical titles, victim lists, and contact markers, confirming automated synchronization. The thirteen newly identified domains are masked in this published version of the report.

StealthMole’s dark web tracker connected seven malware hashes to the same infrastructure, each containing embedded references to Sinobi’s onion network. The payloads were near-identical, differing only by minor timestamp variations, indicating controlled versioning rather than independent affiliate builds. This consistency reflected a coordinated backend system rather than an open ransomware-as-a-service model.

Beyond the Tor environment, Sinobi also operated two clearnet bridges under the subdomain structure login.sinobi.us.org. The first, c*****.login.sinobi.us.org, functioned as a negotiation portal for victims, while b****.login.sinobi.us.org mirrored leaked content from the primary site. These additional gateways made Sinobi’s operations accessible outside the Tor network, ensuring both availability and visibility even if the onion infrastructure went offline.

The overall structure suggested planning rather than improvisation. Every layer of the network, from its mirrored sites and synchronized content to its redundant access points, was designed to sustain pressure on victims while maintaining operational continuity. At this stage, Sinobi’s presence appeared tightly organized, but as we followed the identifiers embedded within its domains, the investigation began to reveal connections extending far beyond its immediate infrastructure.


Communication Channels and Cross-Platform Presence

As the mapping of Sinobi’s infrastructure progressed, it became clear that the group’s operations extended beyond its leak and negotiation sites. Embedded across these domains were multiple contact identifiers pointing to external communication platforms commonly used in ransomware negotiations. When examined through StealthMole, these identifiers revealed a pattern of activity consistent across both dark web and encrypted channels.

The contact points associated with Sinobi were consistent across its portals and related mentions. These included:

  • Emails: mi************@yax.im, mi*************@tutamail.com, se*******************p@tuta.io
  • Session ID: 050*********************************************a41
  • TOX ID: 4F048*************************************************71
  • Telegram: t.me/s***********s

The presence of a Session ID and TOX identifier within the contact section of Sinobi’s portals reflected the group’s use of end-to-end encrypted communication methods, a practice common among modern ransomware operations to maintain anonymity and prevent message interception. These identifiers, along with the email handles, remained uniform across all mirrored leak sites, suggesting centralized management rather than affiliate-based administration.

StealthMole’s Telegram Tracker provided further insight into how Sinobi maintained visibility beyond its onion network. The group’s Telegram handle, @s******s, was identified through a message posted on 18 August 2025 within the Shiny Groups channel. The same message, referencing Sinobi’s activity, was subsequently forwarded across several well-known ransomware and data-trading spaces, including Scattered LAPSUS$ Hunters, ALPHV (BlackCat), Aegis, Babuk Locker V2, Data World All, Babuk Groups Officials, and RaidForums Office.

The overlap was striking. These were the very same channels that had previously amplified Scattered LAPSUS$ Hunters, reposting its messages almost word-for-word earlier in the year. Now, they were doing the same for Sinobi. The timing and distribution followed a familiar rhythm: identical content appearing in the same sequence across interconnected spaces.

To an outside observer, the repetition could easily appear as broad underground validation, with multiple groups amplifying and recognizing Sinobi’s rise. In reality, the uniformity of posting patterns suggested a controlled distribution network, one that had already been observed promoting other emerging collectives through coordinated amplification.

Further analysis of the Session ID uncovered references on dark web forums, where posts linked to the same identifier and TOX address were used to share or repackage leaked material attributed to Sinobi. This cross-appearance reinforced the connection between Sinobi’s operational infrastructure and a broader ecosystem of accounts that circulated its content beyond its own domains.

Through these findings, Sinobi’s communication network emerged as a blend of structured operational channels and public-facing amplification nodes. The consistency of its identifiers demonstrated deliberate control, while the wider distribution of its messages pointed to a secondary layer of visibility maintained through shared or sympathetic channels. Tracing that overlap would soon lead to a clearer understanding of how Sinobi’s ransomware activity became intertwined with a parallel network of impersonation and recycled identities operating under its name.


Attribution and the Illusion of Amplification

Patterns within Sinobi’s communication network began to converge around a familiar structure. The same Telegram clusters that had once elevated Scattered LAPSUS$ Hunters were now promoting Sinobi with identical precision: forwarding the same messages, using the same timing, and following the same chain of distribution. To a casual observer, this appeared as a network of loosely affiliated ransomware collectives acknowledging a new actor’s arrival. But deeper tracing revealed that the reality was far narrower.

StealthMole’s analysis found that several of these channels shared overlapping digital markers, including identical forwarding chains, matching administrator handles, and in some cases, recurring contact identifiers. These parallels echoed findings from the earlier Scattered LAPSUS$ Hunters investigation, where a small set of operators managed multiple Telegram entities, using them to amplify one another’s messages. By cross-posting their own content under different banners, they created the illusion of broad underground consensus, an echo chamber built for visibility.
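The two signals this investigation leans on, the same item appearing on several nodes within seconds of one another (the mirrored leak domains described earlier) and contact identifiers common to every node (the uniform handles across the portals, the overlapping markers in the Telegram channels), can be checked with one small correlation routine. The following is an added example, not StealthMole's tooling; node names, timestamps and identifiers are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample (placeholder names, not real indicators). A node is an onion mirror
# or a Telegram channel; an item is a victim entry or a forwarded message.
OBSERVATIONS = [  # (node, item, first_seen, identifiers displayed alongside the item)
    ("leak-primary.onion", "victim-A", "2025-10-01T10:00:00", {"session:S1", "tox:T1"}),
    ("mirror-1.onion",     "victim-A", "2025-10-01T10:00:05", {"session:S1", "tox:T1"}),
    ("mirror-2.onion",     "victim-A", "2025-10-01T10:00:09", {"session:S1", "tox:T1"}),
    ("leak-primary.onion", "victim-B", "2025-10-03T14:30:00", {"session:S1", "tox:T1"}),
    ("mirror-1.onion",     "victim-B", "2025-10-03T14:30:03", {"session:S1", "tox:T1"}),
    ("mirror-2.onion",     "victim-B", "2025-10-03T14:30:11", {"session:S1", "tox:T1"}),
    ("forum-repost",       "victim-A", "2025-10-04T09:12:00", {"email:E9"}),  # unrelated repost
]

def node_profiles(observations):
    """Per node: {item: earliest sighting} and the union of identifiers shown with it."""
    content, idents = defaultdict(dict), defaultdict(set)
    for node, item, ts, ids in observations:
        t = datetime.fromisoformat(ts)
        if item not in content[node] or t < content[node][item]:
            content[node][item] = t
        idents[node] |= set(ids)
    return content, idents

def find_synchronized(observations, max_lag=60.0, min_shared=2):
    """Cluster nodes that publish at least min_shared identical items within max_lag
    seconds of one another. Returns {frozenset(nodes): median lag in seconds}."""
    content, _ = node_profiles(observations)
    nodes = sorted(content)
    parent = {n: n for n in nodes}  # union-find over synchronized pairs
    def root(n):
        while parent[n] != n:
            n = parent[n]
        return n
    lags = {}
    for i, a in enumerate(nodes):
        for b in nodes[i + 1:]:
            shared = set(content[a]) & set(content[b])
            l = [abs((content[a][k] - content[b][k]).total_seconds()) for k in shared]
            if len(l) >= min_shared and max(l) <= max_lag:
                parent[root(a)] = root(b)
                lags[(a, b)] = l
    groups = defaultdict(list)
    for n in nodes:
        groups[root(n)].append(n)
    return {frozenset(m): median(x for pair, l in lags.items() if pair[0] in m for x in l)
            for m in groups.values() if len(m) > 1}

def shared_identifiers(idents, members):
    """Contact handles common to every node of a cluster, a centralized-control signal."""
    return set.intersection(*(idents[m] for m in members))
```

A late repost by an unrelated account shares content but fails the lag test and carries different identifiers, so it is kept out of the cluster rather than counted as amplification.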

When Sinobi’s identifiers were run through StealthMole’s Session and Telegram correlation modules, they intersected with the same network previously linked to those amplification patterns. The Session ID appeared in unrelated dark forum posts, alongside the email address b********s@proton.me, a contact long associated with the impersonator cluster that had posed as multiple ransomware groups earlier in the year. The discovery added a new dimension to Sinobi’s story: while its leaks and infrastructure were authentic, its public-facing voice appeared to have been shaped, at least in part, by the same network known for constructing false identities and manufactured narratives.

  • 050**************************************************a41

This overlap became even more significant when, on 23 September 2025, Indonesian police announced the arrest of an individual believed to be the hacker “Bjorka.” Subsequent reports clarified that the person in custody was an impersonator operating under the alias, responsible for managing a network of channels and accounts used to mimic various ransomware brands, including ShinyHunters, Babuk, and BlackCat. Following the arrest, all of the Telegram channels previously involved in Sinobi’s amplification went silent, a sudden and complete drop in activity that mirrored the earlier network’s collapse.

The timing was too precise to ignore. Sinobi’s onion infrastructure remained active, and its leak sites continued to update, yet the promotional layer surrounding it disappeared overnight. This suggested that the amplification network and the impersonation cluster were one and the same, managed by a single entity or small team that had been central to multiple campaigns.


Conclusion

Sinobi’s trajectory offers a clear view of how modern ransomware groups evolve and how perception has become as important as infrastructure. From its first recorded breach in July 2025, the group demonstrated genuine operational capability: real victims, functional encryption payloads, and a mirrored leak system built for resilience. Yet around this operational core existed something less tangible but equally powerful, a curated narrative of visibility sustained through repetition and impersonation.

StealthMole’s investigation revealed that Sinobi’s technical backbone and its public persona did not always align. The ransomware infrastructure functioned independently, continuing to publish leaks and maintain activity even after the broader amplification network vanished. The promotional layer surrounding it, however, proved synthetic, an artifact of coordinated cross-posting by a small circle of actors controlling multiple Telegram spaces.

This duality underscores a wider shift within the underground ecosystem. Modern threat groups no longer rely solely on encryption tools or data exfiltration to exert pressure; they build presence. By managing perception, through mirrored channels, recycled identities, and staged recognition, they amplify impact far beyond their technical reach. For analysts, distinguishing between authentic operations and performative signals has become as critical as identifying the ransomware families themselves.

Sinobi sits precisely at that intersection. Its intrusions are real, its victims verifiable, its leaks authentic. Yet its rise was shaped by a network skilled in manipulation and presentation. The result is a hybrid operation, part ransomware campaign, part performance, reflecting how today’s cyber underground blends technical precision with narrative control.

Through StealthMole, this investigation separated structure from spectacle, isolating verifiable compromise from managed illusion. In doing so, it showed not only how Sinobi operates but also how the digital stage around it was built and, just as quickly, how it began to unravel.


Editorial Note

As with all dark web investigations, cyber attribution is inherently probabilistic. The deliberate use of noise, recycled brands, and overlapping identities makes disentangling one actor from another difficult by design. Yet, as this case demonstrates, patterns of continuity persist. Session IDs, recycled usernames, forwarded posts, and deleted channel traces leave artifacts that resist obfuscation.

This investigation, using StealthMole’s indexing of deleted Telegram channels, correlation of session-level artifacts, and ability to track historical infrastructure reuse, shows how apparent chaos can be methodically unpacked. What emerges is a portrait not of fragmentation but of persistence: a core operator set leveraging masks, rebrands, and theatrics to preserve its centrality within the cybercrime underground.

The story of Sinobi, therefore, is not the birth of a new collective, but the reassertion of continuity under conditions of instability.

To access the unmasked report or full details, please reach out to us separately.

Contact us: support@stealthmole.com