Overview
The LeakNet ransomware group has claimed responsibility for a data breach at SWAN General Limited, a Mauritius-based insurance provider.
According to the group’s dark web leak portal, the attackers allege exfiltration of hundreds of gigabytes of sensitive data, including:
- Customer identification documents (IDs, passports)
- Insurance policy contracts and claims records
- Financial documents and transaction logs
- HR files and internal communications
While the data dump’s authenticity has not been independently verified, the claim points to the continued targeting of financial and insurance institutions, which hold large volumes of personally identifiable information (PII) and sensitive business datasets.
What Happened
| Field | Details |
|---|---|
| Date of Claim | August 13, 2025 |
| Threat Actor | LeakNet ransomware group |
| Target Organization | SWAN General Limited (Mauritius) |
| Alleged Data Theft | Hundreds of GB of internal and customer data |
| Extortion Tactic | Threat to leak stolen data unless ransom paid |
The posting is consistent with LeakNet’s double extortion model—where data is stolen before encryption and leveraged as pressure in ransom negotiations.
About LeakNet
LeakNet is a relatively new but fast-growing ransomware and data extortion group, active since late 2024.
Key Characteristics
- Operates a “double extortion” model: encrypt + exfiltrate + leak
- Maintains a darknet leak portal listing victims
- Targets sectors with high-value data—insurance, healthcare, manufacturing, banking
Notable Activity (2024–2025)
- Manufacturing targets in Asia
- Healthcare providers in Europe
- Banks and insurers in Africa
The pattern highlights LeakNet’s focus on financial gain via exposure of sensitive records, which are resold in underground markets or weaponized for further attacks.
Potential Impact
If the claim against SWAN General Limited is accurate, risks include:
- Customer Exposure → Policyholder PII and ID documents could fuel identity theft and fraud
- Regulatory Scrutiny → Possible investigation under the Mauritius Data Protection Act (GDPR-aligned)
- Operational Disruption → Data theft may undermine trust and disrupt operations
- Secondary Threats → Exposed data could drive phishing, social engineering, or insider attacks
Indicators of Compromise (IOCs)
⚠️ Note: These IOCs are based on past LeakNet campaigns—specific artifacts tied to SWAN General Limited have not been confirmed.
Malware Hashes
- b37a3f93f9f5c9d3a9a1a2f0a2a8c933 – Ransomware loader (SHA-256)
- c11f2a0a4b1a0a76bbf0d7d7f7ac445e – Credential harvester (SHA-256)
C2 Infrastructure (2025)
- leaknet[.]onion – Darknet leak site
- 185.234.217[.]99 – Known C2 node
- 103.145.13[.]72 – Staging server for exfiltration
File & Registry Artifacts
- Dropped executable → %AppData%\Local\Temp\svhost.exe
- Registry modification → HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svhost
Observed TTPs (MITRE ATT&CK)
- Initial Access: Exploitation of public-facing apps (T1190), Spear-phishing (T1566)
- Execution: PowerShell/Scripting (T1059)
- Credential Access: LSASS dumping (T1003)
- Persistence: Registry Run keys (T1547.001)
- Exfiltration: Staging & compression (T1560), Exfiltration over Web/SMB (T1041)
- Impact: File encryption (T1486), Data exposure via leak portals
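As an added example that is not part of the original post and not code from the MINE2 team, the following Python loads the IOCs listed above, refangs them, and runs them across a handful of constructed telemetry events resembling process, registry and network-connection records. One caveat worth building into any IOC ingest: the two hashes above are 32 hex characters long, which is the length of an MD5 digest, whereas a SHA-256 digest is 64; the loader below checks each hash against its declared algorithm and rejects mismatches instead of pushing an unverifiable value into a blocklist. The Run key is matched on its sub-key path because endpoint telemetry records HKCU as HKU\<SID>. Hostnames, SIDs and the benign IP in the sample events are made up.

```python
import re

# Hex-digest length for each algorithm a feed may declare.
HASH_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

# IOCs exactly as the advisory lists them (still defanged; labels are the advisory's).
RAW_IOCS = [
    ("hash", "sha256", "b37a3f93f9f5c9d3a9a1a2f0a2a8c933", "Ransomware loader"),
    ("hash", "sha256", "c11f2a0a4b1a0a76bbf0d7d7f7ac445e", "Credential harvester"),
    ("domain", None, "leaknet[.]onion", "Darknet leak site"),
    ("ip", None, "185.234.217[.]99", "Known C2 node"),
    ("ip", None, "103.145.13[.]72", "Staging server for exfiltration"),
    ("path", None, r"%AppData%\Local\Temp\svhost.exe", "Dropped executable"),
    ("regkey", None, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svhost",
     "Registry Run key persistence (T1547.001)"),
]


def refang(value: str) -> str:
    """Turn defanged notation back into a matchable value."""
    return value.replace("[.]", ".")


def load_iocs(raw):
    """Validate and normalise IOCs. Returns (accepted, rejected).

    A hash is rejected when its length does not match the declared algorithm,
    so an unverifiable value never silently enters a blocklist."""
    accepted, rejected = [], []
    for kind, algo, value, desc in raw:
        if kind == "hash":
            digest = value.lower()
            expected = HASH_HEX_LEN.get(algo)
            if not re.fullmatch(r"[0-9a-f]+", digest) or len(digest) != expected:
                rejected.append((value, f"declared {algo}: {len(digest)} hex chars, expected {expected}"))
                continue
            accepted.append((kind, digest, desc))
        else:
            accepted.append((kind, refang(value).lower(), desc))
    return accepted, rejected


# Constructed endpoint/network telemetry (hostnames, SIDs and the benign IP are made up).
SAMPLE_EVENTS = [
    {"host": "ws-017", "type": "process",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svhost.exe"},
    {"host": "ws-017", "type": "registry",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svhost"},
    {"host": "ws-017", "type": "netconn", "dest": "185.234.217.99", "port": 443},
    {"host": "srv-fs01", "type": "netconn", "dest": "103.145.13.72", "port": 443},
    {"host": "ws-042", "type": "process",
     "image": r"C:\Windows\System32\svchost.exe"},  # legitimate; must not match 'svhost'
    {"host": "ws-042", "type": "netconn", "dest": "142.250.74.46", "port": 443},
]


def match_events(events, iocs):
    """Return one alert per (event, IOC) hit."""
    alerts = []
    for ev in events:
        for kind, value, desc in iocs:
            hit = None
            if kind == "hash" and ev.get("sha256", "").lower() == value:
                hit = ev["sha256"]
            elif kind == "path" and "image" in ev:
                # Drop the %AppData% prefix and compare the tail of the expanded path.
                tail = value.split("%")[-1]
                if ev["image"].lower().endswith(tail):
                    hit = ev["image"]
            elif kind == "regkey" and "target" in ev:
                # Sysmon/EDR record HKCU as HKU\<SID>, so compare everything below the hive.
                subkey = value.split("\\", 1)[1]
                if ev["target"].lower().endswith(subkey):
                    hit = ev["target"]
            elif kind in ("domain", "ip") and ev.get("dest", "").lower() == value:
                hit = ev["dest"]
            if hit is not None:
                alerts.append({"host": ev["host"], "ioc": value, "desc": desc, "evidence": hit})
    return alerts


if __name__ == "__main__":
    accepted, rejected = load_iocs(RAW_IOCS)
    for value, reason in rejected:
        print(f"REJECTED {value}: {reason}")
    for a in match_events(SAMPLE_EVENTS, accepted):
        print(f"ALERT {a['host']}: {a['desc']} <- {a['evidence']}")
```

Run as-is, the script rejects both hashes for the length mismatch and raises four alerts on the constructed events (the dropped executable path, the Run key, and connections to the C2 and staging addresses), while the legitimate `svchost.exe` on the second workstation does not match.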
Recommendations for Organizations
This incident reinforces defensive priorities for organizations, especially in insurance and finance:
1. Strengthen Data Protection
- Encrypt sensitive customer and financial data at rest and in transit
2. Monitor for Data Exfiltration
- Deploy DLP solutions
- Monitor for abnormal outbound traffic
3. Segment Critical Systems
- Isolate sensitive workloads and backups to reduce lateral movement
4. Enhance Incident Response
- Update playbooks for data extortion-only attacks (without encryption)
5. Transparency & Communication
- If breach confirmed, notify regulators and affected customers promptly
6. Threat Hunting & Intel Sharing
- Monitor leak portals for brand exposure
- Engage with ISACs for cross-sector early warnings
7. Block Known IOCs
- Ingest threat feeds and block IPs, domains, and hashes tied to LeakNet
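Recommendation 2 above calls for monitoring of abnormal outbound traffic. One concrete form of that check, shown here as an added example that is not from the original post or the MINE2 team, is a per-host volumetric baseline: sum outbound bytes per host per day, then flag a day that stands well outside the host's own history. A file server that ships about 2 GB of backups every night should not alert, while a workstation that normally sends tens of megabytes and suddenly sends 9 GB should. The flow records are constructed, and the destination addresses are documentation-range IPs.

```python
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000


def build_sample_flows():
    """Constructed flow records (day, host, dst_ip, outbound_bytes); not real traffic.
    Each host's last day is the day under review."""
    history_mb = {
        "ws-017":   [48, 61, 55, 72, 50, 66, 58, 9200],                  # ~9 GB out on the last day
        "srv-fs01": [2100, 2050, 2200, 2120, 2080, 2150, 2110, 2130],    # steady nightly backup volume
        "ws-042":   [60, 60, 60, 60, 60, 60, 60, 75],                    # zero-variance baseline, small bump
    }
    flows = []
    for host, per_day in history_mb.items():
        for i, mb in enumerate(per_day):
            day = f"2025-08-{i + 1:02d}"
            total = mb * MB
            # Split each day across two destinations so aggregation is exercised.
            flows.append((day, host, "198.51.100.7", total // 2))
            flows.append((day, host, "203.0.113.9", total - total // 2))
    return flows


def daily_outbound(flows):
    """Sum outbound bytes per host per day -> {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, out_bytes in flows:
        totals[host][day] += out_bytes
    return totals


def find_exfil_candidates(flows, review_day, z=3.0, floor_ratio=0.2, min_bytes=500 * MB):
    """Flag hosts whose outbound volume on review_day exceeds their own baseline.

    threshold = max(mean + z * max(std, floor_ratio * mean), min_bytes)
    floor_ratio keeps a zero-variance host from alerting on any change at all;
    min_bytes keeps low-volume hosts from alerting on trivial absolute increases."""
    totals = daily_outbound(flows)
    findings = []
    for host, per_day in totals.items():
        baseline = [b for d, b in per_day.items() if d < review_day]
        today = per_day.get(review_day)
        if today is None or len(baseline) < 5:
            continue  # not enough history to judge
        mu = mean(baseline)
        sigma = max(pstdev(baseline), floor_ratio * mu)
        threshold = max(mu + z * sigma, min_bytes)
        if today > threshold:
            findings.append({
                "host": host, "day": review_day, "bytes": today,
                "baseline_mean": int(mu), "threshold": int(threshold),
                "ratio": round(today / mu, 1),
            })
    return findings


if __name__ == "__main__":
    for f in find_exfil_candidates(build_sample_flows(), "2025-08-08"):
        print(f"{f['host']} {f['day']}: {f['bytes'] // MB} MB out, "
              f"{f['ratio']}x its baseline mean of {f['baseline_mean'] // MB} MB")
```

On the constructed data only ws-017 is reported, at roughly 150 times its baseline; srv-fs01 stays quiet because its backup volume is its baseline, and ws-042's small increase never clears the absolute floor. Because LeakNet stages and compresses data before sending it (T1560), this volumetric check pairs naturally with alerts on archive creation by unusual processes and on the staging-server address listed in the IOC section.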
Conclusion
The alleged LeakNet ransomware breach of SWAN General Limited underscores the financial sector’s exposure to double extortion campaigns.
Even without encryption, the threat of exposure carries significant risks—from regulatory fines to customer harm.
As ransomware groups evolve, financial and insurance organizations must adopt proactive defense strategies:
- Patch aggressively
- Harden authentication and credential hygiene
- Encrypt high-value datasets
- Monitor IOCs
- Share intelligence within the sector
In an era of data-driven extortion, protecting both systems and the sensitive data inside them is critical to resilience.
mine2 team
The MINE2 team consists of cybersecurity experts, researchers, and engineers dedicated to advancing threat detection and cyber deception technologies.