Club Atlético River Plate ransomware attack

Argentina’s largest professional football and sports club, Club Atlético River Plate (CARP), is targeted by the Qilin ransomware group on Friday.

The ransomware operators posted the Buenos Aires-based athletic organization on its dark victim blog, actually categorizing the club as "Accounting Services."

The ransomware group did not list the number of gigabytes of data they may have exfiltrated from the sports club’s servers, but did attach an Onion share link containing thousands of files.

Founded in 1901, River Plate is considered the most successful professional football team in Argentina, winning 72 titles overall, and plays at the Estadio Mâs Monumental, the largest stadium in South America. To note, Turkish Airlines is the team jersey sponsor.

With over 350,000 members, the world's largest sports club also has a robust youth division, with team players as young as seven years old.

Qilin Club Atlético River Plate ransomware attack - post — Qilin leak site. Image by Cybernews.

Of those thousands of files, the majority in the leaked index appear to be in PDF, Excel, Word, image, email (.eml), and compressed archive formats (.7z), with some video files as well.

The individual file sizes range from 1 KB to approximately 22 MB, with the largest files being compressed plan archives and technical documents.

Dated between 2021 and 2025, document categories indicated by the file names include invoices, credit notes, budgets, purchase requests (SOLPED), contracts, regulatory forms, technical specifications, architectural plans, and photographic records.

Qilin Club Atlético River Plate ransomware attack - samples — Qilin leak site. Image by Cybernews.

Cybernews has reached out to Club Atlético River Plate and is awaiting a response.

Additionally, Qilin attached five documents to the entry, presumably from the stolen cache. The samples, viewed by Cybernews, appear to include various credit card statements, purchase orders, and contracts.

Qilin ransomware dominates 2025

The Qilin gang claims that it began operating in 2021, although its first known attack was recorded in 2022.

Linked to Russia, Qilin has claimed more than 600 attacks in the past six months alone, aggressively outperforming its ransomware rivals to become the most active gang in 2025.

According to Cybernews' in-house surveillance tool, Ransomlooker, the gang has listed 1085 victims since 2023, including numerous high-profile organizations.

Qilin Ransomlooker stats Dec 4 2025 — Cybernews Ransomlooker snapshot of the most active ransomware gangs in the past six months. December 4th, 2025. Image by Cybernews

The group targeted the controversial cult-like religion Scientology earlier this month.

In November, the gang claimed the digital gaming and casimo powerhouse International Game Technology (IGT), the US-based Cornerstone Staffing Solutions, exposing the resumes of 120,000 job seekers, as well as the North American industrial electrical contractors Spark Power and the Switzerland-based international Habib Bank AG Zurich, allegedly comprising two million files.

A recent profile of the group by Comparitec states that Qilin primarily targets manufacturers, finance companies, retailers, healthcare providers, and government agencies, as these sectors store sensitive information and are most vulnerable to data breaches.

When it comes to affected countries, Qilin has hit the US with the most attacks (375), followed by France (41), Canada (39), South Korea (33), and Spain (26), the research shows.

Known for using a ransomware-as-a-service (RaaS) business model, the cybercriminal group often employs double extortion, demanding a ransom for decryption and then a second payout to guarantee the stolen files will not be leaked.

Qilin Ransomlooker stats Dec 2025 — Cybernews Ransomlooker snapshot of Qilin ransomware activity in 2025, showing 854 victims. December 4th, 2025. Image by Cybernews.

Qilin is known for actively recruiting affiliates on Russian-language hacker forums and avoids targeting Commonwealth of Independent States (CIS) countries, suggesting a Kremlin-aligned agenda.

Recently allied with the notorious Russia-linked gang LockBit and DragonForce, Qilin made waves in October with attacks on Japan's largest beer producer, Asahi Holdings; Volkswagen Group France; California Golf Club of San Francisco (Cal Club); and Israel's 4th-largest hospital, Shamir Medical Center, on Yom Kippur.

Don't miss our latest stories on Google News. Add us as your Preferred Source on Google

Qilin has additionally claimed attacks this year on Nissan Japan's design arm, Creative Box, and US pharmaceutical research conglomerate Inotiv, and US pharmacy benefits manager MedImpact Healthcare Systems.

Other past Qilin victims further include California PR firm Singer Associates, energy and manufacturing giant SK Group, US newspaper conglomerate Lee Enterprises, the Houston Symphony, Detroit’s PBS TV station, top North American auto parts suppliers Yanfeng in China, and the Utsunomiya cancer treatment center in Japan.

Unlock more exclusive Cybernews content on YouTube.