Mobilelink US, the nation’s largest authorized dealer for Cricket Wireless cellular phones and service, was claimed by the DragonForce ransomware group on Tuesday.
-
DragonForce claims Cricket Wireless dealer, Mobilelink USA, breach with 5TB of stolen data, threatening publication in 6 days.
-
Hack potentially compromises customer data across 550+ Cricket Wireless stores in 21 US states.
-
Recently allied with Qilin and the resurrected LockBit gang, the Russian ransomware gang has claimed 185 victims in 12 months.
The Russian-linked hacking cartel claims to have siphoned over 5TB of data from the Sugarland, Texas-based retailer, posting the Mobilelink USA logo on its dark leak site, along with several other victims, including Capital Star Oil and Gas in Houston.
The DragonForce entry also displays a countdown clock, apparently giving the private Cricket Wireless retailer roughly 6 days and 16 hours to meet the ransomware gang’s demands before the stolen 5.04TB cache is published on its leak site.
The cybercriminal group has posted limited information in its blog entry, omitting any proof samples, details of the allegedly stolen data from Mobilelink networks, or any mention of how many files it has in its possession.
Operating across 21 US states, the rapidly expanding telecommunications provider boasts 550 Cricket retail stores and more than 650 employees, according to its website.
Mobilelink USA provides no annual contract, unlimited 5G LTE cellular service, prepaid plans, mobile phones, and phone accessories exclusively to a subset of Cricket Wireless customers, whose parent company, AT&T, listed at 13 million customers in 2022.
In addition to internal company data, the vast number of Cricket Wireless customers across the US suggests the breach could potentially expose millions of sensitive personally identifiable information (PII), as well as financial data, putting compromised individuals at serious risk of identity theft and targeted phishing attacks.
Store locations include Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Kentucky, Maryland, Michigan, Mississippi, Missouri, Nevada, New Jersey, New York, North Carolina, Ohio, Pennsylvania, Tennessee, West Virginia, and Wisconsin.
Cybernews has reached out to Mobilelink USA and is awaiting a response at the time of this report.
Who is DragonForce?
DragonForce has become one of the most notorious ransomware cartels currently operating in 2025, and is said to be aligned with the Kremlin agenda.
The gang recently made headlines after being linked to the devastating attacks on major British retailers, Marks and Spencer (M&S), Belk, and Co-op stores this spring, allegedly in coordination with the infamous Scattered Spider ransomware gang.
According to the Cybernews dark web monitoring tool Ransomlooker, DragonForce has attacked 185 organizations in 2025, with 130 of those attacks taking place in the past six months.
First spotted in 2023, the DragonForce gang announced in October a new collaborative ransomware-as-a-service (RaaS) alliance with two of the most prominent players in the ransomware scene: Qilin and Lockbit.
The partnership is expected to drive more frequent and more effective ransomware attacks, as DragonForce announced on its leak site.
Ironically, LockBit infrastructure was taken down by the FBI last year after a lengthy international police operation, but as is typical of ransomware operators, it appears to have resurrected itself this past spring, with its alleged leader LockBitSupp evading personal arrest.
Qilin, meanwhile, tops the list as the most active ransomware gang in 2025 listing over 831 victims.
In a ransomware anomaly, the DragonForce cartel is also known to regularly attack its cybercriminal counterparts, luring competitors with the opportunity to join their ranks, and then, diabolically, overtaking that group’s infrastructure, according to research by Sophos.
In April, DragonForce was alleged to have carried out a “hostile takeover” of RansomHub, another prominent ransomware group and one of the most active gangs of 2024.
The conversation on this topic is live. Join in the discussion.
DragonForce has also claimed responsibility for hacks of the data-leak sites belonging to BlackLock and Mamona, two related ransomware groups.
In practice, DragonForce isn’t a cartel operation, but an offering that gives affiliates the flexibility to leverage DragonForce’s infrastructure and ransomware tools while operating under their own brands, Sophos threat intel states.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked