
Update – February 27, 2026: Qilin’s leak site now shows 700,277 published files – totaling 551 GB – tied to TWU Local 100 systems.
The Qilin ransomware gang has leaked a trove of more than 700,000 files – 551 GB of data – that it claims are from TWU Local 100, putting more than 67,000 New York City transit workers and retirees at heightened risk of fraud and identity theft.
- More than 67,000 active and retired NYC transit workers could now face identity theft after Qilin adds their union to its dark web victim blog.
- Union records often contain pensions, salaries, benefits, and disciplinary files – a goldmine for fraudsters.
- Qilin, clocked as the most active ransomware gang of 2025, is already ramping up attacks in 2026.
The most active ransomware group of 2025 added the Local 100 chapter of the Transport Workers Union of America to its dark leak site Monday, claiming to have already “publicated” data it purportedly siphoned from the organization’s network servers.
Qilin has since updated its leak site to show more than 700,000 published files – totaling 551 GB – but still does not specify what the files contain.
Listed as the world’s largest transportation union, TWU Local 100 represents approximately 41,000 workers tasked with maintaining New York City’s subway and bus systems across the five boroughs and the surrounding tri-state area, as well as 26,000 retirees.
This includes operating trains, maintaining trains and tracks, staffing token booths, cleaning platforms and subway cars, and servicing and repairing mechanical equipment such as elevators and escalators.
Transit workers for the New York Waterway's ferry service, paratransit, and several school bus companies are also represented by the Local 100.
Working directly with the Metropolitan Transportation Authority (MTA), the union happens to be currently engaged in contentious contract negotiations with the publicly funded, state-governed agency.
What’s more, the claim comes the same day the city battles its second major blizzard of 2026, as another foot or more of snow is dumped on its more than eight million winter-weary residents.
What sensitive data does TWU Local 100 retain?
Unions are often high-value targets for ransomware operators because of the large amounts of sensitive data they hold on their workers.
According to the TWU Local 100 website, the personally identifiable information (PII) collected and retained in its systems ranges from basic contact, job title, and salary information to medical and insurance benefits and retirement and pension planning, and extends to services such as housing assistance, safety and health, grievances and disciplinary actions, union scholarship programs, as well as childcare, widows, and orphan funding.
In the wrong hands, this data can expose workers to a variety of cybersecurity risks, including identity theft, tax refund fraud, benefit diversion schemes, and pension withdrawal scams.
Furthermore, highly targeted social engineering campaigns could impersonate union leadership, possibly exploiting active contract negotiations.
Coveted union leadership positions and those involved in the election processes could also be at risk of blackmail, particularly if attackers gain unauthorized access to internal emails, disciplinary files, or financial records that could easily be used to pressure candidates or sway internal elections.
Cybernews has reached out to TWU Local 100 for clarification but has not received a response.
Qilin’s victim count continues to climb
First identified by researchers in 2022, the Russian-linked Qilin group has rapidly eclipsed many of its ransomware rivals, emerging as the most active gang in 2025.
Known for operating a ransomware-as-a-service (RaaS) model, the cybercriminal group enables affiliates to deploy its malware and leverage its support infrastructure to carry out attacks – all in exchange for a cut of any ransom collected from victims.
According to the Cybernews in-house surveillance tool, Ransomlooker, the gang listed over 1,000 victims in 2025 and has extended its surge into 2026, claiming another 200 victims as of February 23rd.
Last month, the group claimed responsibility for attacks on Oklahoma's Tulsa International Airport, high-end faucet maker Moen, and Italian dive-gear manufacturer Cressi.
Qilin primarily targets manufacturers, finance companies, retailers, healthcare providers, and government agencies, according to a Comparitech profile on the group.
In late December, the group targeted the controversial cult-like religion Scientology, as well as Argentina’s Club Atlético River Plate, the nation’s largest sports and football club.
Qilin is said to be allied with the notorious Russia-linked LockBit and DragonForce gangs. Other high-profile victims in 2025 include the digital gaming and casino powerhouse International Game Technology (IGT), the Switzerland-based international Habib Bank AG Zurich, and Japan's largest beer producer, Asahi Holdings.
Additionally, in 2025, Qilin claimed attacks on Nissan Japan's design arm, Creative Box; the US pharmaceutical research conglomerate Inotiv; Korea’s energy and manufacturing giant SK Group; and the US newspaper conglomerate Lee Enterprises.