Qilin ransomware gang claims Tulsa airport breach, leaks files


The Qilin ransomware gang has listed Tulsa International Airport in Oklahoma as its latest victim, dumping more than a dozen documents on its leak site and marking the airline sector’s first reported cyberattack of 2026.


The Russian-speaking cybercriminal cartel posted the multi-use civilian and military airport to its dark leak site on Friday.


So far, the attackers have not disclosed how much data was allegedly stolen from the facility, which sits just outside Tulsa’s metropolitan area, home to nearly 1 million residents.

Tulsa International Airport has been added to the Qilin victim blog. Image by Cybernews.

Located in northeastern Oklahoma, roughly 90 minutes from the state capital of Oklahoma City, Tulsa International Airport handled more than 3.2 million passengers in 2024.

An average of 288 commercial, general aviation, and military flights arrive and depart from the airport each day, according to the Oklahoma Aeronautics Commission.

The airport also hosts the Oklahoma Air National Guard’s 138th Fighter Wing, supports major air cargo operations through FedEx Express and UPS, and serves as the global headquarters for all American Airlines' maintenance and engineering operations.

Ransomware gang leaks internal airport document

Qilin has posted exactly 18 samples as proof that it successfully infiltrated the airport's internal network systems.

Cybernews reviewed the documents provided, which appear to contain a range of sensitive data, dated between approximately 2022 and 2025.

Alleged samples of stolen data are added to the Tulsa International Airport entry by the Qilin ransomware group. Image by Cybernews.

Emails showing the airport’s Chief Financial Officer's personal contact information and communications between the executive and high-level banking officials outside the airport are part of the cache, as are copies of several personal IDs from purported employees, including a driver’s license and a US passport.

The Fly Tulsa website lists roughly 14,000 on-airport employees.

Other files include: annual budget and revenue spreadsheets, confidentiality and non-disclosure agreements, telehealth reports, governance meeting minutes, insurance documents, banking communications, tenant databases, vendor revenue sheets, and court case documents.

Cybernews has reached out to airport officials and is awaiting a response at the time of this report.


On February 2nd, Tulsa Airport released an official statement about the attack, according to Government Technology.

“The incident has not impacted airport operations and does not affect daily travel,” said airport spokesperson Kim Kuehler, adding that “the airport has taken steps to contain the incident and is confident the risk has been mitigated.”

Kuehler also noted that law enforcement was “immediately contacted” and that a “comprehensive investigation” is underway.

Aviation sector faces rising cyber threats


And although we do not yet know whether the alleged attack has exposed customer data, Cybernews has documented numerous attacks on the aviation sector throughout 2025, some of which have triggered major disruptions for airlines, passengers, and the airports that serve them.

One of the more notable cyberattacks from last September hit Collins Aerospace and its MUSE check-in and boarding systems.


Carried out by the Everest ransomware group, the attack disrupted flights for several days at more than half a dozen major European airports, including London’s Heathrow, Dublin, Brussels, and Berlin Brandenburg Airports.

The hacking collective Scattered Spider also targeted the North American airline industry last year, first attacking Hawaiian Airlines and then Alaska Airlines.

Other aviation victims reported in 2025 included Iberia Airlines, American Airlines, and Qantas.

Qilin kicks off 2026 with a bang

The Russian-linked Qilin group was first identified by researchers in 2022 and has aggressively outperformed its ransomware rivals over the years, easily becoming the most active gang in 2025.

According to Cybernews' in-house surveillance tool, Ransomlooker, the gang listed over 1,000 victims in 2025 and has already swung into 2026 with a bang, claiming another 50+ victims.

On January 17th, the group claimed responsibility for an attack on the high-end faucet maker Moen, and earlier this month, on the Italian dive gear manufacturer Cressi.

Cybernews Ransomlooker snapshot of the most active ransomware gangs in the past year. January 16th, 2025. Image by Cybernews.

Qilin is said to primarily target manufacturers, finance companies, retailers, healthcare providers, and government agencies, according to a Comparitech profile on the group.

Closing out December, the group targeted the controversial cult-like religion Scientology, as well as Argentina’s Club Atlético River Plate, the nation’s largest sports and football club, and home to the most successful professional football team in the nation.

Known for using a ransomware-as-a-service (RaaS) model, the cybercriminal group allows affiliates to use its malware and support infrastructure to carry out attacks – all in exchange for a cut of any ransom collected from the victims.


Recently allied with the notorious Russia-linked gang LockBit and DragonForce, Qilin counts among its other high-profile victims in 2025 the digital gaming and casino powerhouse International Game Technology (IGT), the Switzerland-based international Habib Bank AG Zurich, and Japan's largest beer producer, Asahi Holdings.

Additionally, Qilin has claimed responsibility for attacks last year on Nissan Japan's design arm, Creative Box; the US pharmaceutical research conglomerate Inotiv; Korea’s energy and manufacturing giant SK Group; and the US newspaper conglomerate Lee Enterprises.

