Hilton pulled into Cl0p’s dark‑web hit list: hotel giant denies

A notorious ransomware gang has claimed it has a new trophy. This time, it’s Hilton.
Cl0p has allegedly struck Hilton, one of the world’s biggest hotel brands. At least that's what it’s claiming on its website on the dark web. The notice came up on January 25th, listing hilton.com as the gang’s newest victim.
So far, Cl0p hasn’t backed up the claim with evidence such as data samples. It’s also staying silent about what kind of Hilton data may have been taken.
“The company doesn't care about its customers, it ignored their security!!!” wrote the gang on the company’s entry. Ransomware gangs use such tactics to scare their victims and pressure them into paying the ransom. Public attention raises the stakes for the victim.
Often, when the pressure builds up, gangs release data samples as a second step to pressure victims even more. If negotiations collapse, stolen data can be dumped online or sold in the underground market, exposing the victims to reputational risk.
Hilton operates more than 600 properties across 94 countries and territories, spanning 26 hotel brands. Its loyalty program alone counts around 195 million members. That’s a substantial user base that could be packed with personal data.
Hilton denies ransomware claims
Without data samples, there’s no independent way to verify what kind of data attackers allegedly stole from Hilton’s systems. A Hilton spokesperson told Cybernews that the company is “aware of this claim” but denies the breach.
“We have no evidence that either Hilton data or Hilton systems have been compromised,” said the spokesperson in the official statement.
More hotels allegedly hit by ransomware
Last year, Hilton reported $11.7 billion in revenue. That scale is exactly what makes hospitality such an attractive target. According to Palo Alto Networks' research, the initial ransom demand falls between 0.05% and 5% of the victim’s perceived annual revenue.
Hilton is not the only hotel giant to have been hit by a ransomware attack. Just last week, another US-based hotel chain, Hyatt, was allegedly compromised by the NightSpire ransomware gang.
The attackers claimed to have exfiltrated 48.5GB of documents originating from the Hyatt Place Chelsea New York hotel. The gang dropped a note that all the data is accessible to anyone to download.
Cl0p hacked file transfer platforms affecting thousands
Cl0p, a cyber gang linked to Russia, has been known for many high-profile attacks. Two of its most devastating attacks, which rippled across the world and affected thousands of companies, targeted the file transfer providers MOVEit, Fortra GoAnywhere, and Cleo.
Among its latest victims, at the end of 2025, Barts Health NHS Trust confirmed that the Cl0p ransomware gang had stolen files from a database containing invoice data, affecting patients, staff, and suppliers.
In November 2025, Cl0p claimed it had the data of Mazda, Mazda USA, and Canon. Despite a 2021 law enforcement crackdown on its operations, the gang has been actively recovering since.
Cl0p is known for its unique communication style. Instead of contacting affected companies, Cl0p often posts a message on its dark web blog, urging the victims to make the first move. One reason the gang chose this unusual manner of communicating could be that it’s overwhelmed by the sheer number of victims it has claimed.
Like many other established players, Cl0p operates in ransomware-as-a-service (RaaS) mode, meaning it rents the software to affiliates for a pre-agreed cut of ransom payments.
It also uses double extortion: the gang steals and encrypts the victim's data, refusing to restore access and publishing the exfiltrated data on its data leak site if the ransom is not paid.
Updated on January 26th [10:30 a.m. GMT] with a statement from Hilton.