
Babuk 2 ransomware is making waves, claiming dozens of high-profile cyberattacks in a short time. Yet, other threat actors are accusing Babuk 2 of stealing their work, calling it a fraud. Evidence supports their claims and some security researchers seem to agree.
Babuk 2 ransomware might be bypassing the breaches part, instead going straight to extortion with recycled leaks and without real leverage. This has frustrated competing ransomware gangs who are calling Babuk 2 a fraud. Even the original Babuk version 1 denies any connection to this new operation.
Babuk 2 only recently announced its comeback. In two days, in January 2025, it quickly listed 64 victims on its alleged leak site on the dark web, which is almost identical to the previous leak site operated by the threat actor Babuk, one of the most notorious ransomware-as-a-service gangs.
Turns out, at least 90% of the listed 64 victims were found to have been claimed by other ransomware groups in the past, GuidePoint’s Research and Intelligence Team (GRIT) reported.
Fifty-five of the claimed breaches were attributed to three other ransomware gangs: Ransomhub, Funksec, and Lockbit3, according to ransomware.live data.
“The operator behind Babuk 2 is almost certainly attempting to attract attention and credibility by assuming the Babuk name and fabricating or exaggerating their attack history,” the GRIT researchers said earlier.
Babuk 2 was notably silent throughout February, but March saw a dramatic resurgence. They boasted of hacking major retailers, telecoms, and government organizations in a single day, and have since claimed 53 additional victims this month.
Again, the “phoenix” gang doesn’t have much to back their achievements. Conveniently, they claim to sell most of the stolen data – no need to leak anything.

However, other ransomware gangs are now getting a taste of their own medicine – their work being stolen.
When Babuk 2 claimed a breach at Orange, a major French telecommunications company, Cybernews received a letter from someone claiming to be Funksec, a threat actor responsible for some of the actual breaches claimed by Babuk 2.
“Hey, just wanna inform you that so-called Babuk isn't back yet,” the email reads.
In broken English, Funksec explains that all Babuk 2 claims are fake and that the data is recycled.
“Orange you mention was from HellCat and most from us. the thing were this guy was broke and asked us for some money I ain't gave him any and he is scamming world just infrom u before they exit-scam,” an unedited email reads.
Other threat actors post similar claims online. One of them is Rey, known as Hikki-Chan, a notorious leaker on the illicit marketplace BreachForums. He claims to be one of the admins of the Hellcat ransomware group and seems to like impersonating journalists on Medium to self-publish interviews.
“Babuk Locker 2.0, also known as Bjorka or SkyWave, after failing to make any profit from selling public databases on forums, decided to impersonate Babuk Ransomware group. He then launched a blog where he claimed multiple public breaches from BreachForums as ransomware attacks,” Rey posted on X.
Rey also complained: “Some of the blog posts were actually mine.”

Threat intelligence and security research channel club1337 reports on X that the real Babuk version 1 denied connections with Babuk 2. They previously had contacts with former Babuk 1 members. Some Telegram channels report the same.
The original Babuk Locker of the first version denies any connection with #Babuk #Locker 2.0.
skynet (@sky31337), March 18, 2025
Additionally, some #Telegram channels report that this is a #scam. https://t.co/jZNaxbOXNO
Cybercrime researchers at Analyst1 believe that the threat actors behind Babuk 2 ransomware are likely impersonating the brand to carry out re‑extortion schemes. Many red flags indicate that they repurpose previously stolen data to support their scams.
“Babuk2 exhibits chaotic behavior, unlike sophisticated ransomware operators, frequently making contradictory statements, deleting posts, and engaging in erratic actions,” the report reads. “Babuk2 actors do not appear to be engaged in actual ransomware operations and likely lack the capabilities to carry out breaches themselves.”
Another account on X, posting ransomware-related news, warns that scammers are impersonating not only Babuk 2, but also Cl0p, LockBit, and potentially other ransomware gangs, claiming their breaches and even looking for affiliates who will pay $10,000 to join their “affiliate program.”
Looks like scammers are attempting to impersonate multiple ransomware brands - Babuk 2.0, Cl0p and LockBit 4.0. A new account on X claiming to be related to LockBit 4.0 is asking for $10,000 to join their “affiliate program” https://t.co/dYYDf9T3qG
Rans0mbytes (@rans0mbytes), March 19, 2025
Many link Babuk 2’s owner to an @Bjorka account on the illicit forum DarkForum.
Some of the companies that previously responded to Cybernews’s inquiries about the alleged breaches also denied the claims. Pinduoduo called the breach claims “entirely false.”
“Not a single piece of this fabricated data matches our transaction records,” the company’s spokesperson told Cybernews.
And Taobao didn’t find the alleged leak in their platforms.
It’s unclear how the cybercrime situation will develop, and the jury is still out on whether Babuk 2 will establish itself as a successful ransomware or a scam operation. However, security defenders should be aware of potential unsubstantiated claims, a practice that established ransomware gangs typically avoid.
The first version of Babuk hasn’t been active since July 27th, 2021, when they posted the last victim on the leak site.
At the end of November 2024, authorities arrested the notorious hacker Mikhail Pavlovich Matveev, better known by his alias, Wazawaka. He is charged in the US with using three ransomware variants – LockBit, Babuk, and Hive – to attack thousands of victims in the US and around the world.