1.6M+ Salvation Army transactions exposed, hackers claim


Attackers have shared information on millions of donations to the Salvation Army, an international charitable organization run by Protestant Christians. Cybernews researchers believe that attackers could exploit the data for financial crimes.

The organization was posted on the Interlock ransomware gang’s dark web blog, which the cybercrooks use to showcase their latest victims. The attackers claim that they’ve obtained 93GB of information from the Salvation Army.

We have reached out to the organization and will update the article once we receive a reply.

Meanwhile, the Cybernews research team investigated the attackers’ claims of a major data breach. According to the team, Interlock shared several screenshots of the supposedly stolen details that reveal personally identifiable information (PII).

Attackers' post on the dark web. Image by Cybernews.

What Salvation Army data was exposed?

According to the team, the data leak appears to be made up of Microsoft SQL Server database backups. The names of the backups indicate that the attackers may have accessed at least some financial data belonging to the Salvation Army.

At least one backup contained 1.6 million donation transactions that add up to tens of millions of dollars. The exposed details include:

  • Full names
  • Phone numbers
  • Home addresses
  • Donation amounts

The way the data is structured points to attackers getting their hands on an extensive list of individuals who donated to the Salvation Army. While the charitable organization operates globally, state names and individual names point to exposed individuals being US residents.

Attackers can find numerous uses for large collections of structured data. The most obvious one is identity theft, where attackers use real credentials to set up fraudulent accounts or file fraudulent tax returns. However, in this instance, attackers are more likely to utilize leaked details for scams.

Sample of the leaked data. Image by Cybernews.

“The data leak is dangerous as it could be used for financial profiling by cybercriminals, as well as scams that impersonate the Salvation Army, attempting to lure money out of individuals,” our team explained.

These types of attacks are particularly vicious, as cybercrooks target individuals who are likely to donate money and exploit their generosity. Attackers may opt to impersonate other charitable organizations, as multiple studies indicate that individuals who donate to one charity are more likely to donate to other charitable causes.

The Salvation Army is one of the world’s biggest charity organizations. Founded in 1865, the Christian nonprofit reported revenue approaching $5 billion in 2024, making it the sixth-largest charity in the US.

With operations in 134 countries, the Salvation Army delivers aid to the elderly, homeless, disabled, and disaster-stricken while also running rehab programs. It is also affiliated with the United Nations (UN).

Who’s behind the Salvation Army data breach?

The alleged attack marks the second time this year that ransomware has targeted the Salvation Army. In late May, the Chaos ransomware cartel posted the organization on its dark web leak site, announcing a supposed data breach.

Meanwhile, Interlock, the group claiming to be behind the recent attack, has gained some traction in 2025. First spotted in late 2024, the gang is somewhat of an unusual player in the ransomware market.

According to researchers from the cybersecurity firm Arctic Wolf, the gang operates independently of traditional affiliates and focuses on opportunistic double extortion campaigns. The group often gains an initial foothold via compromised websites or by using social engineering techniques.

Cybernews’s dark web monitoring tool, Ransomlooker, shows that the gang victimized at least 66 organizations over the past 12 months, with June and August being the most active periods.

For example, earlier this year, the gang claimed to have siphoned 43GB of data from the Minnesota city of St. Paul. Before that, an Interlock attack on the Kettering Health network in Ohio forced over 120 medical facilities, including nine major hospitals, to cancel thousands of patient procedures.

