A year after it crippled British high-street icons Marks & Spencer, Co-op, and Harrods, DragonForce is still posting victims at a steady clip — and the latest batch shows a group whose reach extends far beyond the UK retail attacks that made its name. In mid-June 2026, DragonForce’s leak site added a fresh cluster of international targets spanning three continents.
The June victim run
According to the leak-site tracker ransomware.live, DragonForce posted the following victims on June 11–12, 2026:
- Areco — a steel manufacturer in Sweden (manufacturing)
- Hong Kong Parkview — a 200-plus-unit luxury serviced-apartment complex in Hong Kong (hospitality)
- Cheoy Lee Shipyards — a vessel manufacturer in Hong Kong (shipbuilding)
- Al Ishrak Contracting — a construction firm in the UAE
- Corniche Hotel Abu Dhabi — hospitality, UAE
Areco and Hong Kong Parkview are the firmest of the set, corroborated across ransomware.live and mirror trackers; for Parkview, the group posted a data screenshot, and HudsonRock flagged exposed third-party employee credentials from infostealer logs. As is typical for DragonForce postings, none of the listings disclose whether data was encrypted or merely stolen, and no ransom figures are attached — so treat the “attack dates” (auto-generated from posting time) and any single-campaign attribution for the Hong Kong/UAE cluster as inference, not established fact.
The geographic tilt is the story. A Swedish steelmaker, two Hong Kong firms, and two UAE businesses in a single 48-hour window is a long way from M&S and Co-op — a reminder that DragonForce’s affiliate base operates globally and opportunistically.
The “cartel” model behind the postings
What makes DragonForce more than another leak site is its business structure. The group rebranded itself a “ransomware cartel” in early 2025, offering affiliates a full white-label package: admin panels, leak-site hosting, encryptor tooling, and negotiation support, all of which let affiliates run their own brands under the DragonForce umbrella. Its encryptor lineage runs from the leaked LockBit 3.0 builder to a customized Conti v3 codebase.
In September 2025, DragonForce went further, publicly announcing a partnership with Qilin and LockBit to “coordinate attacks, share resources, eliminate conflicts, and dictate market conditions” — an attempt at cartel-style consolidation amid sustained law-enforcement pressure on the RaaS ecosystem. The same period saw DragonForce reportedly attempt a hostile takeover of RansomHub’s infrastructure (a detail sourced to vendor reporting rather than confirmed by the parties), accelerating RansomHub’s disappearance and pushing its affiliates toward Qilin and DragonForce.
The group is also the ransomware payload of choice for Scattered Spider, the English-speaking initial-access crew whose help-desk social engineering opened the door at M&S and others. Scattered Spider now sits inside the broader “Scattered Lapsus$ Hunters” collective alongside ShinyHunters and Lapsus$ — the same loose milieu driving much of 2026’s enterprise-extortion wave.
Where DragonForce stands in 2026
By ransomware.live’s count, DragonForce has claimed roughly 578 victims since December 2023, concentrated in business services, manufacturing, construction, and technology, and weighted heavily toward the United States (around 281 victims), followed by the UK, Germany, and Canada. Other trackers report different totals depending on methodology, so the precise figure depends on the source.
Interestingly, the same data shows DragonForce’s posting volume declining sharply month-over-month — by roughly 74% in the most recent period — even as the group maintains a steady international tempo. Whether that reflects a genuine slowdown, a shift toward quieter negotiated payouts, or simply lag between attack and listing (the tracker notes an average ~22-day gap) is hard to say from leak-site data alone.
The takeaway for defenders isn’t any single one of these June victims — it’s the model behind them. A white-label cartel with a low barrier to entry, a marquee initial-access partner in Scattered Spider, and a willingness to hit a steelmaker in Stockholm and a hotel in Abu Dhabi in the same week is a group built for breadth. The UK retail attacks were never the ceiling. They were the advertisement.
