The Qilin ransomware group has claimed responsibility for an attack against Die Linke, a German political party, alleging that it exfiltrated internal data and is threatening to release it. While the party has acknowledged the cyber incident, it has not confirmed that any data was stolen.
Die Linke translated as “The Left” is a left‑wing political party in Germany that advocates for social justice, workers’ rights, and reduced economic inequality. Established in 2007, the party emerged from a merger of earlier leftist movements, including organizations with roots in former East Germany.
The party publicly disclosed the cyber incident on March 27, one day after it was detected, but stopped short of confirming whether threat actors successfully accessed or removed sensitive data.
According to the disclosure, Die Linke identified the breach on Thursday and immediately implemented containment measures, including taking portions of its IT infrastructure offline. Party officials notified staff, alerted relevant authorities, and filed a formal criminal complaint shortly after discovering the attack.
As of the end of 2025, Die Linke reported approximately 123,126 registered members nationwide.
In an official statement, the party warned that attackers appeared intent on publishing sensitive internal documents as well as personal information belonging to employees at party headquarters.
“Based on current knowledge, the perpetrators intend to publish sensitive data from within the party organization, as well as personal information of employees at party headquarters,” the statement said. “It cannot be determined whether or to what extent this has already occurred or will succeed, but a corresponding risk exists.”
The party emphasized that its membership database was not affected, adding that attackers were unable to access or steal member data.
Die Linke linked the incident to the Qilin ransomware group, a Russian‑speaking cybercrime operation believed to pursue both financial and political objectives. Party officials said they are working closely with law enforcement and IT security specialists to mitigate the impact, restore systems, and resume normal operations.
On April 1, Qilin publicly claimed the attack and added Die Linke to its Tor‑based data‑leak site. However, the group has not released sample data to substantiate its claims.
Active since 2022, Qilin has grown into one of the most prolific Ransomware‑as‑a‑Service (RaaS) operations, particularly throughout 2025, when it reportedly averaged more than 40 victims per month and peaked at roughly 100 victims in June.
The group operates by providing affiliates with customizable ransomware payloads and employs double‑extortion tactics, encrypting systems while threatening to publicly release stolen data through Tor‑based leak portals. Qilin’s campaigns have impacted organizations across multiple sectors, including healthcare, manufacturing, and finance, often leveraging phishing techniques and exploitation of known vulnerabilities.
In October 2025, researchers at Resecurity detailed how Qilin relies on a globally distributed bulletproof hosting infrastructure to support its extortion operations and evade law enforcement takedowns.
That same month, Qilin reportedly joined forces with DragonForce and LockBit, forming a ransomware alliance aimed at pooling tools, expertise, and infrastructure to amplify attack capabilities—a development widely viewed as a significant escalation within the ransomware ecosystem.
Most recently, at the end of March, Qilin was also linked to an alleged breach of Dow Inc., a major chemical manufacturing company.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
