At the end of January, the Qilin cyber extortion group listed the first of four Australian victims it would claim over the coming weeks, Western Australia-based electronics retailer Esperance Communications.
The affiliate behind the alleged hack – Qilin offers its ransomware services to anyone with money to pay and takes a cut of any ransoms paid – did not share much about the hack, however.
In fact, it didn’t share anything at all, and almost a month later, the leak post remains tantalisingly bereft of detail.
On 11 February, an affiliate of the group listed the Mount Barker Co-operative, another organisation based in Western Australia. Cyber Daily covered the alleged incident earlier this month, and since then, the hackers claim to have published the 40 gigabytes apparently stolen during the attack.
The link to that data, however, is currently returning a 404, Not Found error. Does the data actually exist? At this stage, who can tell?
Qilin’s next alleged Australian target – and, again, one based in Western Australia – was Esperance Metaland, which was listed on the group’s leak site on 21 February. In this instance, the hackers claim to have gotten away with 14 gigabytes of data, more than 16,000 files, according to the leak post.
Once again, though, the hackers or affiliate, or whoever is claiming to be behind the hack, did not provide any evidence that data was successfully exfiltrated.
Qilin’s fourth victim – from Queensland, this time, breaking the Western Australia spree – was listed more recently, on 22 February. Like some of the previous victims, details of the alleged hack are scarce – the volume of data stolen is not listed, nor the file count, and no files have been published to prove the validity of the hack claims.
So what’s the deal? As none of the alleged victims responded to our requests for comment on the hackers’ claims, it’s hard to tell.
Who is Qilin?
According to a November 2025 report on the group by cyber security firm ThreatLocker, the group’s operations have surged since it first emerged in 2022. That year, it claimed 45 victims; in 2025, it boasted more than 800.
“Qilin utilises a variety of methods to establish malicious connections and persist on an unsuspecting network. Historically, their dwell time has an average of 19 days, but may be extended for further enumeration and discovery on a target,” ThreatLocker said.
“Established communication to a command and control server provides the means necessary to spread and execute their ransomware binary throughout a network.”
The rest of the ThreatLocker blog post goes on to detail how the group’s ransomware actually works, breaking down the code in quite some detail. Some observers have questioned Qilin’s ransomware chops, suggesting the group is more practised at finding open databases online and then extorting the victim, but the evidence suggests the group is the real deal, with quite an effective ransomware binary on offer.
Could the hackers still be in the networks of their victims, waiting to make a move? Are the affiliates attempting to build pressure on their victims over time? It’s almost impossible to say, but Cyber Daily will continue to monitor Qilin’s leak site to see if any stolen data eventually materialises.
David Hollingworth