Draft:Hellcat Ransomware Group
Ransomware-as-a-service cybercrime group
From Wikipedia, the free encyclopedia
Hellcat (also stylized as HellCat) is a ransomware-as-a-service (RaaS) cybercrime group that emerged in the second half of 2024. Originally operating under the name ICA Group, the group rebranded and became known for attacks against multinational corporations including Schneider Electric, Telefónica, Orange Group, and Jaguar Land Rover.[1][2] Hellcat employs double extortion tactics, exfiltrating data before encrypting systems and threatening to release the stolen information if ransom demands are not met.[1]
| Hellcat | |
|---|---|
| Founded | 2024 |
| Years active | 2024–present |
| Criminal activities | Ransomware, cyber extortion, data theft |
| Allies | Scattered LAPSUS$ Hunters |
The group's primary operator, known online as "Rey", was traced by the threat intelligence firm KELA in March 2025 to an individual in Amman, Jordan, and was named by journalist Brian Krebs in November 2025 as Saif Al-Din Khader, a teenager from that city.[3][4] Hellcat attracted media attention for its use of provocative ransom demands, most notably requesting US$125,000 in "baguettes" from Schneider Electric, a reference to the company's French headquarters.[5] Hellcat's March 2025 breach of Jaguar Land Rover has been linked to a subsequent September 2025 attack on the automaker that halted production for more than three weeks, with estimated economic damage of £1.9 billion.[6]
Background
Members of the group that would become Hellcat were active as individual threat actors during the third quarter of 2024, carrying out data breaches and selling access on dark web forums such as BreachForums and XSS. The group began operating collectively in the fourth quarter of 2024 under the leadership of members using the aliases "Pryx" and "Rey".[2] Prior to the group's formation, individual members—particularly the member known as "Grep"—were attributed to separate breaches of Dell and Capgemini.[2]
Unlike most ransomware operations, which confine communications to dark web forums, Hellcat's operators participated in multiple media interviews and regularly shared updates about their activities on X and Telegram.[7] The group's attacks have predominantly involved the exploitation of stolen Atlassian Jira credentials harvested from devices infected with infostealer malware.[8]
Major attacks
Schneider Electric
In November 2024, Hellcat breached the Atlassian Jira system of Schneider Electric, a French multinational energy management company with over 100,000 employees and annual revenue of approximately US$39 billion. The group claimed to have exfiltrated over 40 gigabytes of compressed data, including project information and more than 400,000 rows of user data.[5][9] The member "Grep" claimed to have gained access using compromised credentials, obtaining approximately 75,000 unique employee names and email addresses.[10]
The group demanded US$125,000 to be paid in "baguettes", a reference to the company's French headquarters. The actual payment was sought in Monero, a privacy-focused cryptocurrency.[5] The group also offered to halve the ransom if Schneider Electric publicly acknowledged the breach.[11] Schneider Electric confirmed that the incident involved unauthorised access to an internal project execution tracking platform hosted in an isolated environment, and stated that its products and services were unaffected.[9] The incident was the company's third cyberattack in approximately 18 months, following a Cactus ransomware attack in January 2024 and exposure through the MOVEit breach in mid-2023.[9]
Telefónica
In January 2025, three Hellcat members—"Grep", "Pryx", and "Rey"—claimed responsibility for an attack on Spanish telecommunications company Telefónica.[12] According to cybersecurity firm Hudson Rock, the attackers gained initial access by using infostealer malware to compromise the credentials of more than 15 employees, then employed social engineering to target employees with administrative privileges.[13]
The compromised data reportedly included the personal information of approximately 24,000 employees, a Jira database containing 500,000 issues and summaries, 236,493 lines of customer data, 469,724 lines of internal ticketing data, and over 5,000 internal documents.[13][12] Hudson Rock reported that 531 Telefónica employee computers had been infected by infostealers during 2024.[12] Telefónica acknowledged unauthorised access to its internal ticketing system.[13]
In mid-2025, "Rey" claimed to have breached Telefónica a second time, alleging 12 hours of uninterrupted access and the exfiltration of over 106 gigabytes of additional data. When Telefónica denied the second breach, Rey published a 5-gigabyte sample containing over 20,000 documents.[14]
Orange Group
In February 2025, French telecommunications provider Orange Group confirmed a data breach affecting its Romanian operations. "Rey" claimed to have infiltrated Orange's systems by exploiting compromised credentials and vulnerabilities in the company's Jira software and internal portals, maintaining access for over a month before exfiltrating data during a three-hour window on 25 February 2025.[15][16]
The stolen data totalled approximately 6.5 gigabytes across roughly 12,000 files, including source code, invoices, contracts, partial payment card details, and approximately 380,000 unique email addresses belonging to current and former employees, partners, and contractors. Customer data from Orange's Yoxo subscription service was also exposed. Analysis of the data indicated that some email addresses belonged to individuals no longer affiliated with Orange Romania, and many of the payment card details had expired.[15] Among the extracted data were 8,601 files from Orange's Jira server and 235 JSON files detailing employee-reported issues, including items related to GDPR compliance.[17]
"Rey" stated that he had left a ransom note but Orange did not respond, leading him to leak the data on a hacker forum. He stated the breach was a standalone operation and not an official Hellcat ransomware deployment.[15] Orange confirmed the attack targeted a non-critical back-office application with no impact on customer operations. The Romanian National Cybersecurity Directorate (DNSC) issued a public advisory, and European Union regulatory bodies initiated preliminary inquiries into potential GDPR violations.[17]
Jaguar Land Rover
On 10 March 2025, "Rey" claimed responsibility for a data breach at Jaguar Land Rover (JLR), a British luxury automotive manufacturer and subsidiary of Tata Motors, posting approximately 700 internal documents on a dark web forum. The leaked material included development logs, tracking information, proprietary source code, and employee data.[18][19]
According to Hudson Rock, the breach was facilitated by stolen Jira credentials belonging to an LG Electronics employee who held third-party access to JLR's Jira server. The credentials had been harvested by infostealer malware years earlier but had never been rotated or invalidated.[20][19] Days later, a second, unrelated threat actor using the alias "APTS" exploited similar legacy credentials to independently access JLR's systems and leaked an additional approximately 350 gigabytes of data.[19]
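The following script is an added illustration of the failure mode described here and in the Background section (infostealer-harvested Jira credentials that were never rotated); it is not code from the article's subjects or sources. It assumes a stealer log in the widely used `url:username:password` line format and an internal record of each account's last password rotation; the hosts, accounts and dates it contains are constructed, and the third-party account in it is hypothetical.

```python
"""Triage an infostealer-style credential dump against an organisation's
Jira hosts, flagging accounts whose password was not rotated after the log
was captured and accounts belonging to third parties.

Added example, not code from Hellcat, KELA or Hudson Rock. Assumptions:
the dump uses the common ``url:username:password`` line format, and the
organisation records when each account last rotated its password.
"""
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

# Constructed sample log: not real hosts, accounts or passwords.
SAMPLE_LOG = """\
https://jira.example-corp.com/login.jsp:alice@example-corp.com:Winter2023!
https://mail.example-corp.com/owa/:bob@example-corp.com:pw-bob
https://jira.example-corp.com/secure/Dashboard.jspa:contractor@vendor.example:Legacy#2021
https://shop.unrelated.example/account:alice@example-corp.com:Winter2023!
not a credential line
"""

# Hosts whose credentials the organisation treats as high-value (constructed).
MONITORED_HOSTS = {"jira.example-corp.com"}

# Date on which the stealer log was captured (constructed).
LOG_CAPTURED = date(2022, 6, 1)

# Last password rotation per account (constructed); absent means never rotated.
LAST_ROTATED = {
    "alice@example-corp.com": date(2024, 1, 15),
}

# The organisation's own mail domains; any other domain is a third party.
OWN_DOMAINS = {"example-corp.com"}


@dataclass(frozen=True)
class Finding:
    host: str
    username: str
    third_party: bool
    rotated_since_capture: bool

    @property
    def severity(self) -> str:
        # A credential never rotated after capture is still usable by whoever
        # holds the log. Third-party accounts are rated higher because they
        # usually fall outside the organisation's own offboarding and
        # rotation policy, which is exactly the gap described in the article.
        if not self.rotated_since_capture:
            return "critical" if self.third_party else "high"
        return "info"


def parse_line(line: str):
    """Split ``url:user:pass``. The URL contains ':' itself, so split from
    the right at most twice; a password containing ':' is an inherent
    ambiguity of this log format and is not resolved here."""
    line = line.strip()
    if not line:
        return None
    parts = line.rsplit(":", 2)
    if len(parts) != 3 or "://" not in parts[0]:
        return None
    url, user, password = parts
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.lower(), user, password


def triage(log_text: str, monitored_hosts=MONITORED_HOSTS,
           captured=LOG_CAPTURED, rotations=LAST_ROTATED,
           own_domains=OWN_DOMAINS) -> list[Finding]:
    """Return one Finding per (host, user) pair seen for a monitored host."""
    findings = []
    seen = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, user, _password = parsed  # the password is never retained
        if host not in monitored_hosts:
            continue
        key = (host, user)
        if key in seen:
            continue
        seen.add(key)
        domain = user.rsplit("@", 1)[-1].lower() if "@" in user else ""
        rotated = rotations.get(user)
        findings.append(Finding(
            host=host,
            username=user,
            third_party=domain not in own_domains,
            rotated_since_capture=rotated is not None and rotated > captured,
        ))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:8} {f.host} {f.username} "
              f"third_party={f.third_party} rotated={f.rotated_since_capture}")
```

Run against the constructed log, the script reports the internal account as informational (rotated after the capture date) and the third-party Jira account as critical (never rotated), which is the pattern the Hudson Rock analysis attributes to the JLR breach.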
In September 2025, JLR suffered a further cyberattack that forced the company to halt vehicle production at its three United Kingdom plants, which normally produce approximately 1,000 vehicles per day, for more than three weeks. A group calling itself "Scattered LAPSUS$ Hunters", in which "Rey" held a leadership role, claimed responsibility.[6] The estimated total economic damage was £1.9 billion, and the attack was described in media reports as potentially the most damaging cyberattack in British history. Member of Parliament Liam Byrne described the attack as a "digital siege".[6] Security researchers at the Forum of Incident Response and Security Teams (FIRST) suggested that the attackers had likely retained access from the March Hellcat breach, which allowed them to study JLR's internal network before launching the September attack.[6]
Other reported attacks
In March 2025, Hellcat also claimed an attack on Swiss telecommunications provider Ascom, which confirmed that its technical ticketing system had been compromised but said no other systems or customer data were affected.[20] In April 2025, the group claimed to have breached HighWire Press, Asseco Poland, Racami, and LeoVegas Group, all through stolen Jira credentials.[8]
Members
Rey
The principal operator behind many of Hellcat's major attacks used the alias "Rey", having previously been active under the name "Hikki-Chan" on BreachForums from early 2024, where he quickly attracted attention with data leaks and claims of high-profile breaches. He rebranded as "Rey" in late 2024, became the administrator of Hellcat's data leak site, and was personally attributed to the Telefónica, Orange Romania, and Jaguar Land Rover breaches.[4][3]
In March 2025, KELA published research identifying Rey, tracing earlier aliases ("ggyaf" and "o5tdev") used on RaidForums and other cybercrime communities back to an individual in Amman, Jordan.[4][21] KELA shared its findings with law enforcement agencies in the United States, Europe, and the Asia-Pacific region.[4][22]
In November 2025, Brian Krebs identified "Rey" as Saif Al-Din Khader, a Jordanian teenager whose father worked as a pilot for Royal Jordanian.[3][21] In the same report, Khader told Krebs that he had been cooperating with European law enforcement since June 2025 and had contacted Operation Endgame, an international initiative targeting cybercrime infrastructure.[3] Scattered LAPSUS$ Hunters disputed the reporting.[23]
By late 2025, "Rey" had transitioned from Hellcat into a leadership role within "Scattered LAPSUS$ Hunters" (SLSH), a cybercrime collective associated with elements of Scattered Spider, Lapsus$, and ShinyHunters. He served as one of three administrators of the SLSH Telegram channel and had also taken over as administrator of the latest incarnation of BreachForums.[3][21] Khader told Krebs that he had distributed the Hellcat ransomware source code to SLSH, which used it as the basis for a new ransomware-as-a-service offering called "ShinySp1d3r".[3]
Pryx
The co-founder and administrator of Hellcat used the alias "Pryx" (also "HolyPryx"). Active on cybercrime forums including XSS, BreachForums, Dread, Telegram, and X since approximately June 2024, "Pryx" initially targeted educational institutions before escalating to government systems in the United Arab Emirates, Saudi Arabia, and Barbados. In a December 2024 interview with the independent research group osint10x.com, "Pryx" claimed to be 17 years old.[4][24]
KELA identified "Pryx" as an Arabic-speaking individual named Adem, believed to reside in the UAE but originating from another Arab country.[4][22] "Pryx" was also associated with the now-defunct DangerZone cybercrime forum.[4]
See also
- Ransomware as a service
- Double extortion
- Jaguar Land Rover cyberattack
- BreachForums
- Scattered Spider
