DAN0Ndan0n

dAn0n is a data-extortion actor that first appeared in April 2024. Operating primarily in a leak-focused extortion model, they publish stolen data on a Tor-hosted site rather than encrypting files. Their victims include organizations across sectors like business services, technology, healthcare, transportation, and legal—all largely based in the United States, with a few in Ireland and South Korea. Activity surged in May 2024, landing them in the top 10 most active ransomware actors that month. Despite limited branding efforts, their smaller operational footprint has allowed for swift, targeted breaches that prioritize rapid data exposure over elaborate cryptographic tactics.