Pierluigi Paganini
April 04, 2026
The Qilin ransomware group claims it stole data from Die Linke, a German political party, and is threatening to release it.
Die Linke is a left-wing political party in Germany. Its name means “The Left”, and it promotes policies focused on social justice, workers’ rights, and reducing economic inequality. Founded in 2007, it emerged from a merger of earlier leftist groups, including parties with roots in former East Germany.
The party disclosed the cyber incident on March 27, one day after the attack, but did not confirm whether threat actors had stolen data.
The party discovered the cyberattack on Thursday and immediately took parts of its IT systems offline to limit damage. It informed staff, alerted authorities, and promptly filed a criminal complaint.
As of the latest official data, Die Linke has about 123,126 members (end of 2025).
“According to current information, the perpetrators aim to publish sensitive data from within the party organization, as well as personal information of employees at party headquarters. It is impossible to assess whether and to what extent this will succeed or has already occurred. However, a corresponding risk exists.” reads a press release published by the German Party. “The party’s membership database was not affected. The perpetrators did not succeed in stealing any member data.”
The party confirmed that attackers did not access its membership database or steal member data. It linked the incident to the Qilin ransomware group, a Russian-speaking cybercrime organization that may pursue financial and political goals.
The party is taking rapid action to limit damage, working with authorities and IT experts to restore systems and resume normal operations as quickly as possible.
On April 1, Qilin announced the attack on Die Linke and added the party to its Tor data leak site, but shared no samples as proof of the breach.
Qilin ransomware operation has been active since 2022, it has become one of the most active RaaS groups in 2025, claiming over 40 victims monthly and peaking at 100 in June.
The group enables affiliates to deploy customized ransomware payloads against targeted organizations. Qilin uses double-extortion tactics, encrypting data while threatening to leak it via Tor-based portals. The group has targeted multiple sectors worldwide, including healthcare, manufacturing, and finance, leveraging phishing and known vulnerabilities.
In October 2025, Resecurity’s researchers detailed how the Qilin RaaS group relies on global bulletproof hosting networks to support its extortion operations.
In early October, DragonForce, LockBit, and Qilin formed a ransomware alliance to boost attack effectiveness, marking a major shift in the cyber threat landscape. Ransomware groups DragonForce, LockBit, and Qilin formed a strategic alliance to enhance their attack capabilities, signaling an evolving cyber threat landscape. The alliance aims at sharing tools and infrastructure to enhance attack effectiveness.
At the end of March, Qilin Ransomware group allegedly breached the chemical manufacturing giant Dow Inc.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
