Key Findings

• Qilin ransomware group claims to have breached Die Linke, Germany's left-wing political party, and posted the claim on its Tor data leak site on April 1, 2026

• Die Linke discovered the attack on March 27 and confirmed the incident but has not verified whether data was actually stolen

• The party's membership database was not compromised and no member data was accessed

• Qilin has provided no proof of the breach despite making the claim

• Qilin is one of the most prolific ransomware-as-a-service operations, claiming over 40 victims monthly and peaking at 100 in June 2025

• The group recently formed a strategic alliance with LockBit and DragonForce to enhance attack capabilities

Background

Die Linke, meaning "The Left," is a left-wing German political party founded in 2007 from a merger of earlier leftist groups with roots in former East Germany. The party focuses on social justice, workers' rights, and reducing economic inequality. As of the end of 2025, Die Linke had approximately 123,126 members.

Qilin emerged as a ransomware-as-a-service operation in 2022 and has grown into one of the most active cybercriminal groups. The Russian-speaking organization enables affiliates to deploy customized ransomware payloads and employs double-extortion tactics, encrypting data while simultaneously threatening to leak it through Tor-based portals.

The Attack and Response

Die Linke's IT team discovered the cyberattack on Thursday, March 27, and immediately took parts of its systems offline to contain the damage. Party leadership informed staff, alerted authorities, and filed a criminal complaint the same day. The party stated that attackers aimed to publish sensitive organizational data and personal information of employees at party headquarters, though it remained unclear whether they succeeded.

The party has been working rapidly with authorities and IT experts to restore systems and resume normal operations. Officials emphasized that while a risk exists regarding the publication of sensitive data, the most critical asset—the membership database containing member information—remained secure.

Qilin's Operations and Recent Activity

Qilin operates one of the largest ransomware-as-a-service platforms, allowing criminal affiliates to conduct attacks using customized tools. The group targets multiple sectors worldwide including healthcare, manufacturing, and finance, typically gaining initial access through phishing campaigns and exploitation of known vulnerabilities.

In October 2025, researchers revealed that Qilin relies on global bulletproof hosting networks to support its extortion operations. That same month, the group formed a significant alliance with ransomware operations LockBit and DragonForce, pledging to share tools and infrastructure to enhance collective attack effectiveness. This partnership marked a notable shift in the ransomware threat landscape.

Claim Lacks Evidence

On April 1, Qilin announced the Die Linke breach on its Tor data leak site and added the party to its list of victims. However, the group provided no samples or technical proof to substantiate its claims, a common tactic used by ransomware groups to apply pressure while maintaining operational secrecy. Die Linke has not confirmed whether sensitive data was actually exfiltrated or whether Qilin's claims hold merit.

Sources

• https://securityaffairs.com/190348/cyber-crime/qilin-ransomware-group-claims-the-hack-of-german-political-party-die-linke.html

• https://www.linkedin.com/posts/cybercureme_qilin-ransomware-group-claims-the-hack-of-activity-7446253306802282496-3hTJ

• https://x.com/shah_sheikh/status/2040487616756490649

• https://x.com/securityaffairs/status/2040484256942567711

• https://www.linkedin.com/posts/pierluigipaganini_qilin-ransomware-group-claims-the-hack-of-activity-7446249965972144128-5k4t