New Criminal Service “Leak Bazaar” Plans to Monetize Data Stolen by Ransomware Gangs

What happened

A new criminal service is advertising a way to turn data stolen in ransomware attacks into a more structured and marketable product. The service, called Leak Bazaar, is being promoted on multiple criminal forums and aims to process large stolen datasets into searchable intelligence that can be sold or used for extortion. Flare researcher Tammy Harper described it as effectively an e-discovery service for stolen data. The model is designed to make messy breach data more useful by filtering, packaging, and organizing it for follow-on abuse. Will Lyne, who previously worked on the UK National Crime Agency’s LockBit operation and now leads economic and cybercrime work at London’s Metropolitan Police Service, said the disruption of LockBit showed that groups did not delete stolen data when they claimed they did, reinforcing that they still see value in holding large volumes of stolen information. 

Who is affected

The direct exposure is potential rather than tied to one named victim. The model could affect organizations whose data was previously stolen in ransomware attacks, as well as individuals whose personal information may be buried inside those datasets and later repackaged for fraud or direct extortion. 

Why CISOs should care

The service attempts to extract additional value from data that ransomware groups already hold, even after a negotiation ends. Jamie MacColl of the Royal United Services Institute said most attackers remain more interested in corporate data they can use for extortion or access to other systems, and questioned whether deep analysis of individual datasets fits the current economics of ransomware. Even so, services like Leak Bazaar reflect ongoing experimentation in the cybercrime ecosystem and could increase the harm caused by breaches if the model proves workable. 

3 practical actions

  1. Treat stolen data as a continuing risk: Assume data taken in a ransomware incident may still be reused later, even if attackers claim it was deleted or a negotiation has ended. 
  2. Prioritize exposure reduction after exfiltration: Focus on understanding exactly what corporate and personal data was taken, since the article says criminals may try to make old stolen datasets more targeted and useful over time. 
  3. Watch for downstream fraud and extortion patterns: Expand post-breach monitoring to include the possibility of follow-on business email compromise, fraud, or direct pressure on individuals if stolen data becomes easier for criminals to process and reuse. 
