On January 22, 2026, the cybercriminal group World Leaks posted Nike’s name on its dark web leak site, claiming to have stolen 1.4 terabytes of data containing 188,347 files. Within hours, the gang set a countdown timer threatening to release the stolen information publicly by January 24 unless negotiations began. Nike confirmed it is investigating the alleged breach, acknowledging in a statement that it takes “consumer privacy and data security very seriously” and is “actively assessing the situation.”
The claim marks the latest high-profile target for World Leaks, a data-focused cybercriminal operation that has fundamentally shifted the tactics of enterprise extortion. The group emerged in early 2025 as a rebrand of Hunters International, a ransomware gang that had been active since late 2023. Unlike its predecessor, which encrypted files on victim systems while simultaneously stealing data, World Leaks abandoned encryption entirely in favor of pure data theft and extortion, a strategic pivot that fundamentally changes how these attacks unfold and how targets respond.
On January 24, World Leaks followed through on its threat and published the full dataset on its leak site. Nike has not yet disclosed whether it negotiated with the attackers, paid a ransom, or contacted law enforcement before the leak. This lack of disclosure is standard, as revealing such details could compromise response efforts or set a precedent for future incidents.
World Leaks’ modus operandi follows a proven three-stage playbook. Initial access typically arrives through phishing campaigns with malicious attachments, exploitation of exposed internet-facing services, or compromised VPN credentials lacking multi-factor authentication. Once inside, attackers conduct reconnaissance using PowerShell, escalate privileges by exploiting vulnerable drivers, and move laterally across the network using stolen credentials via RDP and SMB protocols.
The group then targets high-value data repositories. Instead of encrypting systems, World Leaks prioritizes speed and stealth. Attackers compress and exfiltrate sensitive files using custom tools, uploading them to their own infrastructure before making the theft public. This method reduces detection risk and preserves extortion leverage without triggering system-wide alerts.
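Because the playbook described above skips encryption, there is no ransomware-style alert to rely on, and detection has to key on staging and egress instead. The following is an added example, not taken from the article or from Nike's investigation: it flags hosts where a large archive write is followed shortly by a large outbound transfer to a non-internal address. The log format, field names, thresholds and addresses are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the incident): normalized EDR / flow records.
SAMPLE_LOG = """\
2026-01-20T02:10:00 host=FS01 event=archive_write bytes=4200000000
2026-01-20T02:25:00 host=FS01 event=net_out dst=203.0.113.50 bytes=4100000000
2026-01-20T03:00:00 host=WS07 event=archive_write bytes=150000000
2026-01-20T03:05:00 host=WS07 event=net_out dst=10.2.3.4 bytes=150000000
2026-01-20T09:00:00 host=BK02 event=net_out dst=198.51.100.9 bytes=9000000000
2026-01-20T11:00:00 host=DEV3 event=archive_write bytes=2500000000
2026-01-20T16:30:00 host=DEV3 event=net_out dst=203.0.113.50 bytes=2400000000
"""

WINDOW = timedelta(hours=1)   # assumed max gap between staging and egress
MIN_BYTES = 1_000_000_000     # assumed 1 GB floor for both stages
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(line):
    """Turn 'timestamp key=value ...' into a dict with typed ts and bytes."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["bytes"] = int(rec["bytes"])
    return rec

def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL)

def detect_stage_then_egress(log_text):
    """Return (host, dst, bytes) for large egress that follows large staging."""
    records = [parse(l) for l in log_text.splitlines() if l.strip()]
    last_archive = {}  # host -> time of most recent large archive write
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["bytes"] < MIN_BYTES:
            continue  # small archives and transfers are ignored as noise
        if rec["event"] == "archive_write":
            last_archive[rec["host"]] = rec["ts"]
        elif rec["event"] == "net_out" and is_external(rec["dst"]):
            staged = last_archive.get(rec["host"])
            if staged is not None and rec["ts"] - staged <= WINDOW:
                alerts.append((rec["host"], rec["dst"], rec["bytes"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_stage_then_egress(SAMPLE_LOG):
        print("possible staged exfiltration:", alert)
```

In the sample, only FS01 is flagged: WS07 falls below the size floor, BK02 sends a large transfer with no preceding archive, and DEV3's transfer falls outside the correlation window.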
The transition from Hunters International to World Leaks reflects a strategic shift by Russian-linked cybercriminals in response to increased law enforcement pressure. Hunters International, which claimed over 300 victims, announced its shutdown on July 4, 2025, citing “recent developments” as a reference to heightened scrutiny. The same infrastructure, personnel, and methods soon reappeared under the World Leaks brand.
This rebrand represents a substantive change. By shifting from file encryption to data exfiltration, the group reduced its technical footprint and legal risk. Encryption is forensically detectable, triggers automated responses, and can result in additional charges. Data theft leaves fewer traces, operates faster, and remains effective for extortion.
This shift is also economically motivated. Hunters International found that encryption-based ransomware often failed as companies restored from backups and refused to pay. Data theft without encryption changes the threat from system recovery to risks of competitive exposure, regulatory action, and reputational harm.
Nike has not yet issued any official clarification beyond its initial investigation statement. The company has not disclosed the actual attack vector, the extent of the attacker’s bypass, or independent verification of the data’s authenticity and sensitivity. This silence reflects the difficult position Nike now finds itself in: detailed disclosure could harm ongoing incident response, supplier relationships, or regulatory standing.
World Leaks’ January 24 publication of Nike’s data marks the culmination of this cycle: confidential product designs, manufacturing specifications, and supplier intelligence are now in the hands of competitors, governments, and opportunistic threat actors who monitor dark web leak sites. The competitive damage from disclosed product roadmaps and sourcing strategies cannot be undone. Nike can investigate the breach, tighten security, and notify affected partners. What it cannot do is restore the secrecy of information that is now public.
This incident also reflects a broader, troubling trend. Under Armour, another major American sportswear company, recently suffered a separate breach exposing 72 million customer records, linked to the Everest ransomware gang. Two major apparel companies were breached within weeks, suggesting manufacturing firms remain vulnerable to credential-based attacks and data exfiltration tactics that often go undetected until data is published.