Rey and Grep Allegedly Leak CrowdStrike Employee Data

In a developing cybersecurity incident, hacktivist entities Rey and grep—core operators of the HellCat ransomware group—have purportedly leaked sensitive employee data from CrowdStrike, according to a post by DarkWebInformer.

While CrowdStrike has not confirmed unauthorized access to employee records, the claim follows a confirmed July 2024 breach where threat actor USDoD leaked CrowdStrike’s internal threat actor intelligence.

This incident underscores the evolving tactics of ransomware affiliates to exploit high-profile targets for reputational and financial gain.

CrowdStrike’s Threat Actor List Exposure

On July 24, 2024, USDoD, a hacktivist entity active on BreachForums, leaked a CSV file containing CrowdStrike’s classified threat actor intelligence.

The dataset included adversary aliases, operational regions, target industries, and last-active timestamps up to June 2024.

CrowdStrike clarified that the exposed data was “already available to tens of thousands of customers, partners, and prospects,” minimizing its operational impact.

However, USDoD’s post ambiguously referenced additional leaks from an oil company and pharmaceutical firm, though no direct correlation to CrowdStrike was established.

Notably, USDoD has a history of exaggerated claims, including a debunked 2023 hack of a professional networking platform.

CrowdStrike’s Falcon platform, which recently achieved 100% detection and protection rates in SE Labs’ 2024 ransomware tests, remains a frequent target for adversaries seeking to undermine its market credibility.

HellCat’s Expanding Cybercrime Portfolio

Rey and Grep, identified as HellCat affiliates, have escalated their activities in 2024–2025. The group gained notoriety for breaching Telefónica’s Jira ticketing system in January 2025, exfiltrating 2.3 GB of internal documents and customer-related tickets using stolen employee credentials.

Concurrently, grep claimed responsibility for an October 2024 attack on Dell, leaking 10,863 employee records containing names, department IDs, and internal email addresses.

These breaches align with HellCat’s strategy to target “big game” entities, as described in SentinelOne’s analysis of their payloads.

HellCat’s operational model mirrors that of the Morpheus ransomware group, with both deploying near-identical codebases for payload deployment.

This code homogeneity suggests shared infrastructure or collaborative development among ransomware-as-a-service (RaaS) operations.

CrowdStrike’s Incident Response and Industry Implications

While CrowdStrike has not verified the alleged employee data leak, the company emphasized its commitment to transparency, stating, “Adversaries exploit current events for attention and gain”.

“The information posted was scraped from publicly accessible sources, the accuracy of the data indicates it is not current and there is no indication of a CrowdStrike breach,” CrowdStrike said in a statement shared with Cyber Press.

The incident highlights systemic risks in centralized cybersecurity architectures, exacerbated by CrowdStrike’s July 2024 global outage caused by a faulty kernel update.

Experts like Ciaran Martin and Gregory Falco have criticized such monocultures, advocating for decentralized systems to mitigate single points of failure.

Rey and Grep’s alleged involvement in the CrowdStrike incident, if substantiated, would mark a strategic pivot toward confrontations with cybersecurity firms.

However, current evidence ties them more closely to third-party breaches (e.g., Telefónica, Dell) than to CrowdStrike’s internal systems.

The intertwining of hacktivist claims and ransomware campaigns underscores the blurred lines between data leakage for clout and financially motivated cybercrime.

Organizations must adopt zero-trust frameworks, multi-factor authentication, and real-time threat detection to counter credential-stuffing attacks and insider threats.

CrowdStrike’s unified Falcon platform, despite its recent challenges, remains a benchmark for AI-driven threat prevention.

As HellCat and similar groups proliferate, cross-industry collaboration and regulatory oversight will be critical to dismantling the cybercrime economy.
