[KILLSEC] – Ransomware Victim: XChief / ForexChief
Ransomware Group: KILLSEC
VICTIM NAME: XChief / ForexChief
NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the KILLSEC Onion Dark Web Tor Blog page.
AI Generated Summary of the Ransomware Leak Page
The leak page identifies XChief / ForexChief, a financial services firm described as a regulated online brokerage offering CFD trading on platforms such as MT4 and MT5, as the victim of a ransomware intrusion. The post, attributed to the threat actor group Killsec, frames the incident as a data-leak event rather than solely encryption, and it claims that sensitive data has been exfiltrated and could be released publicly if ransom negotiations fail. The page is dated September 28, 2025, which serves as the post date since no explicit compromise date is provided. A ransom negotiation mechanism is evident: the page notes a claim URL and directs that payment should be made by the company (not individuals), with authorized representatives able to negotiate via a session messenger or a negotiation portal using a provided code. The narrative on the page also highlights XChief’s business profile, noting engagement with more than a million traders and offering CFD trading across a broad asset set, PAMM accounts, bonuses, an affiliate program, and educational resources, while emphasizing a focus on safety and customer support.
The leak page contains a substantial media footprint: 65 image attachments are listed in the post’s metadata, described as images that appear to be internal documents or related visuals. These images are referenced via an onion-hosted domain, but the actual URLs are not included in this summary. The presence of this large set of images aligns with ransomware double-extortion patterns, where attackers accompany claims with visual materials to substantiate the data they claim to possess and threaten to publish. The post does not provide a specific ransom amount in the visible excerpt; instead, it indicates that a payment is required and points to negotiation channels for authorized representatives to pursue a monetary settlement. PII redaction is applied in the published text, and there are no externally linked data downloads mentioned within the available excerpt.
From a sectoral risk perspective, the page underscores the ongoing threat ransomware poses to financial services entities, particularly online brokerages involved in CFD trading. The content presents XChief / ForexChief as a regulated brand with a large trader base, while the attackers’ narrative and the presence of a ransom-claim pathway suggest a data-leak scenario designed to pressure the organization into remediation payments. The absence of a disclosed compromise date beyond the post date means this summary treats 2025-09-28 as the most concrete timestamp available in the leak post. This event highlights the importance of rigorous access controls, data exfiltration detection, and incident-response preparedness for entities operating in high-sensitivity financial sectors.