Ransomware Group: PLAY

VICTIM NAME: NextLabs

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the PLAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

On August 18, 2025, a ransomware leak page attributed to the group “play” surfaced, identifying NextLabs as the victim—a US-based technology company. The post frames the incident as a data leak rather than a pure encryption event and claims that private and personal confidential data, client documents, budgets, payroll, IDs, taxes, finance information, and related records were exfiltrated. The page states that part of the data has already been published and warns that a full dump will be uploaded if there is no reaction. It provides a claim URL and two defanged onion access links for verifying or obtaining the claimed material: No ransom amount is disclosed in the visible content.

The page shows 884 views and explicitly provides no screenshots or images on the leak page (images_count is 0) and indicates zero downloadable content (downloads_present is false). The data size is not disclosed (size_gb shown as ??? gb). The publication date is 2025-08-18, which also serves as the post date since no separate compromise date is provided. The description notes that the exfiltrated material includes categories such as client documents, internal budgets, payroll details, IDs, taxes, and financial information. The references to NextLabs’ official site appear to anchor the victim’s identity, while the defanged onion links and the claim URL offer channels related to the attackers’ claims.