Ransomware Group: QILIN

VICTIM NAME: welldone[.]com[.]tw

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

On August 20, 2025, the leak page attributed to the threat group Qilin presents welldone[.]com[.]tw as a victim. The Taiwan-based manufacturing entity is described as the first legal remittance service for migrant workers in Taiwan, citing approvals from the Financial Supervisory Commission in 2018 to conduct fintech remittance experiments and the first migrant-worker remittance license issued in 2021, renewed in 2024. The post states that its remittance services cover Indonesia, Vietnam, the Philippines, and Thailand, offering legal, safe, and round-the-clock remittance for migrant workers. The central claim is that personal data for more than 700,000 customers has been leaked, including names, phone numbers, dates of birth, passwords, ROC Resident Certificates, and selfies. The attackers warn that the full dataset will be released if the company does not engage, and the post notes a claimed URL associated with the data, though no downloadable content is shown on the page.

The leak page includes nine image assets, which appear to be screenshots or document-like visuals, though their exact contents are not described in detail. The post does not present any direct downloads. There is no ransom amount stated in the visible text. In line with extortion tactics, the page implies that data exposure will escalate if the company remains nonresponsive. Personal data categories implicated include names, phone numbers, dates of birth, passwords, government ID numbers, and selfies; actual values are not disclosed here. A Jabber contact is listed but shown in redacted form, and additional connection details (including an FTP-like reference) are likewise redacted. The victim name that this incident centers on is welldone[.]com[.]tw, and the leak’s distribution appears to utilize onion-hosted resources, with no external links visible on the page.