Ransomware Group: QILIN

VICTIM NAME: www[.]wyongleagues[.]com[.]au

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

On August 17, 2025, a ransomware leak page attributed to the group qilin identifies www[.]wyongleagues[.]com[.]au as a victim. The victim_name corresponds to Wyong Rugby League Club, Australia, described on the page as a network of 12 organizations that offer entertainment, recreational and dining opportunities and promote membership across the club network. The leak page characterizes the incident as a data-leak event, indicating that sensitive information has been exfiltrated by the attackers, and it notes the presence of a claim URL for potential extortion or public disclosure. The post date associated with the page is August 17, 2025. The dataset does not reveal a specific ransom amount in the available fields.

The leak page includes ten image attachments, presented as screenshots or thumbnails of internal documents or related media. There are no visible downloads or additional links in the excerpt aside from a claim URL, which is consistent with extortion-focused leak pages observed in ransomware campaigns. The number of images (10) suggests a sizeable collection of leaked materials, though the exact contents of the images are not described in the provided data.

The body excerpt references contact-like elements associated with the leak, including a Jabber field and a TOX identifier, with the Jabber email shown as redacted in the public text. An FTP-style address is also present, though the credentials appear redacted in the dataset. The key labels indicate the Jabber field is redacted and the FTP-related contact is obscured, which is typical for leaked pages that publicly display contact and exfiltration channels without exposing sensitive details. No ransom figure is listed in the excerpt, and the post date remains August 17, 2025, corresponding to the page’s publication date.