[STORMOUS] – Ransomware Victim: crystalhotels[.]com[.]tr

Ransomware Group: STORMOUS

VICTIM NAME: crystalhotels[.]com[.]tr

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the STORMOUS Onion Dark Web Tor Blog page.


AI Generated Summary of the Ransomware Leak Page

The ransomware leak pertains to the hospitality sector, specifically targeting the hotel chain accessible through the domain crystalhotels.com.tr in Turkey. The attack was identified on May 21, 2025, and the compromised data includes sensitive customer and internal information. The leaked data, estimated at approximately 40GB, encompasses full names of hotel guests, email addresses—both internal and external—customer complaints, feedback content, booking and reference numbers, and internal communication records. The incident was attributed to the threat group Stormous, with the leak involving several data-stealer tools such as RedLine, StealC, Vidar, Lumma, Raccoon, and others. The leak also includes screenshots of internal documents, which may reveal operational or confidential information. This breach exposes critical personal and organizational data, posing significant privacy risks and potential misuse. The leak’s publicity underscores the ongoing threat faced by the hospitality industry from cybercriminal activity targeting sensitive customer and business data. The incident highlights the importance of cybersecurity measures to protect internal communications and customer records against future attacks.

The leak page publicly displays a screenshot of internal documents, hinting at the scope of the stolen information, which may include detailed hotel guest data, internal communication logs, and possibly more sensitive material. The attack was carried out by the cybercriminal group Stormous, known for their infostealer operations, using malware like RedLine and Vidar among others to extract valuable data. The attack involved approximately 28 user accounts and multiple third-party sources, indicating a multifaceted breach with considerable data exfiltration. The leak not only exposes customer privacy but also jeopardizes the hotel’s operational integrity, especially as the compromised data could be exploited for further malicious activities or fraud. Given the severity of the breach, the hotel is advised to enhance its cybersecurity defenses and implement rigorous data protection protocols to prevent similar incidents in the future.

