Draft:Stormous
Draft article not currently submitted for review.
Overview
Stormous is a cybercriminal group primarily associated with ransomware and data-extortion operations.
The group has been active since at least 2022 and has publicly claimed responsibility for attacks against organizations across Europe, North America, and other regions. Stormous is known for combining data theft with extortion tactics, threatening to leak stolen data if ransom demands are not met.
The group has been referenced in multiple cybersecurity news outlets and threat-intelligence reports, particularly in connection with attacks on large enterprises and public institutions.
Relationship with GhostSec
Stormous has been repeatedly linked, by independent cybersecurity researchers and media reports, to GhostSec, a hacktivist collective that later expanded into ransomware and extortion activities.
Several threat-intelligence analyses have reported:
- Operational overlap between Stormous and GhostSec
- Shared infrastructure and ransomware tooling in some campaigns
- Joint or coordinated claims of responsibility for certain attacks
While neither group has publicly confirmed a formal organizational structure, analysts generally describe the relationship as collaborative or overlapping, rather than as a single unified entity. Some campaigns attributed to Stormous were observed using tooling or tactics previously associated with GhostSec-linked ransomware variants.
Notable Attacks
Duvel Moortgat (Belgium)
Stormous claimed responsibility for a ransomware attack against Duvel Moortgat, a major Belgian brewing company. The company confirmed a cybersecurity incident that resulted in temporary production disruptions and system shutdowns in order to contain the attack. Media reports stated that operations in multiple locations were affected while investigations were ongoing.
Transak
Stormous publicly claimed an attack against Transak, a cryptocurrency and Web3 payment infrastructure provider. Reports indicated that the incident involved unauthorized access and data exposure, with Stormous alleging data exfiltration as part of an extortion attempt. The attack was widely discussed in cybersecurity reporting due to Transak’s role in blockchain-based financial services.
Fractal
Stormous claimed responsibility for an intrusion involving Fractal, a company operating in the digital identity and blockchain ecosystem. According to published reports, the attack allegedly involved data theft followed by extortion threats, consistent with Stormous’s typical operational pattern.
KAI ID
Stormous also claimed to have compromised KAI ID, a digital identity platform. Cybersecurity reporting described the incident as involving the alleged theft of user or internal data, with Stormous threatening public disclosure unless ransom demands were met.
Hy-Vee
Stormous was linked in media reports to a cyber incident affecting Hy-Vee, a major U.S. supermarket chain. The company acknowledged a cybersecurity issue impacting some of its systems. While attribution details were limited, Stormous publicly listed Hy-Vee among its claimed victims during the same period.
France Travail
Stormous claimed involvement in a cyber incident affecting France Travail, the French national employment agency. French media confirmed a data breach impacting millions of users, caused by compromised credentials obtained through third-party access. While official investigations did not publicly attribute the breach to a specific group, Stormous publicly claimed responsibility and attempted to leverage the incident for extortion purposes.
Marjane Group (Morocco)
Stormous claimed to have targeted Marjane Group, one of Morocco’s largest retail chains. Threat-intelligence platforms and regional cybersecurity reporting noted extortion threats and alleged data theft, although public confirmation from the company remained limited at the time of reporting.
Tactics and Techniques
Stormous is commonly associated with double-extortion ransomware tactics, which typically include:
- Initial access through phishing campaigns, stolen credentials, or third-party compromise
- Data exfiltration prior to encryption
- Ransomware deployment or data-leak threats
- Public pressure through leak sites or social-media channels
In several reported incidents, Stormous relied on credential-based access rather than exploiting zero-day vulnerabilities, a method frequently observed in financially motivated cybercrime groups.
Conclusion
Stormous is widely regarded by cybersecurity analysts as a financially motivated ransomware and data-extortion group with an international targeting scope. Its repeated appearance in reporting by major cybersecurity news outlets, combined with confirmed disclosures from affected organizations, has positioned Stormous as a notable threat actor in the current ransomware landscape.
While attribution remains complex in some cases—particularly where claims are made without official confirmation—the group’s activities continue to be monitored by cybersecurity researchers and law-enforcement agencies.
Content Disclaimer
This information is summarized from Wikipedia and re-presented for educational purposes. The content is available under the CC BY-SA 3.0 license. We are not responsible for inaccuracies in data sourced from those public contributions.
