Here’s a must-read post, especially if you read and repeated claims that DragonForce, Qilin, and LockBit have formed some kind of cartel. Marco A. De Felice writes on SuspectFile:
In the recently published “Threat Spotlight: Ransomware and Cyber Extortion in Q3 2025” by ReliaQuest, one particular section drew significant attention: the claim of an alleged “alliance” between three ransomware groups — LockBit, DragonForce, and Qilin.
According to the report, these groups had allegedly formed a cooperative relationship, sharing software, resources, and affiliates in a coalition meant to enhance their operational reach and efficiency.
However, this depiction lacks any verifiable basis. There are no technical indicators, digital forensics, or credible primary sources supporting the existence of shared code, infrastructure, or operational collaboration among these groups. In our view, the claim of an “alliance” is speculative and was presented without sufficient empirical verification.
More concerning is how this unverified assumption rapidly spread across various media outlets, where it was often treated as established fact.
The only analysis that maintained a cautious and methodologically sound position came from ZeroFox, whose flash report emphasized that the rumored coalition had not materialized and urged caution against publishing uncorroborated claims.
Read more at SuspectFile. Seriously: read the whole post. Marco reached out to all three groups and got a statement from Qilin that flatly denies claims about any alliance or cartel. Could Qilin be lying? Of course. But is there any real evidence to support claims of an alliance or cartel? If so, what is it?