As previously reported on this site, in September 2023, Cardiovascular Consultants Ltd. (CVC) in Arizona experienced a ransomware attack. In October 2023, the Qilin ransomware group added CVC to its leak site, claiming to have exfiltrated 520,961 files and 206 GB of data. And in December 2023, CVC announced the breach in a substitute notice on its site and reported the incident to HHS as having impacted 484,000 patients. Those affected were offered two years of identity protection, credit monitoring, and fraud resolution services, but the notification made no mention of data being leaked anywhere.
Then, in September 2024*, data from the Qilin attack appeared on a clear net IP address associated with “WikiLeaksV2.” The clear net CVC leak consists of more than 76 GB of compressed files. Since September 2024, then, patients of CVC may be at a somewhat greater risk of having their PII and PHI shared or misused than when the data was only on Qilin’s dark web leak site, because downloads from a clear net site are much faster than downloads over Tor from a dark web leak site.
What is WikiLeaksV2?
So who or what is WikiLeaksV2, why are they leaking protected health information, and how did they get the data from Qilin, if they did? Noting that Qilin’s dark web site linked directly to WikiLeaksV2, DataBreaches reached out to the latter to ask some questions. Over the next week, WikiLeaksV2 answered this site’s questions via email.
According to a spokesperson, the WikiLeaksV2 project began about two years ago. Inspired by the original WikiLeaks, they are not hackers, but analyze data leaks and information that they acquire through various channels “to bring the truth to people around the world. That may sound loud or high-minded,” they state, “but we believe that information should be free. Especially in a sensitive area like cybersecurity.” Commenting that the public generally only finds out about a small percentage of the breaches each year, they state, “We want to change this. This is the reason why we started to realize this project. We don’t sell data, we don’t steal it. We are analyzing what has appeared in the public domain.”
As to their use of an IP address, they explained, “When we created the project, we had an address by name – Wikileaksv2. We tried to get it up on servers in China, in EU countries, and in the USA. However, we were simply blocked everywhere.”
One of their main approaches to obtaining data to analyze has been to try to establish collaborative relationships with ransomware groups. So far, however, only Qilin has agreed to a collaborative relationship whereby they provide victim data to WikiLeaksV2. Although DataBreaches is using CVC as a specific example of the site, WikiLeaksV2 is not specific to healthcare incidents and includes leaks from other sectors as well.
But what does Qilin or any ransomware group or source get out of any collaboration? Nothing, it seems. WikiLeaksV2 isn’t buying data. They are just hoping potential sources will give them data to analyze and write articles about. “It’s a non-profit collaboration,” WikiLeaksV2 tells DataBreaches. “They send us information, we study it. Now we are actively negotiating with other groups. However, there is another problem. You realize that it is very long, expensive, and difficult to process such volumes of information. Just downloading a terabyte archive from the darknet is a very difficult task. Besides, you need to store it all somewhere … We are not a commercial organization and we don’t have the money to rent servers, for example. So yes, now we are working closely with Qilin, they are great guys. But who they are and where they are we don’t know. In the future we hope to increase the number of publications and work more closely with other groups as well.”
No Rules on Countries or Sectors
Because some ransomware groups are very clear about countries that they will not attack or sectors they will not attack, DataBreaches asked WikiLeaksV2 if they had any restrictions on whose data they would analyze or report on. They answered:
If someone in the government of a country doesn’t like our publications, that’s their problem. We analyze data and put out what we think is necessary and interesting. If we are talking about the geography of our work, there are no borders for us. Most of our publications concern the USA and the European Union. The reason is simple – this is where the largest number of leaks occur.
As to ethical prohibitions about attacking any sectors or leaking any information, they replied:
We are not talking about ethics here. We certainly refuse a lot of publications, but the reasons are different. First, we look at any material from the standpoint of public interest. The more important the leak, the more likely we are to have it. Two, we have too few hands to handle all the incoming information. Ethics is about interpretation. The same event can be interpreted differently by each person. Look at Syria right now. Over a thousand civilians have been killed by the new authorities in the last week and no one in the world is bothered. Where is the ethics in that? Ethics in the modern western world is a point of view. We try to stay out of it.
WikiLeaksV2 as a Source
Ethics is exactly why DataBreaches thinks it would be incorrect to describe WikiLeaksV2 as independent journalists, a point they acknowledged when DataBreaches commented about how they named real patients in an article discussing an incident’s data tranche and how highly critical and even defamatory some of their articles appear:
If we write about someone, we have an obligation to give the “other side” an opportunity to speak out. That’s the gold standard. However, we are not journalists in this project. Our job is to bring information to light and for independent journalists to pay attention. They can download the archives, study them, read our publication and draw their own conclusions. They can also turn to the hero of our publication and ask for their comments. This is their job. We see it as our mission to draw their attention.
Of course, we write negative lyrics, sometimes angry lyrics. We like this style. People regularly write to us demanding that we remove the publication. Sometimes they offer money. Sometimes a lot of money. But we always answer like this: we will not remove anything, if you want to support our work – there is a “donate” button on the main page. Of course, some people may consider our publications “defamatory”…let them write about it on their resources, we will be glad to receive such feedback. Take legal action? Haha…well, that would be an interesting experience. Let them try it.
Commenting on the original WikiLeaks, Wikipedia noted that First Amendment attorney Floyd Abrams did not consider WikiLeaks a journalistic organization but rather “an organization of political activists; … a source for journalists; and … a conduit of leaked information to the press and the public.” DataBreaches thinks the same distinction applies to WikiLeaksV2: it may be a source for journalists to the extent that it is leaking data and analyzing some of it, but it does not adhere to journalistic ethics in its reporting or writing.
WikiLeaksV2 describes itself as a small team at this point:
We have a small team – less than 10 people. Of course, I can’t tell you the exact number and where we work from. I can say that they are people from different countries and from very different social backgrounds. Some of them used to be involved in civil activism and street politics, some of them work in a large corporation, some of them work as journalists. To be honest, I myself don’t know who all these people are in real life. We’ve never met because it’s difficult and not safe. We met on forums on the darknet. At first it was just the two of us, then more people showed up. The main thing that unites us is common values and the same view of the world. You should understand that we are not doing this for money.
Because DataBreaches adheres to a policy of not linking to data dumps of protected health information or personally identifiable information, DataBreaches is not linking to their CVC post or other specific posts on their site. And although they requested we link to their IP address and their wallets for donations, we cannot do that either for the same reason we don’t link to hacking forums or dark web leak sites: we don’t directly link to sites where PHI or PII can be found. We will simply note, however, that if you agree with their approach and methods, WikiLeaksV2 seeks and appreciates donations to their work; donations can be made from their site.
* Update: An article on Medium has a screenshot that indicates that WikiLeaksv2 first added CVC to their site in February 2024.