Hacking the Media: The PR Tactics of Cybercriminals
Summary
Cybercriminals use publicity as a tactic to boost their own reputations and increase extortion pressure on victims.
Some ransomware groups and individual threat actors directly engage with the media by contacting journalists or alternative media, or by posting announcements, while others indirectly cultivate attention through activity on social media or open forums.
Not all threat actor claims that attract attention are legitimate. However, false or misleading claims can still create legal and brand impairment risks for the targeted company.
Generative artificial intelligence (AI) is likely to amplify these risks in the future by enabling threat actors to easily produce false or misleading content related to data breaches.
An intelligence-led incident response plan can help defenders be more resilient to fear and manipulation tactics and avoid reactionary responses to extortion attempts.
Analysis
Threat actors exploit media attention to amplify their impact and enhance their notoriety. Public discourse around cybercrime increases fear, uncertainty, and doubt (FUD), especially when false or exaggerated claims are repeated without scrutiny. These strategies are fueled by a reactive media ecosystem that incentivizes being the first to break a story on an emerging threat. Threat actors use this to their advantage to spread their claims, which contributes to manipulating their victims and increasing the effectiveness of extortion attempts.
Figure 1: Criminals directly and indirectly engage with the media to promote their brand and make extortion more impactful (Source: Recorded Future)
Weaponizing Reputation
Cybercriminals use strategies to leverage reputation as an operational weapon. A well-known and feared criminal brand can motivate victims to pay more quickly, especially in ransomware cases. Establishing credibility also helps address the “ransomware trust paradox.” If a victim does not believe a ransomware operator will unlock their data, they will not be motivated to pay the extortion demand. Extortionists need their victims to trust them in order to convince them to send extortion payments. Media coverage of successful attacks helps build the trust and authority needed to compel victims to pay.
Criminals also use publicity not just for strategic advantage but for ego. Notoriety fuels personal pride and status within the criminal community. Beyond operational benefits, some criminals gain personal satisfaction from targeting high-profile organizations or showcasing their wealth or technical skills to peers.
Figure 2: The ransomware trust paradox characterizes the dilemma that criminals need their victims to trust them if they want a large extortion payout (Source: Recorded Future)
Direct and Indirect Engagement Strategies
Threat actors use direct and indirect tactics to attract public attention. Acting as their own PR team, threat actors claiming affiliation with DragonForce ransomware-as-a-service (RaaS) contacted the BBC to promote their attacks on British retailers. Media outreach appears to be one of the “services” offered by DragonForce to promote the brand of the cartel, both to attract affiliates and intimidate extortion victims. Other ransomware groups include contact information on their extortion blogs or Telegram channels, often with explicit calls for journalists to get in touch.
At the same time, threat actors cultivate attention indirectly by promoting attacks on public messaging platforms, such as Telegram channels that are monitored by security researchers and journalists. Threat actors associated with Scattered Spider, a vendor-applied name for a loosely organized criminal collective, leaned on their name recognition and history of industry-based targeting to attract coverage of an alleged “hacking spree” across retail, insurance, and aviation sectors. Criminals operating under the Scattered Spider collective benefited from the perception of an ongoing crime spree, which they used to maximize their own notoriety and increase extortion pressure on victims through threats of widespread publicity.
Figure 3: References to a “hacking spree” spiked following the initial attacks on British retailers in May 2025 (Source: Recorded Future)
Similarly, threat actors exploit the fact that researchers and reporters closely monitor dark web activity. Reporting on new forums, emerging threat groups, or alleged data breaches exposes this activity to the general public. While this reporting can be a useful firsthand source of information for researchers and analysts, repeating claims without verification or context risks reinforcing the threat actor narratives.
In some cases, threat actors deliberately fabricate or exaggerate claims to attract attention. LockBit, for example, made headlines after asserting it had breached the US Federal Reserve. However, the group actually breached a much smaller (and less politically significant) financial institution. This claim may have been a ploy to re-establish the group’s hacking credentials following the law enforcement takedown in February 2024.
Figure 4: Cybersecurity media outlets repeating LockBit’s claims of hacking the Federal Reserve (Source: Google News Search)
Data thieves also benefit from notoriety. Alleged serial hacker Kai West used the moniker “IntelBroker” to maximize the perceived value of stolen data as well as to bolster his reputation. Prior to his arrest in June 2025, West advertised hacked data for sale 41 times, with the cumulative initial asking price for datasets (where listed) totaling $2.467 million USD. West frequently exaggerated the extent of his exploits, such as his claim to have access to T-Mobile’s “source codes,” which turned out to be previously stolen data. Another attention-grabbing tactic involved exploiting a third-party vendor, then claiming to have compromised a more prominent organization that is a customer of that vendor. This may have occurred in the case of IntelBroker’s claims to have stolen Apple’s “internal source code.” However, technical analysis of the stolen data revealed it was proprietary configurations of Apple’s Jira and Confluence integrations. West’s claims were supported by increasing FUD following other breaches that did turn out to be legitimate, such as a hack of DC Health Link, an online health insurance exchange serving Washington, DC.
Figure 5: Despite the uncertainty around the actual impact of the Apple breach, major news outlets and security researchers alike reported the claims (Sources: Forbes and HackingBlogs)
Costs of Amplification
Highly publicized false or exaggerated claims can still have a negative impact on a company. “Rose87168” attracted significant attention for their claims to have stolen data from 6 million Oracle Cloud Infrastructure users. However, Recorded Future and other researchers demonstrated that the vast majority of the data was historical, fabricated, or recycled. According to the threat actor’s social media account, the asking price for the dataset dropped from $65,000 to just $11,000 USD (50 Monero) over a period of three weeks, suggesting low demand. Despite the evidence that the claims were exaggerated, Oracle is facing at least two class-action lawsuits alleging that lax security measures led to data exposure.
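The kind of overlap check researchers used to show that a claimed dump was largely historical or recycled can be sketched in code. The example below is added here and is not from Recorded Future's report or the Oracle investigation; the record layout, the sample dump, the historical corpus, the 2020 staleness cutoff and the 50% novelty threshold are all constructed assumptions, and it also covers the "historical breach data overlap" monitoring mentioned in the Risk Scenario section.

```python
import hashlib
from datetime import date

# Constructed sample of a threat actor's "claimed" dump (hypothetical records, not real data).
CLAIMED_DUMP = [
    {"email": "Alice@Example.com", "pw_hash": "a1", "last_seen": "2016-03-01"},
    {"email": "alice@example.com ", "pw_hash": "a1", "last_seen": "2016-03-01"},  # same record re-listed
    {"email": "bob@example.org", "pw_hash": "b2", "last_seen": "2015-11-20"},
    {"email": "erin@example.com", "pw_hash": "e5", "last_seen": "2017-05-05"},
    {"email": "carol@example.net", "pw_hash": "c3", "last_seen": "2025-01-15"},
    {"email": "dave@example.net", "pw_hash": "d4", "last_seen": "2024-12-02"},
]
# Constructed corpus of records already known from earlier, public breaches (hypothetical).
HISTORICAL_CORPUS = [
    {"email": "alice@example.com", "pw_hash": "a1"},
    {"email": "bob@example.org", "pw_hash": "b2"},
]

def fingerprint(rec):
    """Stable fingerprint: normalised e-mail plus the credential hash as listed."""
    email = rec["email"].strip().lower()
    return hashlib.sha256(f"{email}|{rec['pw_hash']}".encode()).hexdigest()

def triage_dump(claimed, historical, stale_before=date(2020, 1, 1), novel_threshold=0.5):
    """Bucket every claimed record, then judge whether the dump is mostly recycled.
    duplicate: repeated within the dump; recycled: already in the historical corpus;
    stale: unseen but its own timestamp predates stale_before; novel: unseen and recent."""
    known = {fingerprint(r) for r in historical}
    seen = set()
    counts = {"total": len(claimed), "duplicate": 0, "recycled": 0, "stale": 0, "novel": 0}
    for rec in claimed:
        fp = fingerprint(rec)
        if fp in seen:
            counts["duplicate"] += 1
            continue
        seen.add(fp)
        if fp in known:
            counts["recycled"] += 1
        elif date.fromisoformat(rec["last_seen"]) < stale_before:
            counts["stale"] += 1
        else:
            counts["novel"] += 1
    unique = counts["total"] - counts["duplicate"]
    # Fraction of distinct records that are genuinely new drives the escalation decision.
    counts["novel_fraction"] = counts["novel"] / unique if unique else 0.0
    counts["verdict"] = ("mostly recycled or historical" if counts["novel_fraction"] < novel_threshold
                         else "substantial new data; escalate")
    return counts
```

On the constructed sample, two of five distinct records are new, so the dump is rated mostly recycled; the novel records are the ones a forensic team would verify first.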
Outlook
The accelerating demand for information is likely to put increased “first mover” pressure on journalists: The rapid speed of both cyber threats and the social media-driven news cycle puts pressure on cybersecurity journalists to act quickly. While some reporters intentionally prioritize “clickbait” over accuracy, all reporters face tension between timely reporting and conducting a thorough investigation. Threat actors are likely to continue to exploit the first-mover impulse with intentionally trollish or sensational announcements on dark web and criminal forums.
Generative AI will very likely make false claims and exaggerations more convincing: Increasingly effective generative AI tools are very likely to make it easier to manipulate media narratives and public opinion. Criminals can use generative AI to create convincing synthetic datasets to demonstrate the validity of a claim, or use voice and video deepfakes to spawn an intimidating new persona or imitate an existing public figure.
Perception of a breach is likely to have as much impact as the breach itself: Class-action lawsuits due to data breaches are on the rise, with some lawsuits filed before the facts of the incident have been fully established. This means that even false or exaggerated claims are likely to have a negative impact on a company’s legal risk, which can be another pressure point threat actors use to extort payouts.
Influence operation tactics are likely to be weaponized against companies: State-sponsored influence operators churn out inauthentic news articles and social media posts that align with their political narratives. Generative AI makes this operation relatively cheap and easy. Criminal groups may decide to replicate these methods if they are unable to organically generate media attention.
Mitigations
Develop an incident response plan: Threat actors want to intimidate ransomware victims into paying extortion demands. Having an incident response plan can help your organization navigate a high-stress situation and avoid reactionary responses.
Ensure your incident response plan includes legal, PR, and crisis communications teams: Make sure all relevant teams in your organization are part of incident response planning and in tabletop exercises. This will help ensure teams outside of your security department are prepared to respond effectively to a publicized ransomware attack.
Be a critical consumer of data breach reporting: Consider the credibility of the source reporting a data breach. Are they simply repeating a claim, or do they provide evidence that shows they have independently verified this incident? Do they have a history of accurate reporting? Are other credible sources providing similar reports? Articles that only quote or reference the threat actor are likely not providing the whole context for a threat.
Accelerate investigations and avoid reactionary responses: Deploy forensic teams early to independently assess whether and to what extent a breach has occurred and provide executives with verified updates for stakeholder communication. Use Recorded Future’s Threat Intelligence module as a source of truth to verify information to avoid being reactionary.
Prepare for AI-enhanced information sharing: Train security and communications teams to recognize synthetic datasets, AI-generated screenshots, and deepfake videos that could be used to “prove” false breaches. Maintain relationships with trusted industry partners and information-sharing and analysis centers (ISACs) for rapid threat intelligence sharing.
Risk Scenario
Scenario: A threat actor claims to have stolen millions of lines of customer data from a widely used cloud services provider.
Potential Outcome #1: Stolen database contains a combination of new and previously leaked data
Operational Disruption: Critical services are taken offline as the cloud service provider (CSP) investigates the extent of the incident.
Legal and Compliance Failure: Class-action lawsuits are filed immediately, alleging failure to protect data.
Brand Impairment: The presence of any new information is taken as evidence of ongoing security vulnerabilities.
Financial Fraud: The blend of data allows for highly tailored, believable scams targeting both existing and new victims.
Brand Impairment: Customers interpret “partial breach” disclosures as attempts to minimize impact, weakening trust and loyalty.
Operational Disruption: Implementing deeper monitoring of historical breach data overlap to detect partial exposures earlier diverts funds from other strategic initiatives.
Potential Outcome #2: Stolen dataset is actually a highly sophisticated synthetic forgery
Operational Disruption: Critical services are taken offline as the CSP investigates the extent of the incident.
Legal and Compliance Failure: Class-action lawsuits are filed immediately, alleging failure to protect data.
Financial Loss: The technical and legal response results in hundreds of millions in profit loss.
Brand Impairment: Public perception still associates the company’s brand with “data breach” despite debunking the threat actor’s claims.
Competitive Disadvantage: Demands for near-real-time validation of data breaches lead to increased errors, eroding trust in data breach disclosures.
Potential Outcome #3: Customer data leak is a distraction from more extensive data exfiltration
Operational Disruption: Critical services are taken offline as the CSP investigates the extent of the incident.
Legal and Compliance Failure: Two class-action lawsuits are filed immediately, alleging failure to protect data.
Competitive Disadvantage: The threat actor uses different, more stealthy techniques to gain undetected access to highly sensitive IP, quietly selling that data to the CSP’s competitors overseas.
Financial Loss: The company’s stock loses value after the full extent of the breach is revealed.
Legal and Compliance Failure: Regulators open investigations of a potential cover-up, alleging the CSP intentionally obscured the true extent of the breach.