Clearwater Marine Aquarium Ransomware Claim by Qilin (Apr 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Claim Summary
The Qilin ransomware group has posted an unverified claim of a cyberattack against the Clearwater Marine Aquarium, a non-profit organization based in the United States. According to the group’s dark web leak site, the alleged intrusion occurred on April 15, 2026. The post does not specify the volume or type of data purportedly stolen, listing it only as “N/A.” Such claims are commonly used by ransomware actors to pressure victims into paying a ransom by threatening to publish sensitive information.
Threat Actor Profile
Qilin, also tracked by some researchers as “Gold Feather” or “UNC3944,” is a financially motivated ransomware-as-a-service (RaaS) operation with a significant history. The group claims over 1,600 victims. Their known toolkit is extensive and includes credential access tools like Mimikatz, anti-forensic and EDR evasion utilities such as EDRSandBlast, PCHunter, and PowerTool, and network reconnaissance tools like Nmap and Nping. For data exfiltration, they have been observed using services like EasyUpload.io and MEGA. Their tactics often involve initial access via phishing (including SMS phishing and SIM-swapping) and subsequent lateral movement to target virtualization platforms like vCenter and ESXi servers for maximum disruption. This technical profile indicates a capable and aggressive adversary.
Alleged Data Exposure
The specific nature of the data allegedly compromised from Clearwater Marine Aquarium remains undisclosed by the threat actor. In similar attacks, Qilin has exfiltrated financial documents, employee and donor personally identifiable information (PII), internal communications, and operational data. Until the group provides a “proof pack” – a sample of the stolen files – or the victim organization confirms the breach, the exact scope of the claimed exposure is unknown and should be treated as unsubstantiated.
Potential Impact
If the claim is valid, the potential impact on the aquarium could be severe. Because the aquarium is a consumer-facing non-profit, a data breach could compromise sensitive donor information, animal care records, and financial data, leading to significant reputational damage, regulatory scrutiny, and loss of public trust. Operational disruption from ransomware deployment could also affect critical life support systems for marine animals and daily visitor services, posing both ethical and safety concerns.
What to Watch For
Monitor Qilin’s leak site for any follow-up posts, such as the publication of a data sample or a full data dump, which would escalate the threat. Security teams should review detection rules associated with Qilin’s known tools, particularly for EDR bypass attempts and anomalous network traffic to cloud storage services. Organizations in similar sectors should assess their defenses against the initial access vectors Qilin favors, especially phishing campaigns and vulnerabilities in virtualization infrastructure.
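One way to start the review of cloud-storage traffic suggested above, as an added example that is not part of the original report: it totals uploads per internal host to the exfiltration services named in the profile and flags hosts above a threshold. The log format, the sample lines, the MEGA domain list, the 100 MiB threshold and the function names are assumptions.

```python
from collections import defaultdict

# Services named in the report; the exact MEGA domain list is an assumption.
EXFIL_DOMAINS = ("easyupload.io", "mega.nz", "mega.io", "mega.co.nz")
UPLOAD_METHODS = {"POST", "PUT"}
THRESHOLD_BYTES = 100 * 1024 * 1024  # assumed alert threshold: 100 MiB per host

# Constructed sample proxy log (not real data): timestamp src_ip method host bytes_sent
SAMPLE_LOG = """\
2026-01-01T02:11:04Z 10.0.4.17 POST gfs270n085.userstorage.mega.co.nz 73400320
2026-01-01T02:13:40Z 10.0.4.17 POST gfs270n085.userstorage.mega.co.nz 62914560
2026-01-01T02:14:02Z 10.0.4.17 GET mega.nz 512
2026-01-01T09:30:11Z 10.0.9.3 POST easyupload.io 2097152
2026-01-01T09:31:00Z 10.0.2.8 POST notmega.nz.example.com 999999999
2026-01-01T09:32:00Z 10.0.2.8 POST omega.nz 999999999
malformed line
"""

def matches_service(host):
    """True for a listed domain or any subdomain of it (suffix match, not substring)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)

def upload_totals(log_text):
    """Sum bytes uploaded to the listed services, per source host."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed lines instead of failing the whole run
        _ts, src, method, host, sent = fields
        if method in UPLOAD_METHODS and matches_service(host):
            totals[src] += int(sent)
    return dict(totals)

def flag_hosts(log_text, threshold=THRESHOLD_BYTES):
    """Return the hosts whose total upload volume exceeds the threshold."""
    return {s: n for s, n in upload_totals(log_text).items() if n > threshold}

if __name__ == "__main__":
    for src, sent in flag_hosts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {sent / 2**20:.0f} MiB uploaded to cloud storage")
```

The suffix match keeps look-alike hosts such as `omega.nz` out of the totals; the threshold should be tuned against each network's normal use of these services.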
Disclaimer
This report is based on an unverified claim from a ransomware group’s dark web leak site. The alleged attack on Clearwater Marine Aquarium has not been independently confirmed by Yazoul Security or public sources at this time. Ransomware groups frequently exaggerate or fabricate claims to extort payments. This information is provided for threat intelligence purposes only.