Login
iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Powered by MOMENTUMMEDIA
Ransomware gang or opportunistic newbie FunkSec is certainly good at at least one thing – exposure.
FunkSec exploded onto the ransomware scene in December 2025, claiming 13 victims on 4 December – the date it first posted to its darknet leak site – alone.
In fact, by the end of the month, it had claimed well over 80 victims, making it the number one ransomware operation in the world for that period.
However, while that may seem impressive – even if criminally so – security researchers at Check Point Research have questioned whether the gang is everything it claims to be.
AI-powered malware
According to Check Point, one of the things that sets FunkSec apart is its reliance on AI to assist in the building of its ransomware and other malware suites, which it offers on its darknet site.
While members of the group – there are at least four, including one in Algeria who likely works on the code itself and regularly uploads it to the gang’s site – have been observed communicating on hacking forums in limited English, the comments within their code are in perfect English, which Check Point believes points to the code being written, at least in part, with the assistance of an AI agent.
“In some of their published messages,” Check Point said in a 10 January blog post, “the group specifically linked the development of their ransomware to AI-assisted agents, likely providing it with the source code for the ransomware and simply shared the output on their site”.
The group also created and shared its own AI chatbot – called Scorpion, after one of its members – which is focused on hacking activity, with suggested chat prompts such as “Teach me some hacking tricks” and “How do you plan a digital heist?” The chatbot is based on Miniapps, which has similar functionality to ChatGPT but without any of that platform’s restrictions and safeguards.
The ransomware itself is stripped Rust binary with a high degree of redundancy built-in, either by design or as a result of inexperience on the part of the coders. The ransomware is also constantly updated by its creators, with new versions often published just days apart.
“In our analysis of this ransomware,” Check Point said, “we uncovered all its versions which point to an ongoing development effort likely carried out by an inexperienced malware author”.
While the group offers its ransomware as a paid service, it also offers several free tools on its website, including the Scorpion DDoS Tool, a password scraping tool called funkgenerate, and JQRAXY_HVNC, a remote desktop program.
Who is FunkSec?
While FunkSec clearly positions itself as a ransomware-as-a-service operation, it’s also somewhat of a hacktivist group. The group is vocally pro-Palestine and has said it is directly targeting entities in the United States and India for political reasons.
The most active member is Scorpion, who goes by a number of aliases online, most notably DesertStorm.
“DesertStorm’s YouTube profile listed their location as Russia, though the video’s shared URL suggested it was uploaded from Brazil,” Check Point said.
“DesertStorm continued posting leaks on Breached Forum – most unverified or not credited to FunkSec – until the account was banned in November 2024.”
Hackers known as el_farado and XTN are two other figures associated with FunkSec. The former’s posts on a popular hacking forum strongly suggest the neophyte nature of the group.
“I wanna learn hacking website and databases,” el_farado wrote in a November 2024 post to Breach Forums.
“Like how other guys posting links. What should I look for?”
Bjorka, a “known Indonesian hacktivist”, is thought to have some form of affiliation with the group. The group has also associated itself with two other hacktivist groups, Ghost Algeria and Cyb3r Fl00d, both of which appear to now be defunct.
“FunkSec’s operations highlight the role of AI in malware development, the overlap between hacktivism and cyber crime, and the challenges in verifying leaked data,” Check Point said in conclusion.
“It also raises questions about how we assess the threat posed by ransomware groups, as we often rely on the groups’ own claims. These findings reflect a changing threat landscape, where even low-skill actors can make use of accessible tools to cast a very large shadow.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
