Qilin Ransomware Targets NYC Transit Workers Union — Over 67,000 at Risk

24.02.2026 | Author: Newsman

The Russian-linked ransomware group Qilin has added Transport Workers Union Local 100 to its dark web leak site. More than 67,000 individuals — including 26,000 retirees — could now face identity theft, targeted phishing campaigns, and financial fraud if the alleged breach is confirmed.

Qilin, recognized as the most active ransomware gang of 2025, claims it has already “publicated” data allegedly exfiltrated from TWU Local 100 servers. The group has not disclosed the scope or exact contents of the stolen information.

TWU Local 100 represents approximately 41,000 active transit workers and 26,000 retirees across New York City’s subway, bus, and transit infrastructure.

Labor unions are particularly attractive targets because they store extensive sensitive data, including:

  • personally identifiable information (PII);
  • salary and pension records;
  • medical and insurance details;
  • disciplinary files;
  • internal financial documentation.

If exposed, such data could enable:

  • identity theft;
  • pension diversion schemes;
  • tax fraud;
  • highly targeted social engineering attacks.

The risk is amplified by ongoing contract negotiations between the union and the Metropolitan Transportation Authority (MTA), potentially creating opportunities for blackmail, reputational attacks, or manipulation of internal elections.

Qilin operates under a ransomware-as-a-service (RaaS) model, allowing affiliates to deploy its malware in exchange for a share of ransom payments.

According to monitoring data, the group listed over 1,000 victims in 2025 and has already claimed more than 200 victims in 2026 as of February. Qilin has been linked to major campaigns targeting airports, manufacturers, financial institutions, healthcare providers, and government agencies. Analysts also associate the group with networks tied to LockBit and DragonForce.

The Qilin ransomware group has claimed over 200 victims so far in 2026.

The attack on TWU Local 100 highlights a growing trend: labor unions are becoming prime ransomware targets due to the volume and sensitivity of the data they retain. If the breach is confirmed, the fallout could extend beyond union members, potentially impacting public trust and operational stability within New York City’s transit system.
