Europol Denies $50K Reward for Qilin Ransomware, Calls It a Scam

Europol has confirmed that a widely reported $50,000 reward for information on the Qilin ransomware group is a “scam.” The fake announcement is believed to be a tactic used by rival gangs.

A $50,000 reward from Europol for information on two top members of the Qilin ransomware group has been exposed as fake. According to Europol, the announcement, which was shared on a Telegram channel and later reported by several news outlets, is a scam and did not come from the official law enforcement agency.

The organisation confirmed that it does not use Telegram for official announcements. The agency maintains accounts on other platforms like Instagram, LinkedIn, and Facebook.

The fraudulent message claimed that Europol was offering a reward for two cybercriminals known by the online names Haise and XORacle, who allegedly oversee the Qilin ransomware operation. Here is the fake message:

“During the course of ongoing international investigations, we have confirmed that the cybercriminal group Qilin has carried out ransomware attacks worldwide, severely disrupting critical infrastructure and causing significant financial losses,” Europol said in a post to one of its Telegram channels.”

“We have identified two primary administrators operating under the aliases Haise and XORacle, who coordinate affiliates and oversee extortion activities.”

“We are actively pursuing all available leads in cooperation with international partners. A reward of up to US$50,000 is offered for information that directly leads to the identification or location of these administrators.”

The fake reward announcement

****Qilin: A Highly Active Threat****

Qilin, aka Agenda, is a very active ransomware group operating since 2022. It made headlines with a high-profile cyberattack in mid-2024 against Synnovis, a key NHS lab provider in London. The attack caused widespread disruption, delaying over 10,000 outpatient appointments, forcing the postponement of 1,710 operations, and stalling 1,100 cancer treatments.

After demanding a $50 million ransom, the gang eventually leaked nearly 400GB of sensitive patient data, including names and NHS numbers. A review conducted by the NHS in June 2025 revealed that a patient’s death was also caused by the incident.

The group’s members are believed to be based in Eastern Europe and are known to speak Russian. The organization runs on a ransomware-as-a-service (RaaS) model, where it allows other criminals to use its tools in exchange for a share of the profits. This year alone, Qilin has claimed over 400 victims on its leak website, including large companies and organizations.

Source: Bitdefender

****Why The Fake Announcement?****

The fake reward announcement is a strange but familiar tactic in the world of cybercrime. Experts suggest that such fraudulent claims can be used by rival criminal groups to damage the reputation of their competitors, sow distrust, and even lure away their members.

By creating confusion and paranoia within a rival group, a competing gang can try to gain a competitive edge in the illegal market. In this case, the fake Europol reward may serve as a strategic move in an ongoing battle between cybercriminal organizations.