Lee International Data Breach

Alleged

Ransomware claim involving Lee International.

Published: Jun 23, 2026
Threat Actor: Qilin
Threat Level: High
Confidence: High

Quick Summary

Company: Lee International
Industry: Business Services
Threat Actor: Qilin
Date of Incident: Jun 23, 2026
Status: Alleged

Executive Summary

Lee International, an organization based in Singapore, was listed on the Qilin ransomware group’s dark web portal on June 23, 2026. SOCRadar’s Dark Web Monitoring service identified the listing. While the specific industry of Lee International was not detailed in the metadata, its inclusion adds another APAC-based entity to the target list of Qilin, a group known for its high output and broad targeting strategy. Qilin has been highly active, claiming numerous victims in the 60 days prior to this listing, and has shown a consistent pattern of targeting the Business Services, Manufacturing, and Construction sectors, primarily in the United States, United Kingdom, and Australia. APAC organizations are also frequently targeted.

Technical Analysis

SOCRadar’s threat intelligence identified a severe exposure for the leeinternational.com domain via stealer-log telemetry. Corporate credentials, including those authenticating to the organization’s ADFS single sign-on gateway and several @leeinternational.com credentials from unrelated third-party services, were captured. This pattern suggests stealer infections on employee endpoints harvesting both internal and external logins. The exposure of the ADFS/SSO gateway is particularly concerning as it could allow for tenant-wide authentication and lateral movement. The captured logs date from September 2025 to June 2026, indicating a persistent exposure of masked corporate accounts on the ADFS endpoint without rotation. This aligns with Qilin’s typical initial access vector, where infostealer credentials sourced from underground marketplaces are used to gain access to Microsoft 365, VPNs, or remote-access portals before ransomware deployment. Security teams are advised to prioritize forced resets and Multi-Factor Authentication (MFA) for the affected ADFS accounts and to conduct hunts for anomalous authentication activity against the identity provider.
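The forced-reset prioritization and authentication hunt recommended above can be sketched as follows. This is an added example, not SOCRadar's tooling or data from the incident: the account names, IP addresses, dates and the normalized sign-in tuple format are all constructed, and it assumes identity-provider audit logs and password-last-set dates have already been exported.

```python
from datetime import datetime

# All data below is constructed for illustration; none of it comes from the page.
EXPOSED = {  # account -> first date it appeared in a stealer log
    "a.tan@example.test": datetime(2025, 9, 14),
    "b.lim@example.test": datetime(2026, 3, 2),
}
PWD_LAST_SET = {  # account -> last password change, exported from the directory
    "a.tan@example.test": datetime(2025, 6, 1),   # predates capture: still live
    "b.lim@example.test": datetime(2026, 3, 20),  # rotated after capture
}
SIGNINS = [  # (time, account, source IP, success), normalized from IdP audit logs
    (datetime(2025, 8, 1, 9), "a.tan@example.test", "203.0.113.10", True),
    (datetime(2025, 10, 5, 3), "a.tan@example.test", "198.51.100.77", True),
    (datetime(2025, 10, 6, 9), "a.tan@example.test", "203.0.113.10", True),
    (datetime(2026, 3, 10, 2), "b.lim@example.test", "198.51.100.9", False),
    (datetime(2026, 4, 1, 9), "b.lim@example.test", "192.0.2.44", True),
    (datetime(2026, 4, 2, 9), "c.ng@example.test", "198.51.100.77", True),
]

def unrotated(exposed, pwd_last_set):
    """Exposed accounts whose password predates the capture: reset these first.
    An account with no known change date is treated as never rotated."""
    return sorted(a for a, seen in exposed.items()
                  if pwd_last_set.get(a, datetime.min) <= seen)

def hunt(exposed, pwd_last_set, signins):
    """Flag sign-in attempts by exposed accounts, from IPs outside the account's
    pre-capture baseline, made while the stolen password was still valid."""
    baseline = {}  # account -> IPs with successful sign-ins before the capture
    for ts, acct, ip, ok in signins:
        if ok and acct in exposed and ts < exposed[acct]:
            baseline.setdefault(acct, set()).add(ip)
    findings = []
    for ts, acct, ip, ok in sorted(signins):
        if acct not in exposed or ts < exposed[acct]:
            continue
        rotated = pwd_last_set.get(acct, datetime.min)
        live = rotated <= exposed[acct] or ts < rotated  # stolen password usable
        if live and ip not in baseline.get(acct, set()):
            findings.append((acct, ip, ts, "success" if ok else "failed"))
    return findings

if __name__ == "__main__":
    print("Reset first:", unrotated(EXPOSED, PWD_LAST_SET))
    for finding in hunt(EXPOSED, PWD_LAST_SET, SIGNINS):
        print("Review:", finding)
```

An account with no pre-capture history has an empty baseline, so every source IP is flagged for it; that is deliberate, since there is nothing to compare against.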
