The Cl0p ransomware gang, a Russian-linked cybercriminal organisation known for high-profile extortion campaigns, has posted an unverified claim on its dark-web leak site stating that it has compromised systems associated with Hilton Worldwide Holdings Inc, a major global hospitality company. The notice appeared on 25 January 2026 and lists hilton.com among purported victims. At this stage, no evidence has been publicly released to confirm the claim or show that data from Hilton systems was accessed or exfiltrated.
Cl0p operates under a ransomware-as-a-service (RaaS) model and has been associated with numerous ransomware and data extortion incidents internationally. The group evolved from earlier malware variants and has been linked by cybersecurity researchers to large-scale breaches affecting enterprise software and managed file transfer products, where victims are named on its leak site if ransom demands are not met.
The listing for Hilton on the Cl0p site includes references to hilton.com, but, as of the latest update, no sample data or technical details have been made available by the group or independently verified by third-party researchers. Hilton operates thousands of properties across the world and maintains extensive digital systems for reservations, loyalty programs, and customer service. It has not publicly commented on the claim or confirmed whether any breach has occurred.
Ransomware gangs commonly post victim names on dark-web sites to pressure organisations into engaging in ransom negotiations or to draw attention to their claims. Cl0p, in particular, is known for posting entries for alleged victims before providing any proof of data access or theft, and for using public listings as an initial step in its extortion strategy. This practice can raise reputational concerns for listed organisations even in the absence of verified breach data.
Hilton has not disclosed any operational disruption or security incident in response to Cl0p’s posting. Without confirmation from the company or independent forensic verification, the extent of any potential compromise remains unclear, and industry observers caution that claims on ransomware leak sites should be treated with care until substantiated. The hospitality sector continues to face ransomware and data extortion threats as attackers target large organisations with extensive digital footprints.