A ransomware group known as DragonForce claims to have carried out an intrusion at Mobilelink USA, a large retailer that operates Cricket Wireless stores across the United States. The group said it extracted more than 5TB of data from company systems. The attackers allege that the material includes internal documents and customer-related information, although they have not released sample files to verify the claim.
Mobilelink USA manages more than 550 Cricket-branded stores across 21 states. Security analysts said that if the claims are accurate, the potential impact could extend across a wide customer base. They noted that retailers often hold a mix of operational data, including customer contact details, device purchase records, and account-related information used to support service activation. Analysts said that any exposure of this material could heighten the risk of phishing attempts and other forms of fraud.
Russia-linked DragonForce is described by researchers as an active ransomware as a service organisation involved in global data theft and extortion campaigns. The group has been linked to incidents that target companies in a variety of sectors. Specialists said DragonForce commonly announces breaches by publishing unverified claims before releasing proof of data theft. They added that this approach is intended to pressure organisations into negotiation.
The intrusion at Mobilelink USA has not yet been confirmed by the company. No public statement has been issued, and details about the nature of the attack remain limited. Cybersecurity analysts said that in cases where attackers claim to have extracted large data sets, companies typically conduct parallel forensic investigations to validate or refute the allegations. They said these inquiries can take time because investigators must examine server activity, logs, and network behaviour to identify potential access points.
Experts said that if customer data were compromised, individuals could face attempts to obtain additional personal information through fraudulent communication. Attackers often use partial data to craft convincing messages that appear to come from legitimate customer service teams. Analysts advised customers of Cricket Wireless and Mobilelink USA to monitor account activity, review billing statements, and remain alert to unsolicited contact asking for verification of personal details.
Ransomware groups frequently target retailers because of their large customer bases and distributed IT environments. Analysts said that point of sale systems, customer support platforms, and device management tools can provide opportunities for attackers if networks are not fully segmented or monitored. They added that retailers rely on continuous system availability to support daily operations, which can make them vulnerable to extortion.
Law enforcement and cybersecurity authorities continue to track ransomware groups that specialise in data theft. Investigators said extortion-driven attacks remain a significant challenge because attackers often operate across borders and rely on encrypted communication channels. They noted that claims of data theft are sometimes exaggerated, but must be assessed carefully because even limited exposure can create risks for individuals.
Mobilelink USA has not indicated when further information will be released. Analysts expect additional details once the company completes initial assessments or if the ransomware group publishes evidence.