Hacking Group BlackFile Targets Retail and Hospitality Sectors with Voice Phishing Campaign
AI-generated from multiple sources. Verify before acting on this reporting.
LONDON (AP) — A financially motivated hacking group known as BlackFile has launched a coordinated wave of data theft and extortion attacks against retail and hospitality organizations worldwide, utilizing sophisticated voice-based phishing tactics to infiltrate corporate networks.
The campaign, identified by cybersecurity researchers as originating from the group also tracked under aliases CL-CRI-1116, UNC6671, and Cordial Spider, marks a significant escalation in the group's operational methods. BlackFile has historically targeted a range of sectors, but recent activity indicates a focused shift toward businesses with high volumes of customer data and payment processing systems.
The attacks involve social engineering techniques delivered through voice communications, often mimicking legitimate customer service representatives or technical support staff. By convincing employees to divulge credentials or execute malicious scripts, the group gains unauthorized access to internal systems. Once inside, operators exfiltrate sensitive data, including customer personally identifiable information (PII) and financial records, before demanding ransom payments to prevent public release.
Victims of the campaign include major chains in the retail and hospitality industries across multiple continents. While specific company names have not been publicly disclosed in initial briefings, the scope of the intrusion suggests a broad geographic footprint. Security firms monitoring the threat landscape have noted an increase in similar voice-based phishing attempts over the past several months, indicating a maturing capability within the group's infrastructure.
BlackFile's motivation remains strictly financial. The group operates on an extortion model, leveraging the reputational risk of data breaches to pressure organizations into paying ransoms. This approach differs from state-sponsored espionage, which typically seeks intelligence or strategic advantage. The group's ability to adapt its tactics, moving from traditional email phishing to voice-based social engineering, highlights the evolving nature of cyber threats facing the private sector.
Cybersecurity experts warn that the use of voice channels adds a layer of complexity to defense strategies. Traditional email filters and network monitoring tools are often less effective against real-time audio interactions, requiring organizations to invest in specialized employee training and advanced call verification systems. The timing of the attacks, which intensified in late April 2026, coincides with peak travel and shopping seasons, potentially maximizing the value of stolen data.
As investigations continue, the full extent of the data compromised remains unclear. Law enforcement agencies and private sector defenders are working to identify the specific infrastructure used by BlackFile and disrupt its operations. The group's use of multiple aliases complicates attribution efforts, as different threat intelligence platforms may track the same actors under varying names.
Questions remain regarding the group's ultimate reach and whether additional sectors are currently being targeted. Security professionals advise retail and hospitality organizations to audit their communication protocols and implement stricter verification procedures for any unsolicited requests for access or information. The incident underscores the growing sophistication of cybercriminal groups and the urgent need for adaptive security measures in an increasingly connected global economy.