Heading to SLEUTHCON: Vanishing Act, BlackFile, and the Rebrand That Wasn't

I’m excited to be heading to SLEUTHCON this Friday to speak about some of our team’s latest research.

In early 2026, the extortion brand BlackFile (UNC6671) quietly became one of the most impactful and under-reported threat actors of the year. They targeted dozens of organizations and made millions in the process by leveraging stealthy mechanics like live AiTM vishing to bypass MFA and API manipulation to blind SOCs. When victims didn’t pay, they escalated to extreme tactics like corporate swatting.

But the real story is their chaotic disappearance and bizarre resurrection.

In early May, BlackFile operators announced a shutdown, vanished mid-negotiation, and dropped offline. Days later, a new leak site dubbed “Redact” surfaced. While it was claimed to be a rebrand, our investigation uncovered red flags.

Was BlackFile scared into retirement? Did another actor take over the brand? Or is this just another chaotic rebrand?

In this 10-minute lightning talk, I’ll take you inside the GTIG investigation into UNC6671 to break down the mechanics of their campaigns and show how underground drama can derail a multimillion-dollar cybercrime empire.

There are only a few seats left for the in-person event in Arlington, VA, but a virtual stream is also available. Hope to see you there.


Originally posted on LinkedIn