VanHelsing ransomware gang leaks own source code after developer tries to sell it

The VanHelsing ransomware-as-a-service (RaaS) operation has publicly released the source code for its Windows encryptor builder, affiliate panel, and data leak site after a former developer attempted to sell the tools on a dark web forum.

The leak was triggered early this morning after a user known as ‘th30c0der’ posted on the RAMP cybercrime forum offering the VanHelsing source code, including Tor site keys, web panel, chat system, file server, and blog database, for $10,000. According to the post, the package included builders for both Windows and Linux ransomware variants.

VanHelsing, which launched in March 2025, has since claimed at least eight victims, as reported by Ransomware.live. The group has promoted its ability to target a wide range of systems, including Windows, Linux, BSD, ARM, and ESXi environments.

Shortly after the attempted sale, the VanHelsing operators responded by releasing the source code themselves. “Today we are announcing that we are publishing the old source codes and will soon come back with the new and improved version of the locker (VanHelsing 2.0),” they posted on RAMP, accusing th30c0der of being a former developer trying to scam buyers.

Cybersecurity researcher Emanuele De Lucia was the first to report the incident. BleepingComputer later confirmed that the leaked archive includes legitimate source code for the Windows encryptor builder, the affiliate management panel, and the Tor-hosted data leak site. Notably, the Linux builder and associated databases appear to be missing from the release.

The leaked Windows builder code is disorganized, with Visual Studio project files placed in the ‘Release’ folder, which is typically reserved for compiled binaries, making it more difficult to use without modification. However, the release does include the source code for the affiliate panel, which connects to the builder through an API, meaning cybercriminals could repurpose the system with some technical effort.

In addition to the encryptor, the leak includes a decryptor, loader, and early-stage code for a master boot record (MBR) locker designed to overwrite the MBR with a custom bootloader that displays a ransom message.
