Devman Ransomware Group Claims Full Breach of Major Adult Entertainment Platform cacd.com

By Ashish S

Devman Ransomware Hits cacd.com: 200 GB of Performer IDs, User Data, Financials and Source Code Already Leaked in Aggressive Seven-Day Extortion

December 1, 2025 – 18:40 UTC

In what is shaping up to be one of the most damaging ransomware incidents ever to strike the adult entertainment sector, the Devman ransomware operation has claimed full compromise of CACD Media Ltd, the Delaware-registered company behind the premium adult platform cacd.com and its network of affiliated tube and paysites.

At 09:12 UTC today, Devman updated its dark-web leak site with a new victim entry titled “cacd.com – FULLY OWNED” accompanied by fifteen downloadable proof-pack archives totaling more than 200 GB when extracted. Independent researchers who analyzed the samples confirm the archives contain unredacted passport and driver-license scans of thousands of performers, complete MSSQL dumps of the membership database, Stripe and CCBill transaction logs from 2022–2025, private DM conversations, performer direct-deposit details, AWS access keys, and the entire Git repository history for the platform’s streaming, DRM, and billing systems.

Detailed Attack Chain (Reconstructed Timeline)

  • November 18, 2025 – Initial Access
    Attackers scanned for exposed RDP (port 3389) and discovered a Windows 2022 jump-box that had been spun up during a recent data-center migration. The server still used the default Administrator account with password “Cacd2025!” – a credential that was never rotated after go-live.
  • November 19–21 – Lateral Movement & Persistence
    From the jump-box the actors dumped LSASS with a publicly available Mimikatz variant, obtained domain admin rights, and deployed Cobalt Strike beacons on three domain controllers and the primary Veeam Backup server.
  • November 24 – Backup Sabotage
    The attackers exploited CVE-2024-40711 in Veeam Backup & Replication 12.1.0.1327 (unpatched despite warnings issued in September 2024), which allowed extraction of all stored credentials in plain text and the permanent deletion of every off-site backup job. Immutable backups in Wasabi were also deleted after the attackers used stolen IAM keys.
  • November 26–27 – Data Exfiltration
    Over 48 hours, 4.8 TB of raw data was exfiltrated via rclone to Mega and an attacker-controlled Amazon S3 bucket in Frankfurt. Compression reduced the final stash to approximately 1.1 TB.
  • November 28, 03:17 UTC – Encryption Phase
    Devman’s custom ransomware binary (SHA-256: a3f1e9b8c74d…) was executed via PsExec on 487 Windows VMs and physical hosts. Encryption completed in 8 hours and 41 minutes. The ransomware appends the .devman extension and drops a ransom note named HOW_TO_DECRYPT.txt demanding $150,000 USD in Bitcoin.
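A detection sketch for the encryption-phase indicators named above (the .devman extension and the HOW_TO_DECRYPT.txt note), added here as an illustration and not taken from the article or any vendor tooling; the flattened event format, hostnames, paths and the burst threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
RANSOM_EXT = ".devman"              # extension the article reports
RANSOM_NOTE = "how_to_decrypt.txt"  # note name the article reports (compared case-insensitively)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed sample: Sysmon-style FileCreate events flattened to
# "timestamp host process path". Hostnames, process and paths are invented.
SAMPLE_EVENTS = r"""
2025-11-28T03:17:02Z DB01 C:\Windows\Temp\svc_update.exe D:\shares\contracts\a.pdf.devman
2025-11-28T03:17:02Z DB01 C:\Windows\Temp\svc_update.exe D:\shares\contracts\b.pdf.devman
2025-11-28T03:17:03Z DB01 C:\Windows\Temp\svc_update.exe D:\shares\contracts\c.docx.devman
2025-11-28T03:17:04Z WEB01 C:\nginx\nginx.exe C:\nginx\logs\access.log
2025-11-28T03:17:05Z DB01 C:\Windows\Temp\svc_update.exe D:\shares\ids\p001.jpg.devman
2025-11-28T03:17:06Z DB01 C:\Windows\Temp\svc_update.exe D:\shares\ids\p002.jpg.devman
2025-11-28T03:17:07Z DB01 C:\Windows\Temp\svc_update.exe D:\shares\HOW_TO_DECRYPT.txt
2025-11-28T03:25:00Z DB01 C:\Windows\Temp\svc_update.exe D:\shares\ids\p003.jpg.devman
malformed line
"""

def parse_event(line):
    """Parse one flattened event; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "host": m.group(2), "proc": m.group(3), "path": m.group(4)}

def detect(lines, burst=5, window_s=60):
    """Return alerts for ransom-note drops and per-host bursts of .devman creates.
    burst=5 is sized for the sample; a production threshold would be far higher."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # host -> timestamps of recent .devman creates
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        name = ev["path"].rsplit("\\", 1)[-1].lower()
        if name == RANSOM_NOTE:
            alerts.append(("ransom_note", ev["host"], ev["proc"], ev["path"]))
        elif name.endswith(RANSOM_EXT):
            q = recent[ev["host"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > timedelta(seconds=window_s):  # drop stale entries
                q.popleft()
            if len(q) >= burst and ev["host"] not in flagged:
                flagged.add(ev["host"])
                alerts.append(("mass_rename", ev["host"], ev["proc"], len(q)))
    return alerts

def run_sample():
    return detect(SAMPLE_EVENTS.splitlines())
```

On the sample, DB01 trips the burst rule at the fifth .devman create and then the note rule; the later lone rename after the window expires raises nothing, and WEB01 never appears.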

Scope of Compromised Data

The published proof packs alone contain:

  • Over 19,400 performer identity documents (passports, driver licenses, and 225 selfies of performers holding their ID)
  • Full membership database (18.7 million rows) with plaintext emails, bcrypt hashes, IP addresses, and subscription history
  • Complete 2023–2025 financial ledgers showing revenue split per performer and per country
  • Private message archives (estimated 400+ million rows)
  • Internal Jira, Confluence, and Bitbucket instances with API tokens
  • Source code for the proprietary video streaming stack written in Node.js and Go
  • Unredacted contracts containing real names, addresses, and social security numbers of top-earning creators

Devman’s Extortion Model

Unlike double-extortion groups that negotiate for weeks, Devman enforces a strict seven-day policy: pay exactly $150,000 within 168 hours or the entire dataset is released publicly and offered for sale on underground markets. The group has followed through on every previous deadline since its first appearance in July 2025, earning a reputation for ruthless efficiency.

Current Status and Response

As of 18:00 UTC December 1, cacd.com and most affiliated sites remain online, indicating the attackers deliberately spared public-facing web servers to maintain victim revenue (and pressure). Backend administrative panels, encoding farms, and payment-processing servers, however, remain encrypted.

CACD Media Ltd has retained Kroll Cyber Risk and Mandiant for incident response and is cooperating with the FBI’s Internet Crime Complaint Center (IC3) and the Dutch National High Tech Crime Unit due to the European data-center footprint. No public statement has been issued, and customer support lines are reportedly overwhelmed with inquiries.

Broader Implications for the Adult Industry

This breach exposes systemic weaknesses that have plagued the adult sector for years: heavy reliance on legacy Windows environments, widespread use of RDP for remote management, inadequate patching of backup software, and storage of performer identity documents in easily accessible network shares to streamline age-verification workflows.

Regulatory fallout is almost certain. European performers whose biometric data was exposed can file GDPR Article 82 claims seeking up to 4% of global turnover. California-resident users and creators may trigger CCPA litigation. Payment processors and banks that handled transactions may face secondary liability if stolen card data surfaces later.

Who Are Devman?

Devman is believed to be a splinter or rebrand of former Conti and LockBit affiliates who grew frustrated with larger cartels’ bureaucratic negotiation processes. The group operates a lean infrastructure with only two public-facing onions and uses a custom Go-based ransomware payload that is still undetected by most antivirus engines at time of deployment. Victimology shows a preference for mid-sized companies (revenue $50M–$500M) that can afford six-figure ransoms but often lack mature security programs.

With cacd.com now in the crosshairs and only six days remaining on the countdown timer prominently displayed on Devman’s leak site, the adult entertainment industry braces for what could become the most explosive data dump of 2025 if the ransom remains unpaid.

Ashish S
Ashish is a Cybersecurity Student with over 2 years of experience in Cybersecurity Research, Bug Bounty hunting and programming.