

Discovered 2025-07-30 09:56 UTC
Est. attack date 2025-07-30
Country US

Description:

Dollar Tree, a Fortune 200 Company, operated 16,774 stores across 48 states and five Canadian provinces as of February 3, 2024. Stores operate under the brands of Dollar Tree, Family Dollar, and Dollar Tree Canada. To learn more about the Company, visit www.DollarTree.com. Dollar Tree, Inc. (NASDAQ: DLTR) announced that it acquired designation rights for 170 leases of 99 Cents Only Stores across Arizona, California, Nevada, and Texas. The deal was completed via two transactions in May that were approved by the United States Bankruptcy Court for the District of Delaware. As part of the transactions, Dollar Tree also acquired the North American Intellectual Property of 99 Cents Only Stores and select on-site furniture, fixtures, and equipment. They became a victim of a data breach. 1,2TB of sensitive and personal data will be published soon on our blog.

Infostealer activity detected by HudsonRock

Compromised Employees: 2

Compromised Users: 4888

Third Party Employee Credentials: 10


External Attack Surface: 101


DNS Records:

The following DNS records were found for the victim's domain.

WHOIS Emails
  • domain.operationsweb.com
MX Records
  • mxa-00183e01.gslb.pphosted.com. Proofpoint
  • mxb-00183e01.gslb.pphosted.com. Proofpoint
TXT Records
  • v=spf1 ip4:66.159.249.102 ip4:66.159.251.73 ip4:67.231.157.40 ip4:67.231.149.42 ip4:142.215.34.173 ip4:142.215.34.172 ip4:142.215.34.174 ip4:142.215.34.169 ip4:12.104.201.5 ip4:144.34.125.53 ip4:144.34.126.12 ip4:144.34.125.52 ip4:208.72.182.139 ip4:12.129.29.143 ip4:147.160.167.14 ip4:147.154.32.116 include:spf1.worldapp.com a:iadmail.benefitfocus.com a:b.spf.service-now.com a:c.spf.service-now.com a:smtp01.sumtotalsystems.com include:_spf.atoracle.com -all
Cloud / SaaS Services Detected
  • Apple
  • Amazon SES/WorkMail
  • Microsoft 365
  • DocuSign
  • ServiceNow
  • Proofpoint
