Skip to content
Zero-dayResolved

MOVEit Transfer mass exploitation (Cl0p)

Cl0p exploited CVE-2023-34362 in Progress Software's MOVEit Transfer to mass-extort over 2,700 organizations, including the BBC, British Airways, and the U.S. Department of Energy.

Part of campaigncl0p mass exploitation
Victim
Progress Software MOVEit Transfer (2,700+ downstream)
Loss
$12.15B
records
95.0M
users
95.0M

In late May 2023, the Russia-speaking extortion crew Cl0p weaponized CVE-2023-34362, a SQL injection zero-day in Progress Software's MOVEit Transfer β€” managed file-transfer software widely used by banks, governments, payroll providers, and law firms to move sensitive data between organizations.

What happened

Cl0p ran the campaign as a mass-exploitation event rather than targeting individual victims: scanners hammered every exposed MOVEit Transfer instance on the public internet, dropped a webshell ("LEMURLOOT"), and exfiltrated databases. Patches landed on 31 May 2023, but by then most victims had already been breached.

Rather than encrypt data, Cl0p chose pure data extortion: organizations were listed on the group's leak site with deadlines, and those who refused to pay saw chunks of their data published over the following months.

Impact

  • 2,700+ organizations confirmed breached, with Emsisoft tracking the long tail through 2024.
  • Estimated 95 million individuals had personal information exposed β€” including U.S. Medicare beneficiaries (via Maximus), UK pension recipients (via Zellis), and German bank customers.
  • Notable named victims: BBC, British Airways, Boots, Aer Lingus, Shell, Sony, Deloitte, EY, PwC, the U.S. Department of Energy, Johns Hopkins University, Maximus.
  • Estimated aggregate cost: $12+ billion (IBM/Ponemon-derived).

Why it matters

MOVEit illustrates upstream supply-chain risk at its purest: a vulnerability in one product, exploited at internet scale, propagating downstream into thousands of organizations that never directly chose MOVEit but depended on a payroll, accounting, or claims-processing partner that did. The campaign also marked the operational maturity of pure data-extortion as a ransomware alternative β€” no encryption, no downtime, just leverage.

Financial impact

Reported costs in USD

Total reported loss
12.15B
USD Β· $12,150,000,000
Ransom paid
$100.0M
  • Ransom paid$100.0M
  • Business loss$4.50B
  • Remediation$7.00B
  • Fines & settlements$550.0M

Timeline

  1. Cl0p begins mass exploitation of CVE-2023-34362, an SQL injection zero-day in MOVEit Transfer.

  2. Progress Software publishes an emergency advisory and patches.

  3. CISA publishes advisory AA23-158A. Cl0p posts the first victims on its leak site.

  4. British Airways, the BBC, and Boots disclose impact via Zellis (a UK payroll provider using MOVEit).

  5. Maximus, a U.S. federal services contractor, discloses breach of up to 11 million records.

  6. Final victim count tops 2,700 organizations and ~95 million individuals worldwide.

Sources

  1. cisa.govhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
  2. progress.comhttps://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
  3. emsisoft.comhttps://www.emsisoft.com/en/blog/45044/unpacking-the-moveit-breach-statistics-and-analysis/

Related incidents

Zero-dayContained

NAIC confirms data breach after Oracle PeopleSoft zero-day exploited by ShinyHunters

The National Association of Insurance Commissioners disclosed on 23 June 2026 that attackers exploited an Oracle PeopleSoft zero-day to access part of its environment, and by 25 June the extortion group ShinyHunters had published the stolen data online, claiming more than 3.1 terabytes.

Victim
National Association of Insurance Commissioners (NAIC)
Supply chainContained

SolarWinds SUNBURST supply-chain compromise (Cozy Bear)

Russian SVR operators trojanized SolarWinds Orion build infrastructure, distributing a backdoored update to 18,000 customers including the U.S. Treasury, Commerce, DHS, State, and Energy departments. The defining state cyberespionage operation of the decade.

Victim
SolarWinds (Orion customers β€” ~18,000 organisations including 9 U.S. federal agencies and Microsoft, FireEye, Mimecast)
Loss
$100.00B