MOVEit Transfer mass exploitation (Cl0p)

In late May 2023, the Russia-speaking extortion crew Cl0p weaponized CVE-2023-34362, a SQL injection zero-day in Progress Software's MOVEit Transfer — managed file-transfer software widely used by banks, governments, payroll providers, and law firms to move sensitive data between organizations.

What happened

Cl0p ran the campaign as a mass-exploitation event rather than targeting individual victims: scanners hammered every exposed MOVEit Transfer instance on the public internet, dropped a webshell ("LEMURLOOT"), and exfiltrated databases. Patches landed on 31 May 2023, but by then most victims had already been breached.

Rather than encrypt data, Cl0p chose pure data extortion: organizations were listed on the group's leak site with deadlines, and those who refused to pay saw chunks of their data published over the following months.

Impact

2,700+ organizations confirmed breached, with Emsisoft tracking the long tail through 2024.
Estimated 95 million individuals had personal information exposed — including U.S. Medicare beneficiaries (via Maximus), UK pension recipients (via Zellis), and German bank customers.
Notable named victims: BBC, British Airways, Boots, Aer Lingus, Shell, Sony, Deloitte, EY, PwC, the U.S. Department of Energy, Johns Hopkins University, Maximus.
Estimated aggregate cost: $12+ billion (IBM/Ponemon-derived).

Why it matters

MOVEit illustrates upstream supply-chain risk at its purest: a vulnerability in one product, exploited at internet scale, propagating downstream into thousands of organizations that never directly chose MOVEit but depended on a payroll, accounting, or claims-processing partner that did. The campaign also marked the operational maturity of pure data-extortion as a ransomware alternative — no encryption, no downtime, just leverage.

Timeline

May 27, 2023

Cl0p begins mass exploitation of CVE-2023-34362, an SQL injection zero-day in MOVEit Transfer.

May 31, 2023

Progress Software publishes an emergency advisory and patches.

June 7, 2023

CISA publishes advisory AA23-158A. Cl0p posts the first victims on its leak site.

June 15, 2023

British Airways, the BBC, and Boots disclose impact via Zellis (a UK payroll provider using MOVEit).

July 19, 2023

Maximus, a U.S. federal services contractor, discloses breach of up to 11 million records.

December 31, 2024

Final victim count tops 2,700 organizations and ~95 million individuals worldwide.

Related incidents

WiperResolvedJune 27, 2017

NotPetya destructive wiper

A destructive wiper disguised as ransomware, propagated via a compromised Ukrainian accounting software update. Estimated $10 billion in global damage — the most economically destructive cyberattack in history.

Victim: M.E.Doc users (Maersk, Merck, FedEx-TNT, Mondelez, Saint-Gobain et al.)
Loss: $10.00B

Supply chainContainedDecember 13, 2020

SolarWinds SUNBURST supply-chain compromise (Cozy Bear)

Russian SVR operators trojanized SolarWinds Orion build infrastructure, distributing a backdoored update to 18,000 customers including the U.S. Treasury, Commerce, DHS, State, and Energy departments. The defining state cyberespionage operation of the decade.

Victim: SolarWinds (Orion customers — ~18,000 organisations including 9 U.S. federal agencies and Microsoft, FireEye, Mimecast)
Loss: $100.00B

Vulnerability exploitResolvedSeptember 7, 2017

Equifax data breach

An unpatched Apache Struts vulnerability let attackers exfiltrate Social Security numbers, dates of birth, addresses, and driver's license numbers for 147 million U.S., U.K., and Canadian consumers.

Victim: Equifax
Loss: $1.38B
Records: 147.9M

RansomwareContainedMay 12, 2017

WannaCry ransomware worm

A North Korean ransomware worm that exploited the EternalBlue SMB vulnerability to spread to ~200,000 systems across 150 countries in 24 hours. Paralysed the U.K.'s NHS and crippled manufacturing globally.

Victim: ~200,000 organizations worldwide (UK NHS, Telefónica, Renault, Deutsche Bahn, Honda et al.)
Loss: $6.00B