The ransomware-as-a-service operation VanHelsing has made public the source code of its affiliate panel, data leak blog, and Windows encryptor builder. This happened after a former developer attempted to sell the code on the RAMP cybercrime forum.
This was reported by BleepingComputer. VanHelsing started in March 2025 and targets systems running Windows, Linux, BSD, ARM, and ESXi. Since its launch, the group has had some success, with eight known victims according to Ransomware.live.
Early this morning, a user with the pseudonym ‘th30c0der’ attempted to sell the source code. He offered the Tor keys, the control panel, a chat function, a file server, and the database for $10,000.
VanHelsing 2.0 coming soon
According to security researcher Emanuele De Lucia, the VanHelsing operators decided to publish the code themselves. They stated that th30c0der is a former developer who is trying to scam others. In their message, they also said they would return soon with an improved version: VanHelsing 2.0.
However, the leaked data is less complete than what th30c0der claims to possess. For example, the Linux builder and databases, which would be valuable to law enforcement agencies and security researchers, are missing.
BleepingComputer has gained access to the leaked files and confirms that the Windows builder and the source code for the affiliate panel and data leak platform are genuine. The source code of the builder is messy: the Visual Studio project files are located in the Release folder, which is normally intended for compiled files.
Although the builder is functional, using it requires additional steps. The builder connects to the affiliate panel at IP address 31.222.238[.]208 to retrieve data. Because the source code for this panel is also included in the leak, malicious actors could modify the code or run their own version to get the builder working.
The archive also contains the source code of the Windows encryptor, which can be used to build a standalone version, as well as a decryptor and a loader. The files also reveal that the group was working on an MBR locker that replaces the master boot record and displays a lock message at startup.
Ransomware source code has leaked before
This is not the first time that the source code of a ransomware builder has been leaked. In June 2021, something similar happened with Babuk, which led to its widespread use against VMware ESXi servers, among others. In March 2022, Conti’s source code was made public after a data breach. And in September of the same year, the LockBit builder was leaked, presumably by a dissatisfied developer.