BlackFog, a cybersecurity firm that tracks ransomware activity, named Qilin the most active brand in its State of Ransomware report for June 2026, at 16% of undisclosed attacks and 8% of disclosed. The June ranking marks Qilin's second consecutive monthly lead, after it also led BlackFog's May tally , and it held even as Europol's Operation Saffron disrupted around 25 gangs in May . 1
Qilin's run through that enforcement pressure points at its affiliate-recruitment model. Affiliates are the freelance operators who carry out attacks using a brand's tooling in exchange for a cut. As takedowns strand affiliates from smaller crews, the largest recruiter absorbs them rather than shrinking. Saffron hit the infrastructure of two dozen operations; it did not touch the labour market they draw from, and that is the gap the June figures expose.
