Qilin ransomware has listed the Church of Scientology on its dark web leak site, claiming responsibility for a breach and publishing 22 screenshots as proof of access. The group has not disclosed how much data it allegedly stole or how the breach took place.
Analysis of the leaked screenshots
The screenshots shared by Qilin point to internal access within Advanced Organisation Saint Hill UK (AOSH UK), one of the Church’s major hubs. Multiple documents show visa processing records for religious staff, including named individuals applying for UK Religious Worker visas.
Several approvals outline exact amounts allocated for immigration costs, including £2,600, £4,500 and £1,800 per person. One consolidated summary shows over £11,500 approved for multiple visa applications in a single funding cycle. These documents include dates, internal sign-offs, staff names, and departmental references, suggesting access to internal HR and finance workflows.
Another large portion of the leaked material relates to operational spending, mailing campaigns, and event logistics. One set of files details a £30,000 budget request for weekly letters, mass mailers to 4,000 recipients, calendar shipping, and holiday card distribution to 12,000 people.
Additional records authorise £6,351 for international mail fulfillment and postage. Event logistics documents list AV equipment purchases and rentals worth £6,000 for large-scale events, as well as £1,550 for TV screens, stands, and speakers for New Year’s activities. These approvals provide visibility into campaign planning, procurement, and internal financial controls.
Security planning appears heavily represented in the exposed data. Two separate spreadsheets outline security budgets for 2024 and 2025 with combined totals approaching £100,000. The entries include patrol and bomb detection dog services, executive protection teams, additional vehicles, local security contractors, ambulances, radios, fencing, metal detectors, perimeter construction, and gate handling.
Individual line items show allocations such as £74,326 for executive protection teams, £29,217 for local perimeter security, and thousands more for dog search operations, logistics vehicles, and temporary surveillance installations. Each entry includes responsible officers and approval status, which indicates that this data originated from structured internal budget systems rather than random files.
Several screenshots also expose financial invoices and banking details. One invoice from a Czech firm billed €12,565 for 75 hours of self-improvement and communication counselling, complete with IBAN and SWIFT details of the recipient account. Other internal purchase orders show funds set aside for admin supplies, religious materials, and document processing systems used within the organisation.
Personal and member-related data is also visible. One “Saint Hill Services Questionnaire” contains a handwritten full name, service selections, and intent to join specific internal programs. A separate handwritten intake form lists travel history, prior course participation, local organisation, and internal case history.
Another spreadsheet titled “Latinoles Clear Band November 2025” lists dozens of individuals from Argentina, Brazil, Chile, and Colombia, showing full names, phone numbers, processing levels, balances, travel history, and internal status notes. If authentic, this exposes sensitive personal data linked to religious participation and internal classification.
There is also material linked to internal governance. One ethics report references internal payment arrangements between members and includes a signed verification. These types of documents are not normally public and indicate access to administrative or compliance-related storage.
Taken together, the screenshots do not show login portals or credentials. Instead, they show structured access to internal document repositories containing finance, HR, security, and member management material. If genuine, this would indicate a compromise at the file server, shared drive, or document management level rather than a single individual endpoint.
About Qilin Ransomware
Qilin Ransomware, also known earlier as Agenda, surfaced in mid-2022 and operates under a ransomware-as-a-service (RaaS) model. The group is widely believed to be Russian-based or Russian speaking, based on underground forum activity and victim targeting patterns.
Like most modern extortion groups, Qilin runs a double extortion model that combines file encryption with data theft. Victims are pressured to pay to recover systems and to stop leaked data from being published.
Qilin affiliates typically gain access through stolen credentials, exposed remote services, or phishing. Once inside, they move laterally, extract large volumes of data, disable recovery systems, and then deploy ransomware at scale. Victims who refuse to pay are listed on Qilin’s leak portal with sample files published as leverage.
Over the past two years, Qilin has been linked to attacks across healthcare, manufacturing, public services, and infrastructure sectors. In the UK, the group gained global attention after an attack that disrupted medical diagnostics services. In June 2025, UK authorities confirmed the death of a patient linked to Qilin ransomware’s June 2024 attack on the NHS.
Internationally, it has also claimed victims in logistics, professional services, and large enterprise environments. By 2025, threat tracking groups list Qilin among the more active ransomware operations worldwide.
Status of the Scientology Claim
At this stage, the alleged breach of the Church of Scientology remains unverified. The only public evidence consists of the screenshots published by Qilin on its leak site. No independent forensic confirmation has been issued, and no data archives have been publicly released for external validation. The screenshots do appear internally consistent across budgeting, form templates, signatures, and departmental naming conventions tied to AOSH UK.
Hackread.com has contacted the Church of Scientology for comment. If confirmed, the scope of exposure would include sensitive financial planning, security operations, staff immigration records, and personal information of members.
Until confirmation is received or additional data is released, the incident remains a claim supported only by attacker-supplied material. Further updates will follow as the situation develops.