Nike's Crown Jewel in Criminal Hands
I won't sugarcoat it: Nike has a serious problem. Criminal group WorldLeaks claims to have stolen 1.4 terabytes of data from the company, including what could be the brand's most valuable asset: unreleased Jordan Brand designs.
We're talking about 188,347 files covering the period 2020-2026. Among them, according to samples published by the attackers: designs for the Jordan SP27 collection (not yet launched), tech packs with complete technical specifications, bills of materials and costs, and internal documentation on manufacturing processes.
My verdict is clear: if this data reaches the counterfeit market, Nike will face perfect replicas of products before they even hit stores.
Who Is WorldLeaks and Why Should You Care
Cybercrime's Most Dangerous Rebrand
WorldLeaks isn't a new group. It's the rebrand of Hunters International, which itself emerged from the ashes of Hive, dismantled by authorities in 2023.
But here's the twist: in November 2024, Hunters International announced they were shutting down. They cited that the ransomware business had become "unpromising, low-converting, and extremely risky."
On January 1, 2025, they were reborn as WorldLeaks with a completely different model.
The New Model: Encryption-Free Extortion
Here's what makes WorldLeaks especially dangerous:
| Traditional Ransomware | WorldLeaks (New Model) |
|---|---|
| Encrypts files + steals data | ONLY steals data |
| Demands payment to decrypt | Demands payment to NOT publish |
| Leaves systems inoperable | Systems keep running |
| Easy to detect | Harder to detect |
| Greater legal pressure | Smaller technical footprint |
What most guides won't tell you is that this model is more profitable for criminals. They don't need to deal with the technical complexities of encryption, they leave no obvious evidence of their presence, and companies have fewer incentives to report because "technically" their operations weren't disrupted.
What Exactly Was Stolen From Nike
The 1.4TB Breakdown
According to samples published by WorldLeaks before removing Nike's entry from their site:
Jordan Brand Intellectual Property:
- Schematics for the SP27 collection (upcoming releases)
- Tech packs with complete technical specifications
- Bills of Materials (materials lists and costs)
Operations and Supply Chain:
- "Garment Making Process" documents
- "Training Resource - Factory" materials
- Factory audits
- Manufacturing partner information
Internal Documentation:
- Strategic presentations
- Folders labeled "Women's Sportswear" and "Men's Sportswear"
The Value of What Was Stolen
To put this in perspective: Jordan Brand generates over $7 billion annually for Nike. It represents 13% of the company's total revenue.
Jordan designs are trade secrets. Every pair of sneakers you see in stores went through years of development, prototyping, and adjustments. Having access to complete tech packs means being able to create replicas indistinguishable from the original.
Timeline of the Attack
| Date | Event |
|---|---|
| January 22, 2026 | WorldLeaks lists Nike on their dark web leak site |
| January 24, 2026 | Announced deadline for releasing the data |
| January 26, 2026 | Nike publicly confirms it's investigating the incident |
| Post-January 26 | WorldLeaks REMOVES Nike's entry from their site |
That last point is crucial. The removal of the entry suggests one of two things:
- Nike is actively negotiating
- Nike already paid to have the documents removed
Nike's Response: Calculated Silence
Nike's official statement was minimalist:
"We always take consumer privacy and data security very seriously. We are investigating a potential cybersecurity incident and are actively assessing the situation."
They didn't confirm or deny the criminals' claims. They didn't specify what data was stolen. They didn't comment on whether they're negotiating or have paid.
After X months covering corporate cyberattacks, I recognize this strategy: say as little as possible while negotiating in the background.
The Context: A Wave of Attacks on Luxury Brands
Nike isn't alone. 2025-2026 has been devastating for fashion and luxury brands:
| Brand | Date | Attacker | Impact |
|---|---|---|---|
| Under Armour | January 2026 | Everest Ransomware | 72.7 million accounts |
| Louis Vuitton | July 2025 | ShinyHunters | UK, Korea, Turkey customers |
| Dior | May 2025 | Third party | Asia (Korea, China) |
| Gucci (Kering) | 2025 | ShinyHunters | Names, addresses, spending |
| Marks & Spencer | April 2025 | Scattered Spider | £300 million in losses |
Under Armour deserves special attention: the Everest group leaked 343 GB of data including names, emails, birthdates, and purchase history of 72.7 million users. A class action lawsuit is already underway in Texas.
Why Fashion Brands Are Targets
If you ask me directly, there are five reasons:
- High-value customers: Celebrities, executives, diplomats
- Premium data: Information worth more on the dark web
- Outdated infrastructure: Legacy systems not updated
- Global supply chains: Multiple entry points
- Reputational pressure: Brands willing to pay to avoid scandals
The Counterfeit Problem: Why This Is Catastrophic for Nike
Nike Is Already the World's Most Counterfeited Brand
Before this breach, Nike already faced a massive problem:
- 83-92% of all counterfeit seizures come from China
- Putian, China: An entire city specialized in counterfeiting Nike since the 80s
- Nike won a $1.8 billion judgment against Chinese counterfeiters (unenforceable)
- The global counterfeit market exceeds $1.2 trillion
Now imagine what happens when counterfeiters have access to:
- Exact technical specifications
- Original material lists
- Designs for products not yet released
I won't sugarcoat it: replicas could hit the market before the originals.
Statistics You Should Know
Cost of Data Breaches in 2025-2026
| Metric | Value |
|---|---|
| Average breach cost (global) | $4.44 million |
| Average breach cost (U.S.) | $10.22 million |
| Average time to detect | 181-195 days |
| Average time to contain | 60-65 days |
| Total breach cycle | 241 days |
Ransomware and Extortion: 2024-2026 Trends
| Metric | Data |
|---|---|
| % of companies paying ransom | 25-37% (vs 85% in 2019) |
| Average payment | $1 million (down 50% vs 2024) |
| % that DON'T recover data after paying | 84% |
| % attacked again after paying | 69% |
That last statistic is particularly revealing: paying guarantees nothing. And if you pay, you have almost a 70% chance of being attacked again.
What This Means for Businesses
Lessons from the Nike Case
1. Intellectual Property Is the New Target
It's no longer just about customer data. Attackers are going after high-value assets: designs, formulas, strategies, source code. This requires rethinking which data to protect with the highest priority.
2. Encryption-Free Extortion Is Harder to Detect
If your systems keep running normally, how do you know you're being robbed? With no encryption step to trip them, traditional ransomware detection tools don't work here.
3. Silence Isn't a Strategy
Nike is playing the silence game, but eventually they'll have to explain what happened. Companies that communicate proactively tend to fare better in the long run.
What You Can Do Today
If you run a company with valuable intellectual property:
- Audit your DLP (Data Loss Prevention): Would you detect massive data exfiltration?
- Segment your network: Product designs shouldn't be on the same network as email
- Monitor outbound traffic: Exfiltrating 1.4TB leaves traces if you know where to look
- Have a response plan: Don't improvise when the fire is already burning
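To make the outbound-traffic point concrete, here is an added example (not from Nike or any vendor) that scans flow records for two exfiltration patterns: a one-day burst far above a host's own baseline, and a steady drip to a single external destination. The address ranges, the sanctioned backup target, the thresholds and the flow records are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

GB = 10**9
INTERNAL = ip_network("10.0.0.0/8")      # assumption: internal address space
SANCTIONED = frozenset({"192.0.2.10"})   # assumption: approved off-site backup target

# Constructed flow records: (day, src_ip, dst_ip, bytes_out)
FLOWS = (
    [(d, "10.1.1.5", "203.0.113.9", 2 * GB) for d in range(1, 6)]
    + [(6, "10.1.1.5", "203.0.113.9", 400 * GB)]                        # one-day burst
    + [(d, "10.2.2.8", "198.51.100.7", 60 * GB) for d in range(1, 11)]  # steady drip
    + [(d, "10.3.3.3", "192.0.2.10", 300 * GB) for d in range(1, 11)]   # nightly backup
    + [(d, "10.1.1.5", "10.3.3.3", 900 * GB) for d in range(1, 3)]      # internal only
)

def find_exfil(flows, sanctioned=SANCTIONED, ratio=10,
               day_floor=50 * GB, total_floor=500 * GB):
    """Return sorted alerts for burst and low-and-slow outbound transfers."""
    per_day = defaultdict(lambda: defaultdict(int))  # src -> day -> bytes
    per_dest = defaultdict(int)                      # (src, dst) -> bytes
    for day, src, dst, nbytes in flows:
        # Only internal -> external traffic to unsanctioned destinations counts.
        if ip_address(src) not in INTERNAL or ip_address(dst) in INTERNAL:
            continue
        if dst in sanctioned:
            continue
        per_day[src][day] += nbytes
        per_dest[(src, dst)] += nbytes
    alerts = []
    for src, days in per_day.items():
        for day, nbytes in days.items():
            # Baseline is the host's own median on its other days (0 if none).
            others = [b for d, b in days.items() if d != day]
            base = median(others) if others else 0
            if nbytes >= day_floor and nbytes > ratio * base:
                alerts.append(("spike", src, day, nbytes))
    for (src, dst), total in per_dest.items():
        # A steady drip never spikes, so also cap the total sent to one destination.
        if total >= total_floor:
            alerts.append(("cumulative", src, dst, total))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in find_exfil(FLOWS):
        print(alert)
```

The drip host never exceeds its own daily baseline, so only the per-destination total catches it; the sanctioned list is what keeps the nightly backup from drowning out both alerts.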
Impact on Nike Stock
Surprisingly, Nike shares remained relatively flat after the announcement:
- Current price: ~$63.09
- Average analyst target: $76.38 (21% below)
- 30-day return: +3.5%
Why no panic selling? The market had already priced in other Nike problems: competition from Chinese brands, internal restructuring, and layoffs of 775 employees at distribution centers.
The breach is a serious problem, but not the only one the company faces.
My Verdict
After analyzing this case, my conclusion is clear:
Nike has three possible scenarios:
- Best case: They negotiated, the data was deleted, and they strengthen their security without anything leaking
- Middle case: Some data leaks, Jordan SP27 counterfeits appear before launch, damage contained
- Worst case: Everything leaks, designs for 6 years of future products are exposed, Jordan Brand's competitive advantage evaporates
The fact that WorldLeaks removed the entry suggests we're in scenario 1 or in active negotiation. But even if Nike paid, the data has already been copied. The question isn't whether it will leak, but when.
For businesses reading this: the encryption-free extortion model is the future of corporate cybercrime. It's stealthier, more profitable for attackers, and harder to detect. If you don't have visibility into what's leaving your network, you're already losing.
The era of protecting only the perimeter is over. Now you have to assume you've already been infiltrated and act accordingly.




