LIVE NEWSROOM · May 31, 2026

Play Ransomware Claims MyPillow Breach; CEO Lindell Calls It a Hit Job


The Play ransomware gang (a financially motivated cybercriminal group active since June 2022 that has targeted more than 300 organisations across North America, South America, and Europe, including critical infrastructure sectors) listed MyPillow, Inc. — the bedding company founded by Mike Lindell — on its public extortion portal on May 26, 2026, claiming to have stolen private and personal data including payroll records, tax information, and government identification documents. The gang has set a deadline of May 31, 2026, after which it threatens to publish the full stolen dataset publicly. Mike Lindell, MyPillow's CEO, has denied any breach occurred, calling the listing a politically motivated "hit job" connected to his campaign for Minnesota Governor. Neither the breach nor its denial has been independently verified as of publication.

// 01 Play Ransomware: Technical Profile and Threat Context

Play ransomware (also tracked as PlayCrypt) is a RaaS (Ransomware-as-a-Service — a model where a core development team builds the ransomware software and rents it to affiliate operators who conduct the actual attacks, splitting ransoms with the developers) operation with a documented history of sophisticated intrusion techniques. Unlike ransomware groups that rely primarily on phishing emails, Play has repeatedly demonstrated the ability to exploit public-facing application vulnerabilities to gain initial access — including CVE-2022-41082 (Microsoft Exchange ProxyNotShell) and Fortinet SSL-VPN vulnerabilities — before moving laterally through target networks.

According to a CISA joint advisory (aa23-352a), Play ransomware uses a double-extortion model: encrypting victim files and simultaneously threatening to publish stolen data on its public leak site if the ransom is not paid. This dual-pressure tactic has proven effective even against organisations with robust backups that could otherwise recover without paying — the threat of public data exposure creates a separate, independent incentive to negotiate.

A significant development documented by Palo Alto Networks Unit 42 in 2025 adds geopolitical complexity: Play ransomware operators were observed collaborating with Jumpy Pisces (also tracked as Andariel and Onyx Sleet — a North Korean threat group that operates under the Reconnaissance General Bureau, North Korea's primary intelligence agency). The collaboration appeared financially motivated rather than ideologically directed, but it means Play affiliates may have access to North Korean TTPs (Tactics, Techniques, and Procedures — the methods threat actors use to conduct attacks), including sophisticated lateral movement techniques.

// 02 The MyPillow Listing: What Play Claims

Play's leak site entry for MyPillow (posted May 26, 2026) claims the gang stole:

  • Private and personal confidential data
  • Client documents
  • Budget information
  • Payroll records
  • Government IDs
  • Tax information
  • Finance information

The listing does not specify the volume of data, a specific breach date, or technical details of the intrusion method. Play's standard operational procedure is to post a teaser on the leak site with a deadline (typically 5–7 days), then publish everything if the ransom is not paid. The May 31, 2026 deadline gives MyPillow approximately five days from listing to resolution.

Payroll and government ID data are particularly sensitive breach categories. Payroll records expose employee Social Security numbers, bank account details, and salary information. Government IDs (driver's licences, passports, or employee identification documents) can be used for identity theft, fraudulent tax filings (W-2 and 1040 fraud), and benefit claim fraud.

// 03 Lindell's Response and the Verification Gap

Mike Lindell's public statements on the Play listing are categorical:

  • "Nobody's asked us for any ransom" — contradicts Play's standard extortion-first model, where ransom demands are typically delivered privately before or simultaneously with leak site listings
  • Claims MyPillow is "the most secure company in this country"
  • States the attack is "another hit job by outside sources because I'm running for governor"
  • Says MyPillow does not store sensitive data internally, relying instead on third-party providers

However, no independent technical verification supports either the breach claim or the denial. Play's leak site has historically been accurate — the group does not typically list targets it has not actually compromised, as false listings would undermine its extortion leverage — but exceptions and exaggerations occur. Equally, Lindell's claim that MyPillow relies on third-party data storage could be accurate but does not itself rule out a breach: many Play attacks compromise organisations precisely by accessing their third-party cloud or SaaS environments.

The dispute has political dimensions: Lindell is running for Minnesota Governor in 2026 and has a documented history of cybersecurity controversies, including a 2021 FBI investigation related to election security data. His characterisation of the Play listing as politically motivated should be understood in that context — but Play ransomware is primarily a financially motivated criminal organisation with no documented history of politically targeted attacks against specific individuals.

[Figure: Play ransomware double-extortion model applied to MyPillow]

// 04 What Affected Parties Should Do

For MyPillow employees and customers:

  • Monitor for identity theft indicators. If you are a MyPillow employee or customer, place a fraud alert with the three major credit bureaus (Equifax, Experian, TransUnion). Play's data typically includes personally identifiable information that can be used for synthetic identity fraud and tax refund theft.
  • Watch for W-2 and tax fraud. Payroll data breaches are frequently exploited during tax season for fraudulent tax return filings using stolen SSNs. The IRS Identity Protection PIN (IP PIN) programme — enroll at IRS.gov/IPPIN — adds a layer of protection against this specific threat.
  • Change passwords for any MyPillow-related accounts. Even if the breach is unverified, the cost of changing passwords is low relative to the risk if the breach is real.

For security teams tracking the situation:

  • Monitor Play's leak site for the May 31 publication. Security intelligence teams tracking Play should watch the site for the posting deadline. If data is published, the breach scope, affected data types, and technical indicators of compromise (IOCs) can be extracted from published samples.
  • Review your own exposure to Play ransomware TTPs. CISA advisory aa23-352a provides a comprehensive list of Play's documented IOCs and detection signatures. Ensure your SIEM (Security Information and Event Management — a platform that collects and correlates security log data from across your environment) has rules covering Play's known lateral movement tools, including Cobalt Strike, SystemBC, and the IcedID loader they have historically used for initial access.
  • Patch VPN and email server vulnerabilities promptly. Play's documented initial access methods favour public-facing vulnerabilities in VPN appliances and on-premises email servers. Ensure all FortiGate, Cisco, and Microsoft Exchange deployments are fully patched.

// 05 Background: Understanding the Risk

Play ransomware's documented victim list includes healthcare providers, municipal governments, financial institutions, and communications companies across North America and Europe. The group's operational security is strong — they do not typically make attribution errors or list organisations they have not actually compromised, making the MyPillow listing a credible threat even absent technical confirmation.

The collaboration with North Korean Jumpy Pisces operatives documented by Unit 42 is a significant escalation in Play's capability profile. North Korean cyber operators are known for their sophistication in evading endpoint detection and living-off-the-land (using legitimate operating system tools rather than malware to conduct attack activities, avoiding detection by signature-based security tools). If Play affiliates are leveraging North Korean TTPs, their ability to breach targets without leaving detectable traces — and to do so against hardened environments — is meaningfully higher than their pre-collaboration profile suggested.

The deadline of May 31, 2026 (three days from publication) means this situation will resolve quickly in one of two ways: Lindell pays or negotiates a delay, or Play publishes. Security teams monitoring the situation should have intelligence collection workflows in place to capture and analyse any published data for downstream threat indicators affecting other organisations.

// 06 Conclusion

Play ransomware's MyPillow listing is unverified but credible given the gang's track record, with a May 31 deadline for potential data publication. Whether or not this specific claim is accurate, it illustrates the ongoing threat Play poses to organisations across all sectors: the group has attacked 300+ victims, documented North Korean collaboration expands their capability, and the double-extortion model makes even organisations with good backups vulnerable to reputational and legal harm from data exposure. Monitor the deadline, and treat Play ransomware as a priority threat actor for your own defences.


Team Ciphers Security

The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.
