The House Always Wins? Not Against Ransomware: IGT Hit by Qilin Group

IGT ransomware negotiations fail. 10GB of gaming and employee data leaked by Qilin. Is your Las Vegas business at risk? See the 3-step mitigation plan.

 


21,000 files leaked from gaming giant – Las Vegas casino supply chain at critical risk

 

🎰 CRITICAL ALERT: Gaming Supply Chain Breach

International Game Technology (IGT) – the cornerstone vendor for Las Vegas casino floors and lottery systems – has been compromised by Qilin ransomware. 10GB of data (21,000+ files) was published on the dark web after failed ransom negotiations. If your casino uses IGT systems, your data may be exposed.

 

The Breach: When the House Loses

In the high-stakes world of gaming, International Game Technology (IGT) is usually the one dealing the cards. The company powers slot machines, lottery systems, and gaming platforms across Las Vegas casinos from MGM Grand to Caesars Palace, Red Rock to The Venetian.

However, as of February 12, 2026, the house has lost a major hand. After a total breakdown in ransom negotiations, the Qilin (Agenda) ransomware group published 10GB of data—totaling over 21,000 sensitive files—allegedly stolen from the gaming giant.

Is This Critical for Las Vegas?

Absolutely. For Las Vegas businesses, IGT is a cornerstone vendor for casino floors and lottery systems. This leak isn’t just a corporate headline; it’s a direct threat to the integrity of the local gaming supply chain. If you operate slots, sports betting kiosks, or lottery terminals powered by IGT, your vendor connection may have exposed sensitive operational data, employee credentials, or customer information.


What Was Leaked: The Data Inventory

Confirmed Data Exposure:

Volume: 10.1 GB total data size, organized into 21,000+ individual files
File Types: Corporate documents, technical specifications, internal communications, employee data, vendor contracts, system architecture diagrams
Potential PII: Employee personally identifiable information (names, addresses, SSNs), vendor contact details, casino operator credentials
Intellectual Property: Gaming system designs, slot machine configurations, lottery platform specifications, proprietary algorithms
Partner Exposure: Casino operator integration details, third-party vendor relationships, service account credentials for IGT partner portals
Distribution: Data mirrored across multiple dark web repositories, TOR sites, and underground forums – publicly accessible to cybercriminals worldwide

Technical Details: The Qilin Arsenal

The Qilin group (also known as Agenda ransomware) utilizes a sophisticated “Double Extortion” model. Below are the technical signatures associated with their recent campaign against IGT:

Qilin Attack Methodology:

🚪 Initial Access: Exploit Chain

Qilin likely utilized vulnerabilities in unpatched VPN or RDP gateways for initial access. This matches MITRE ATT&CK technique T1133 (External Remote Services). Common entry vectors include Citrix NetScaler, Fortinet FortiGate, and Cisco VPN vulnerabilities. IGT’s global infrastructure with remote office connections presented multiple attack surfaces.

⚙️ Rust-Based Payload

Qilin’s malware is written in the Rust programming language, allowing it to bypass legacy antivirus signatures and target both Windows and Linux/VMware ESXi servers with high efficiency. Rust malware is compiled for each target environment, making detection extremely difficult. The cross-platform capability means Qilin can encrypt slot machine backend servers (often Linux-based) and Windows domain controllers simultaneously.

📤 Double Extortion Model

Step 1: Data exfiltration before encryption – 10.1 GB of sensitive files copied to attacker infrastructure.
Step 2: Network encryption – production systems locked with strong encryption.
Step 3: Ransom demand – pay to decrypt AND prevent data publication.
Step 4: When IGT refused final payment, Qilin published all stolen data publicly as “proof” to future victims that they follow through on threats.

🌐 Dark Web Publication

The 10.1 GB dataset was mirrored across dark web repositories once IGT refused the final ransom demand. Qilin operates a “leak site” on TOR where they showcase victims and publish stolen data. The IGT data is now permanently available to cybercriminals for credential harvesting, competitive intelligence, and secondary attacks against IGT’s casino partners.

 

Qilin Ransomware Technical Profile:

Programming Language: Rust (cross-platform, low detection rates)
Target Platforms: Windows, Linux, VMware ESXi hypervisors
Encryption Method: AES-256 symmetric encryption with RSA-4096 key protection
Exfiltration Tools: Rclone, Mega.nz, custom upload utilities
Privilege Escalation: Exploits Active Directory misconfigurations, stolen credentials
Ransom Payment: Bitcoin, Monero (cryptocurrency only)
Typical Dwell Time: 30-60 days (reconnaissance before encryption)

The Risk: Why Las Vegas Casino CEOs Must Act

In our 24/7 hospitality economy, a breach at a Tier-1 vendor like IGT creates a Supply Chain Contagion. This isn’t just IGT’s problem—it’s yours.

🔗 Supply Chain Attack Vector

If you are a vendor, partner, or operator using IGT-affiliated systems, your corporate data or employee PII may be sitting in this public dump. This incident bypasses your perimeter and hits you through a “trusted” connection. IGT’s customer portal credentials, VPN access tokens, and API keys may all be exposed, allowing attackers to pivot into your casino network using legitimate IGT credentials.

🎰 Gaming Floor Operations Risk

IGT powers thousands of slot machines across Las Vegas. The leaked technical specifications could reveal slot machine configurations, payout algorithms, and backend server architectures. This intellectual property in the wrong hands could enable gaming fraud, machine manipulation, or targeted attacks against specific casino floors. Nevada Gaming Control Board compliance may be at risk if slot system integrity is compromised.

💳 Player Data Exposure

IGT’s sports betting platforms and player loyalty systems process millions of customer transactions. If the breach included integration documentation with casino operators, then player account structures, database schemas, or API authentication methods may be exposed. This creates a roadmap for attackers to target downstream casino customer databases.

Las Vegas Gaming Ecosystem Vulnerability:

Strip Properties: Major casinos on The Strip rely heavily on IGT for slot floors, lottery kiosks, and sports betting systems – single vendor concentration creates systemic risk
Tribal Gaming: Nevada tribal casinos operating IGT equipment may face unique compliance challenges given sovereign jurisdiction requirements
Nevada Lottery: State lottery systems powered by IGT could expose player information and revenue tracking data
Regulatory Scrutiny: Nevada Gaming Control Board will likely require breach notifications and security posture reviews from all IGT customers
Competitive Intelligence: Rival gaming equipment manufacturers could gain unfair advantage from leaked proprietary technology and designs

The 3-Step Mitigation Plan for IGT Customers

If your casino or gaming operation uses IGT systems, implement these emergency measures immediately:

Step 1: Force Password Resets on All IGT Integrations

Immediate Action: Rotate all service account credentials that interact with IGT systems, Brightstar portals, IGT customer support logins, API keys, VPN access tokens, and any shared authentication mechanisms.

Assumption: Any credential used to access IGT systems in the last 90 days may be compromised. Change everything. Use strong, unique passwords and enable Multi-Factor Authentication (MFA) on all accounts. Document all changes for Gaming Control Board audit compliance.

Step 2: Audit Identity & Access Logs

Detection: Review Active Directory logs, VPN access records, and security information and event management (SIEM) data for unusual login patterns from remote employees or unknown IP addresses. Qilin often harvests credentials from these leaks for secondary attacks months later.

Focus Areas: Look for after-hours logins, geographic anomalies (employee credentials used from foreign countries), multiple failed authentication attempts followed by success, and access to systems the user doesn’t normally touch. Any IGT-related credentials appearing in the leaked dataset should trigger immediate investigation.

Step 3: Comprehensive Vendor Risk Review

Strategic Assessment: Re-verify the security posture of your entire digital supply chain using the NIST Cybersecurity Framework. Don’t just focus on IGT—audit all critical vendors (payment processors, property management systems, surveillance providers).

Action Items: Request SOC 2 Type II reports from all vendors, verify they have cyber insurance coverage, confirm incident response procedures are documented, and establish clear breach notification timelines. For IGT specifically, request confirmation that your data was NOT included in the leaked dataset and demand evidence of remediation measures taken post-breach.
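
The focus areas from the access-log audit step (after-hours logins, geographic anomalies, failed attempts followed by success, access to systems a user doesn't normally touch) can be expressed as a small detection pass over authentication events. This is an added example, not code from the original post; the event format, account and host names, baseline, and thresholds are constructed assumptions to adapt to your own AD, VPN, or SIEM export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, user, country, host, result)
EVENTS = [
    ("2026-02-13T09:05:00", "svc_vendor", "US", "portal-gw", "success"),
    ("2026-02-14T02:40:00", "svc_vendor", "US", "portal-gw", "success"),
    ("2026-02-14T03:01:00", "jdoe", "RO", "vpn-gw", "failure"),
    ("2026-02-14T03:01:20", "jdoe", "RO", "vpn-gw", "failure"),
    ("2026-02-14T03:01:45", "jdoe", "RO", "vpn-gw", "failure"),
    ("2026-02-14T03:02:10", "jdoe", "RO", "vpn-gw", "success"),
    ("2026-02-14T11:30:00", "jdoe", "US", "slot-backend", "success"),
]
# Assumed per-user baseline, e.g. built from logs that predate the incident
BASELINE = {
    "svc_vendor": {"countries": {"US"}, "hosts": {"portal-gw"}},
    "jdoe": {"countries": {"US"}, "hosts": {"hr-app", "vpn-gw"}},
}
BUSINESS_HOURS = range(7, 20)          # assumed working hours, 07:00-19:59
FAIL_THRESHOLD = 3                     # failures before a success worth flagging
FAIL_WINDOW = timedelta(minutes=10)    # how long a failure stays relevant

def audit(events, baseline):
    """Return (timestamp, user, reason) findings in time order."""
    findings = []
    recent_failures = defaultdict(deque)   # user -> timestamps of recent failures
    for ts_raw, user, country, host, result in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        fails = recent_failures[user]
        while fails and ts - fails[0] > FAIL_WINDOW:
            fails.popleft()                # expire failures outside the window
        if result == "failure":
            fails.append(ts)
            continue
        known = baseline.get(user, {"countries": set(), "hosts": set()})
        if len(fails) >= FAIL_THRESHOLD:
            findings.append((ts_raw, user, "failures_then_success"))
        fails.clear()                      # a success resets the failure streak
        if ts.hour not in BUSINESS_HOURS:
            findings.append((ts_raw, user, "after_hours"))
        if country not in known["countries"]:
            findings.append((ts_raw, user, "new_country"))
        if host not in known["hosts"]:
            findings.append((ts_raw, user, "unusual_host"))
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS, BASELINE):
        print(*finding)
```

Accounts with no baseline entry are flagged on every successful login for both country and host, which is the conservative behaviour for service accounts discovered during credential rotation.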


How CMIT Solutions of Las Vegas Protects Gaming Businesses

At CMIT Solutions, we help Las Vegas gaming and hospitality businesses navigate these vendor-driven crises. We provide proactive monitoring and incident response to ensure that when a major player like IGT gets hit, your business stays in the game.

Gaming Industry Security Services:

Vendor Risk Management: Continuous assessment of your critical suppliers (IGT, Konami, Aristocrat, payment processors) with automated threat intelligence monitoring for breaches
24/7 SOC Monitoring: US-based Security Operations Center watches for supply chain compromises, credential stuffing attacks using leaked credentials, and lateral movement from vendor connections
Dark Web Monitoring: Proactive scanning of dark web leak sites, underground forums, and ransomware group TOR pages for your company data or vendor breach exposure
Network Segmentation: Isolate gaming floor systems (slots, table games, sports betting) from corporate networks to contain vendor-originated breaches
Ransomware Defense: EDR with behavioral detection, immutable backups, and tested disaster recovery procedures designed for 24/7 casino operations
Gaming Control Board Compliance: Documentation and security controls aligned with Nevada Gaming Control Board Regulation 5.170 and Minimum Internal Control Standards (MICS)
Incident Response Planning: Pre-established breach response playbooks specific to gaming operations with regulatory notification procedures and business continuity safeguards

 

🎰 Do You Use IGT Systems?

Don’t wait to find out if your data was in the breach. Get an emergency vendor risk assessment and credential audit in 24 hours.

Request Emergency Security Assessment


Protect Your Casino from Supply Chain Attacks

When your vendors get breached, your business is at risk. Get comprehensive gaming industry cybersecurity from Las Vegas experts.

CMIT Solutions: Trusted by Las Vegas Casinos, Gaming Operators, and Hospitality Groups

📞 702-725-2877

Request Gaming Security Assessment

cmitsolutions.com/lasvegas-nv-1206

 

Key Takeaways for Gaming Operators:

IGT ransomware attack – Qilin group published 10GB (21,000 files) after failed ransom negotiations on February 12, 2026
Supply chain contagion risk – IGT customers’ data, credentials, and system documentation may be exposed in leak
Las Vegas gaming floor impact – Slot machines, lottery systems, sports betting platforms across The Strip powered by IGT
Qilin double extortion – Rust-based malware targets Windows, Linux, ESXi with data exfiltration before encryption
Rotate all IGT credentials immediately – Service accounts, portal logins, API keys, VPN tokens
Audit access logs for anomalies – Look for credential abuse using leaked data in secondary attacks
Comprehensive vendor risk review – Re-verify security posture using NIST Cybersecurity Framework
CMIT Solutions provides vendor risk management and 24/7 monitoring for Las Vegas gaming operations

 

Sources & Additional Reading

Primary Sources:
• SC World: Qilin Ransomware Claims International Game Technology Hack
• BlackFog: Qilin Ransomware Analysis: Impact and Defense 2025

 
