MyPillow founder Mike Lindell denies ransomware attack by Play gang

At a glance:

• The ransomware group Play claims to have breached MyPillow, stealing payroll, tax, and financial data.
• Mike Lindell denies any breach, labeling the allegations a political "hit job" tied to his gubernatorial campaign.
• The group has set a deadline of Friday to leak the stolen information if the company does not respond.

Allegations of a high-stakes data breach

MyPillow founder Mike Lindell is once again at the center of a cybersecurity storm. According to a report from Straight Arrow News, a media outlet founded by Republican donor Joe Ricketts, the ransomware gang known as Play has claimed responsibility for a significant breach of MyPillow's internal systems. The group asserts that they have exfiltrated a wide array of sensitive company and personal information, creating a precarious situation for the bedding company's operational security.

The alleged stolen data is comprehensive, spanning several critical business functions. Specifically, the Play group claims to have acquired:

• Client documents
• Company budgets
• Payroll records
• Identification documents (IDs)
• Tax filings
• General finance information

Play has issued a public ultimatum via a blog post, threatening to leak the entirety of this data online if MyPillow fails to respond by Friday. This tactic, known as double extortion, is a hallmark of modern ransomware operations where attackers leverage the threat of public exposure to force payment even if the victim has backups of their encrypted files.

A pattern of geopolitical targeting

The involvement of the Play ransomware group is particularly notable given their historical targeting patterns. As noted by Futurism, Play has a track record of operating across multiple borders, with documented attacks in the United States, Brazil, Argentina, Switzerland, and Germany. The group frequently targets organizations and individuals associated with government entities or high-profile political figures, which aligns with Mike Lindell's public persona and political activities.

Lindell has long been a fixture in the American political landscape, serving as a chair for Donald Trump’s 2020 reelection campaign in Minnesota. Following the 2020 election, he became one of the most prominent proponents of theories suggesting the election was stolen, often framing his efforts as a battle against foreign interference. This high visibility likely makes him and his business interests a prime target for threat actors seeking maximum publicity or political leverage.

A history of cybersecurity disputes

This is not the first time Lindell has attempted to position himself as an expert or arbiter of cyber warfare. In 2021, he organized the "Cyber Symposium," an event intended to present evidence that Chinese actors had hacked U.S. voting machines to alter the 2020 election results. To bolster his claims, Lindell launched the "Prove Mike Wrong" challenge, offering a $5 million prize to any cybersecurity professional who could debunk his evidence.

That challenge led to a protracted legal battle with software engineer Robert Zeidman. Zeidman submitted a technical report demonstrating that Lindell's evidence lacked valid voting machine packet capture data—the primary technical requirement to prove votes were sent to Chinese servers. While a private arbitration panel eventually ruled in Zeidman's favor, a federal appeals court later determined that Lindell was not required to pay the $5 million prize. Beyond this, Lindell continues to face a massive defamation lawsuit from Dominion Voting Systems regarding his claims about the 2020 election.

Political framing and financial fallout

In response to the current ransomware claims, Lindell has dismissed the reports as a coordinated political attack. He argues that the timing is intentional, coinciding with his campaign for Governor of Minnesota. "Nobody’s asked us for any ransom," Lindell told Straight Arrow News, insisting that there have been no breaches of MyPillow's data and characterizing the situation as a "hit job" by outside sources.

Lindell has previously highlighted the financial toll of these public and legal battles, claiming in a recent interview that attacks against him have cost the MyPillow brand approximately $400 million. To recoup these losses, he has expressed intent to seek compensation from the $1.8 billion Justice Department "Anti-Weaponization Fund," a fund resulting from a settlement between Donald Trump and the IRS.

As the Friday deadline approaches, the industry is watching to see if the Play group will follow through with the data leak. While Lindell maintains that the breach is a fabrication, the history of the Play group suggests that their claims are often backed by actual exfiltrated data, leaving the MyPillow campaign and corporate entity in a state of uncertainty.