Metricon Homes: Australia’s Largest Home Builder Falls Victim to Qilin Ransomware Attack
Metricon Homes, Australia's premier residential construction company, has become the latest high-profile victim of the prolific Qilin ransomware group in a significant cyberattack that compromised sensitive corporate data.
The Breach: What Happened
On July 21, 2025, the Qilin ransomware operation successfully infiltrated the IT systems of Victoria-based Metricon Homes, claiming to have stolen a substantial 128 gigabytes of highly sensitive data. The breach was discovered three days later on July 24, when the company detected unusual activity in its network environment.
The cybercriminals moved swiftly to establish their presence on the dark web, posting Metricon Homes to their darknet leak site alongside screenshots and documents as proof of the successful breach. According to the attackers, the exfiltrated data consists of more than 98,000 files containing what they describe as "highly sensitive" information.
What Data Was Compromised
The scope of the data theft is particularly concerning for both the company and its stakeholders. Qilin affiliates claim to have accessed:
- Confidential financial documents that could provide competitors with strategic insights
- Proprietary architectural plans representing significant intellectual property
- Internal marketing strategies and business intelligence
- Employee personal information that has already been posted to the dark web
The ransomware group warned that disclosure of this information "could cause significant harm to the company, as it contains materials that may offer competitors a substantial strategic advantage and weaken Metricon's position in the market."
Company Response and Recovery
Metricon Homes has responded swiftly to contain the incident and minimize ongoing damage. CEO Brad Duggan addressed the breach directly, stating: "We take this incident extremely seriously and are working with independent experts to understand exactly what occurred. Our customers, team and partners expect us to protect their data, and we are committed to managing this incident with care, speed and openness."
The company has confirmed that:
- The issue was quickly contained with support from external cybersecurity experts
- There has been no impact to operational safety or construction activities
- Internal systems have been restored and are back in operation
- Payments to suppliers and tradespeople continue as normal
- All relevant authorities have been notified, including the Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commissioner (OAIC), and law enforcement
About Metricon Homes
Founded in 1976, Metricon Homes has established itself as Australia's largest home builder, operating across Victoria, New South Wales, Queensland, and South Australia. The company has maintained its position as the country's number one home builder for nine consecutive years, making this breach particularly significant for the Australian construction industry.
With nearly five decades of experience and a reputation for quality and innovation, Metricon serves as a critical part of Australia's residential construction sector, making the targeting by cybercriminals especially impactful for the broader economy.
The Qilin Threat: A Rising Ransomware Empire
The attack represents yet another successful operation by the Qilin ransomware-as-a-service group, which has emerged as one of the most prolific and sophisticated cybercriminal organizations globally. According to Ransomware.live tracking data, Qilin ranks as the third most active ransomware syndicate in 2025, with 291 claimed victims, trailing only Akira (348) and Cl0p (404).
The group has experienced explosive growth in 2025, particularly benefiting from the disruption of rival operations. Qilin topped June 2025 with 86 victims, surpassing all rivals in a shifting threat landscape, and led all groups with 74 attacks claimed in April 2025 after gaining affiliates amid the uncertainty around RansomHub.
Sophisticated Operations and Services
What sets Qilin apart from other ransomware groups is their evolution into what researchers describe as "not just as a ransomware group, but as a full-service cybercrime platform". The group offers unprecedented services to its affiliates, including:
- Legal consultation services: Qilin actively advertises its legal assistance feature, with the group explaining that "If you need legal consultation regarding your target, simply click the 'Call lawyer' button located within the target interface, and our legal team will contact you privately to provide qualified legal support"
- Advanced technical capabilities: Multiple encryption modes and cross-platform compatibility
- Generous affiliate programs: The RaaS operation provides affiliates with all the tools and infrastructure needed to launch attacks, with the Qilin RaaS group receiving 15-20% of ransoms paid
Recent Australian Activities
The group's recent Australian activities include attacks on financial services firm Skeggs Goldstien in June 2025, demonstrating their continued focus on high-value targets across various industries in the region. Interestingly, unlike other ransomware groups that have overwhelmingly targeted construction, professional services, healthcare, and manufacturing sectors, Qilin's claimed victims have been more balanced across sectors, including a higher percentage of financial targets than rivals.
Ransomware.live Intelligence
According to Ransomware.live, a comprehensive ransomware tracking platform created by security researcher Julien Mousqueton, the Metricon Homes attack was part of a broader surge in Qilin activity during July 2025. The platform's data shows that Qilin has been particularly active, with the group posting a deadline of July 25, 2025, for companies to contact them before "their files will be published".
The Ransomware.live tracking system provides crucial intelligence on ransomware group activities, including:
- Real-time victim monitoring: Continuous monitoring and scraping of ransomware group leak sites to identify newly published victims
- Attack attribution: Detailed tracking of which groups are responsible for specific attacks
- Temporal analysis: Discovery dates, estimated attack dates, and deadline tracking
- Infrastructure monitoring: Technical indicators including IP addresses, file hashes, and onion domains used by threat actors
The platform's data reveals that Qilin has maintained consistent pressure on victims, with the group's leak site showing multiple organizations across various sectors and geographic regions. The Metricon listing on their dark web leak site represents a significant escalation in their targeting of critical Australian infrastructure.
This breach highlights the continuing vulnerability of major Australian corporations to sophisticated ransomware attacks, particularly those targeting critical infrastructure and essential services. The construction industry, with its vast networks of suppliers, contractors, and client data, presents an attractive target for cybercriminals seeking to maximize the impact and potential payout from their attacks.
The incident serves as a stark reminder that even well-established companies with significant resources remain vulnerable to evolving cyber threats, emphasizing the critical importance of robust cybersecurity measures and incident response planning.
Industry Implications
As Metricon continues its investigation into the full scope of the breach, the company has committed to directly notifying all affected individuals as details become clearer. The incident underscores the ongoing need for Australian businesses to strengthen their cybersecurity postures and prepare comprehensive response strategies for when, not if, they become targets of sophisticated cybercriminal operations.
For the broader Australian business community, the Metricon breach serves as a sobering reminder that no organization is too large or too established to be safe from the growing threat of ransomware attacks in 2025.