A Serious Gang Makes a Serious Claim

Play ransomware has hit more than 900 organizations since emerging in 2022, according to the FBI as of May 2025. The group consistently ranks among the top five ransomware threats to critical infrastructure in the United States. The Register confirmed the MyPillow listing after threat-intelligence firm FalconFeeds shared the dark-web post publicly.

Play's previous victims include the Argentine judiciary, a Swiss IT contractor that leaked 65,000 Swiss federal government files, and Microchip Technology — a semiconductor manufacturer that reported $21.4 million in breach-related costs to regulators. North Korean state hackers have also been caught using Play ransomware in their intrusions, according to Cisco Talos incident responders.

What Play Claims to Have

According to the dark-web post viewed by The Register and Straight Arrow News, Play claims it pulled "private and personal confidential data, clients' documents, budget, payroll, IDs, taxes, finance information" and more from the Minnesota-based bedding company.

The ransom amount has not been disclosed. MyPillow was given until Friday, May 30 to make contact — or the data goes public. As of the time sources were published, MyPillow had not responded to inquiries from The Register, Straight Arrow News, or Futurism.

Lindell Says It's a Hit Job. Is He Right?

Lindell's response was immediate and emphatic. He told Straight Arrow News — the outlet that broke the story Tuesday — "This is another hit job by outside sources because I'm running for governor. I guarantee it. We do not have any breaches in our data at all."

Ransomware groups don't post fake victims to their leak sites — doing so destroys their credibility with extortion targets. Play has every incentive to only list organizations they actually compromised.

That said, claiming you have data and actually proving it are different things. The quantity and quality of the published data — if Play follows through — will settle the question fast.

The Timing and the Reality

Lindell's political-hit argument deserves a fair hearing, even if the cybersecurity question stands independently.

Lindell is running for Minnesota governor in the August 2026 Republican primary against at least nine other candidates, according to Wired. He's broke by his own admission — in April 2025 he publicly stated he didn't have "5 cents to his name" due to a cascade of civil suits and federal investigations. Futurism confirmed this detail.

A Russian-speaking ransomware gang targeting a politically radioactive, financially compromised American company right before a primary is notable. Play has targeted politically adjacent organizations before.

But from a cybersecurity standpoint, the motivation is straightforward: hackers target organizations they believe can pay. A high-profile brand with visible financial distress and compromised leadership is exactly the kind of soft target Play hunts.

The Financial Wreckage Behind the Brand

Lindell himself said MyPillow suffered $400 million in losses due to what he describes as political attacks over the past several years — citing three third-party evaluations that averaged that figure, according to Straight Arrow News.

He has also announced plans to file a claim under Trump's $1.8 billion "Anti-Weaponization Fund", created through a settlement of a lawsuit against the IRS. Critics including attorney Ron Filipkowski have called that fund a slush fund for Trump allies. That's a legitimate debate — but it's also a separate issue from whether Play hacked his company.

On the legal front, Lindell is on the wrong end of two defamation rulings. A federal jury in Colorado found he defamed Eric Coomer, a former Dominion Voting Systems director, ordering Lindell and his platform FrankSpeech to pay $2.3 million, according to Wired. A Minnesota judge also found he made 51 false claims about election technology company Smartmatic, per Straight Arrow News.

The Ransomware Threat

Most outlets are framing this as a quirky story about a polarizing figure facing consequences. That misses the actual threat.

Play's operational reach is significant. This group disabled endpoint security tools using so-called "EDR killers" during intrusions, according to Cisco Talos. They've hit government contractors, semiconductor manufacturers, and judiciary systems across multiple continents. MyPillow — whatever you think of Lindell — employs real people whose payroll data, IDs, and personal financial records may now be in criminal hands.

Left-leaning outlets like Futurism have spent more column inches on Lindell's political history than on the ransomware threat itself. Right-leaning coverage has barely touched the story.

What Comes Next

If Play has what it claims, MyPillow employees face a genuine problem — regardless of what you think about their boss. Their payroll records, tax documents, and personal IDs don't change based on Lindell's politics.

Lindell says he has no money. Play publishes data when they don't get paid.