AWS S3 is the confirmed exfiltration destination in the LeakNet ransomware campaign, with attackers staging stolen data to attacker-controlled S3 buckets as part of the post-exploitation chain (T1537). No AWS platform vulnerability is involved; the risk is misuse of legitimate cloud storage APIs following credential theft or valid account abuse. Organizations should audit S3 bucket policies and CloudTrail logs for unexpected PutObject or CreateMultipartUpload calls from internal hosts or CI/CD service roles not associated with backup or pipeline workloads.