Amazon S3 is being used as exfiltration staging infrastructure by the LeakNet ransomware group, with stolen data transferred to attacker-controlled S3 buckets following lateral movement via PsExec; this is an abuse of the legitimate AWS service, not a vulnerability in S3 itself. Organizations should monitor for bulk outbound HTTPS transfers to S3 endpoints from workstations and servers outside approved backup or sync workflows, and review egress filtering rules to restrict or alert on large-scale transfers to S3 destinations not in the approved vendor list.