FLYBOYS FLIGHT CENTER DATA BREACH
Organization: FlyBoys Flight Center (USA)
Leak volume: 5.41 GB
Incident date: July 2024
Attacker: Medusa ransomware group
Content: According to the source, the archive contains training programs, courses, certificates, financial reports, and other internal documentation.
Publication status: The data was published on Medusa's leak site in July 2024. A 5.41 GB file archive is currently openly accessible.
TOKOPARTS.COM DATA BREACH - 79 GB
Organization: Tokoparts (PT Suku Cadang Oto Sejahtera), Indonesian auto parts supplier
Volume: 79 GB, 29,425 files
Data period: 2020-2026
What leaked:
• Financial reports: P&L, balance sheets for 2024-2025, consolidation package for Mitsubishi Corporation (April 10, 2026)
• Banking data: BCA and MUFG statements, all transactions
• Taxes: SPT PPh 21, 23, 26 filings, VAT (PPN) for 2022-2024
• Customer database: 463 corporate clients, 11,272 invoices, AR outstanding 10.5 billion IDR (87% overdue)
• Orders: 33,041 orders from 381 buyers (66 fields per record)
• Delivery documents: 15,000+ photos of delivery slips (signatures, addresses, couriers), the latest dated April 7, 2026
• Supplier pricing: Toyota, Honda, Mitsubishi, Mercedes-Benz, Shell, Denso, Isuzu, Mazda, and others
• Active NDAs: with Mitsubishi Corp (valid until June 2026), with MUC Consulting (perpetual term)
• Personal data: passport of the President Director (Japanese national), KTP IDs, bank account details of supplier directors, data of 20+ Tokoparts employees
• SAP HANA, WMS, supply chain data, business plans, forecasts
Note: All three NDAs were active at the time of the breach. The data includes documents submitted to Mitsubishi Corporation just days before publication.
Status: The 79 GB archive is publicly available.
BEST PRICE FINANCIAL SERVICES DATA BREACH
Incident date: July 23-25, 2025
Attacker: Everest ransomware group
Affected organization: Best Price Financial Services, a UK-based independent financial services provider regulated by the Financial Conduct Authority (FCA). The company offers life insurance, income protection, and critical illness coverage, and operates an online price comparison tool.
What leaked (based on the initial publication):
• Internal documents (screenshots published on the dark web leak site)
• Potentially client data, internal communications, financial records
Important note: The full dataset has been published.
Publication status: The victim was added to Everest's dark web leak site on July 25, 2025.
Regulatory consequences: As an FCA-regulated financial services provider, the company handles sensitive client financial data. A full leak could trigger regulatory fines and client compensation claims.
CITIZENS BANK DATA BREACH
Incident date: April 2026
Attacker: Everest ransomware group
Organization affected: Citizens Bank (major U.S. bank, corporate HQ in Providence, Rhode Island)
Customers affected (bank's statement): "several thousand"
Attackers' claim: ~3.4 million records (the bank calls this figure "generally inaccurate")
What leaked (per Citizens Bank's official statement):
• Customer names
• Home addresses
• Bank account numbers (data found on a paper check)
• Social Security numbers (SSN): NOT compromised
Customer class-action lawsuits claim that credit card numbers and passport numbers may also have been affected, but there is no official confirmation from the bank.
Publication status:
The publication timer on Everest's leak site has been reset twice. As of now, no public links to the stolen data have been released.
Note: The breach occurred at a third-party vendor, not within Citizens Bank's own network.
NISSAN MOTOR CORPORATION DATA BREACH
Incident date: January 10, 2026 (attackers' public disclosure)
Attacker: Everest ransomware group
Organization affected: Nissan Motor Corporation (Japanese automaker; North American operations, USA and Canada)
Affected (attackers' claim): 900-910 GB of data (17+ million VINs)
Based on DataBreach.com analysis of the leaked files:
• 17,119,482 VINs
• 4,193,509 full names
• 4,055,146 postal addresses
• 2,685,720 phone numbers
• 2,045,754 email addresses
• 2,736 dates of birth
IMPORTANT NOTE:
The breach occurred at a third-party vendor (GCSSD) that serviced Nissan and Infiniti dealerships in North America, not at Nissan itself.
INCIDENT: ITARCHITECHS.COM
Attacker's claim date: February 10, 2026 (Clop group)
Data publication date: February 14, 2026
Compromised domain: ITARCHITECHS.COM
About the company: Technology services provider / IT company based in the United States.
Total leaked archive size: 52.2 GB
What leaked:
• Contracts and commercial proposals
• Financial documentation
• Internal corporate documents
• Employee personal data
• Technical documentation and configurations
• Client information
• Operational data
Leak status: Fully published. As of now, 52.2 GB of data is publicly available.
INCIDENT: HUDSON EXECUTIVE CAPITAL LP
Attacker's claim date: February 10, 2026 (Clop group)
Compromised domain: HUDSONEXECUTIVE.COM
About the company: Hudson Executive Capital LP, an SEC-registered investment adviser based in New York, USA. Specializes in strategic investments across the Financials, Healthcare, Technology, and Media sectors.
Total leaked archive size: Not specified (detailed corporate compliance dump)
What leaked (based on detailed analysis of the published data):
The attackers have released a detailed dump of the corporate compliance department folder, practically a complete copy of Hudson Executive Capital's internal documentation.
1. Full Compliance Control Structure (Crown Jewel)
Documents revealing how the company monitors employees and reports to regulators (SEC, FINRA):
Personal Trading / Code of Ethics:
• Detailed logs of employee trading requests for approval (HEC - Employee Trading Requests)
• Employee personal brokerage account statements (with account numbers)
• Annual holdings certifications, showing what employees owned and traded
CEO Partners:
• Folder dedicated to former CEOs serving as fund advisors
• Personal data including affiliations, signed conflict-of-interest certificates, and conflict clearances for deal participation
• Passport copies / photos (CEO Partners - Photos)
Policies & Procedures:
• Complete archive of internal policies: Code of Ethics, Compliance Manual, AML Policy, Cybersecurity Policy, Business Continuity Plan; the blueprint of their compliance system
Internal Investigations and Incidents:
• "Memos to File" and "Violation of compliance policy" folders
• Memos about unintentional information disclosure, trading errors, and potential internal rule violations (e.g., trading on a spouse's personal account)
2. Confidential Correspondence and External Communications
Email files (.msg) revealing sensitive discussions:
Marketing Material Approvals:
• Email chains in which the CEO or CCO approve investor presentations and fact sheets (Marketing Review folders), revealing what they told investors and how
Regulator and Auditor Communications:
• Correspondence with the SEC, FINRA, and Walkers lawyers (Cayman Islands) regarding AML, FATCA, and the Private Funds Law
• Draft responses to FINRA requests
3. Investment Structure and Financial Information
SPV and Fund Details:
• HEC SPV I, II, III, IV folders containing incorporation documents, PPMs (Private Placement Memorandums), and side letters with investors, revealing deal structures and terms for specific LPs
Valuation of Private Assets:
• Compliance - Committee - Valuation folder containing memos and Excel models explaining how private portfolio companies (e.g., Flexis, Paige) were valued, revealing how the fund calculates NAV
Deal-Specific Correspondence and Documents:
• PDF presentations and working models for Pluto, Akoya, HeartFlow, Mindmaze (from user Sai.Nanduri's files): operational analysis of current and potential deals
4. Operational and Technical Information
Cybersecurity:
• Penetration test reports, phishing campaign results, external scan results, cybersecurity briefs; essentially a map of their vulnerabilities
Data Privacy:
• GDPR and Cayman Islands Data Privacy Law (DPL) documents
SPAC Website Backups:
• Complete backup of their corporate websites (archive copies) in the Website\SPAC websites folder
INCIDENT: Proactive Medical Inc
Attacker's claim date: February 10, 2026 (Clop group)
Attacker: CLOP (Clop) ransomware group, a Russian-speaking RaaS group
Compromised domain: PROACTIVEMEDICAL.COM
About the company: Proactive Medical Products / Proactive Medical Inc., medical equipment and healthcare products. Headquarters: Lindenhurst, New York, USA. Proactive Medical Products was founded in 2008 and specializes in patient care products that help prevent and treat conditions such as bedsores and infections.
Publication status: 1.08 TB, data published in full
WHAT LEAKED: DETAILED ANALYSIS
Scale: Catastrophic
Full copies of work folders, including system directories, were exposed in the breach. This is a classic sign of total encryption and theft, not of a single compromised email account.
1. HIGHLY SENSITIVE CLIENT AND PARTNER DATA
| What leaked | Examples / Details |
|---|---|
| Direct contracts and purchase orders | TWIN MED PO# PO057528_files, FEDEX SHIPPING LABEL SO#114439_files, Invoice for Order #21...: complete transaction data |
| Patient data (indirect) | POD_files (Proof of Delivery) and BOL FOR PALLETS folders: exposed delivery addresses breach medical confidentiality (HIPAA) |
2. COMPLETE BUSINESS AND REPUTATIONAL DAMAGE
| What leaked | Details |
|---|---|
| Trade secrets | Customer Price List, BENT METAL DME AND MANUALS (training materials, product assembly instructions) |
| Competitor data | Folders named McKesson, Medline, AdaptHealth inside CUSTOMERS - yossi: pricing policy and strategy |
| Internal documentation | HR DEPARTMENT - UPDATED (employee personal data), Payroll Reports (salaries), FDA (regulatory documents), Instruction Manuals (intellectual property) |
3. EMPLOYEE AND MANAGEMENT PERSONAL DATA
| What leaked | Details |
|---|---|
| Employee work folders | Folders by name: JANET, BRIAN, KRISTINA Stuff, PATRICIA, MIKE, YOSSI: personal correspondence, notes |
| Document scans | scans\Yossi\Yossi iphone\DCIM: photos from an employee's phone |
| Personal files | Music, videos (movies\Game of Thrones), workout programs (Workout\P90X): employees used work computers for personal purposes, expanding the scope of the leak |
VERDICT
This is not just a "document leak."
This is a digital copy of the entire enterprise.
From this archive, one could reconstruct all commercial, financial, operational, and personnel activities of Proactive Medical Products, as well as a significant portion of their relationships with partners.
## INCIDENT: Smith IP Services
Attacker's claim date: February 10, 2026 (CL0P group)
Attacker: CL0P ransomware group
Compromised domain: SMITHIPSERVICES.COM
About the company: Smith IP Services, a U.S.-based company specializing in Intellectual Property (IP)
Total size of the leaked archive: 97 GB
## WHAT WAS LEAKED
• Thousands of patent applications (US, Europe, China, Brazil, Australia, Canada, Argentina, Mexico, and others)
• Trademarks in dozens of countries
• Correspondence with clients, including strategy, financials, and legal recommendations
• Patent assignment records
• Internal company documents (HR, payroll, etc.)
• Personal files of employees
---
## STATUS
The leak is complete and total: not only current cases have been compromised, but also archived files and files previously transferred to other law firms.
The archive allows a full reconstruction of the commercial, financial, and patent activities of the IP firm and its clients.
Leak status: Published
INCIDENT: ENVIRONMENTAL CORPORATION OF AMERICA (ECA)
Attacker's claim date: January 2026
Attacker: CLOP (Clop) ransomware group, a Russian-speaking RaaS group
Compromised domain: ECA-USA.COM
About the company:
Environmental Corporation of America (ECA), a technology and aerospace industry company
Headquarters: USA
WHAT LEAKED:
• Client data: contracts, purchase orders (PO), invoices, shipping/delivery information
• Aerospace: technical documentation, specifications, drawings (ITAR/EAR-sensitive data)
• Finance: pricing, payment data, salaries, financial reports
• HR / Personnel: employee personal data, document scans, resumes
• Internal documentation: policies, procedures, internal correspondence
• IP / Intellectual Property: patents, technological developments, source code
SECTOR RISK: CRITICAL
The aerospace industry is particularly vulnerable due to:
* High value of intellectual property
* Export control regulations (ITAR / EAR)
ITAR (International Traffic in Arms Regulations) covers sensitive defense-related data. A leak of ITAR-controlled information can have national security implications and result in massive regulatory fines.
Leak status: Published
INFORMATIONAL: THE CLOP GROUP
Context of CLOP Activity in 2025-2026
The CLOP (Clop) ransomware group is one of the most active and dangerous Russian-speaking RaaS (Ransomware-as-a-Service) groups. They specialize in mass-scale attacks using zero-day vulnerabilities in popular enterprise software:
| Target Software | Number of Victims | Period |
|---|---|---|
| MOVEit Transfer | ~2,773 organizations | 2023 |
| GoAnywhere MFT | 100+ organizations | 2023 |
| Accellion FTA | Dozens of organizations | 2020-2021 |
| Oracle E-Business Suite | Dozens of organizations | 2025 |
In 2025, CLOP exploited a zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882), stealing data from dozens of organizations worldwide.
Confirmed victims of that campaign include:
* Harvard University
* The Washington Post
* Logitech
* Schneider Electric
* Emerson
* American Airlines (Envoy Air)
* GlobalLogic (data breach of 10,500+ employees)
CLOP's tactic: "double extortion", data theft plus the threat of public release. The group gives victims a limited window for negotiations, after which it publishes the stolen data in open access on its Tor leak site.
Why the Presence of Microsoft 365 Is Important Context, Not Proof of a Breach
CLOP is not just a ransomware operator; it is a group engaged in data theft and extortion. Their target model is to infiltrate the victim's network by any means and exfiltrate as much information as possible. If the victim's network includes Microsoft 365, gaining access to it is a "gold mine": C-level email, Teams discussions of deals, SharePoint, OneDrive.
In 2026, there are at least three documented methods to gain full access to Microsoft 365 without hacking Microsoft's own servers:
1. Session Interception via Compromised Routers (APT28)
In April 2026, an operation by Russian hackers (GRU) was confirmed: between 18,000 and 40,000 routers were compromised worldwide. The technique: DNS spoofing and adversary-in-the-middle (AiTM). An employee thinks they are logging into Outlook, but in reality they are sending their login, password, and MFA token directly to the hackers. This works even with two-factor authentication enabled.
2. Device Code Phishing (OAuth 2.0 Attack)
A user receives a phishing email asking them to go to the legitimate Microsoft site https://aka.ms/devicelogin and enter a short code. Once they do, they authorize a malicious application (e.g., "Microsoft Security Scanner"). The hackers receive a refresh token and gain full access to the victim's email, Teams, and files. The user voluntarily and legitimately completes the MFA process.
3. Vulnerabilities in "Edge" File Transfer Systems (MOVEit, GoAnywhere)
This is classic CLOP. They don't break into Microsoft 365 directly. Instead, they compromise a vendor or an adjacent system (e.g., a corporate portal) and from there "move laterally" into Microsoft 365 using legitimate integrations.
4. What "Victim Uses Microsoft 365" Means: An Indicator of the Scale of Damage
The presence of Microsoft 365 at a victim organization is not proof that the breach occurred through it. However, it is a critically important indicator for assessing potential damage.
In the context of the "What leaked" section:
| Scenario | What leaked? |
|---|---|
| Victim does NOT use M365 | Only server files (standard documents) |
| Victim DOES use M365 | In addition to server folders: all corporate correspondence (Outlook), chat history (Teams), files from OneDrive and SharePoint |
Thus, "uses Microsoft 365" is not evidence of the hack itself; it is a marker of potential catastrophe. If CLOP gains access to a victim's network that includes M365, the volume of the leak increases dramatically because cloud-based communications are swept up as well.
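As an added example (not part of the original post) of what a defender can do about method 2 above: a small Python check over constructed Entra ID sign-in records that flags device-code-flow sign-ins, the grant that device code phishing abuses. The field names follow the Microsoft Graph signIn resource (authenticationProtocol, appDisplayName, ipAddress, userPrincipalName, createdDateTime); the log records, the corporate egress range and the list of apps expected to use the device code grant are all assumptions constructed for this example.

```python
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample records in the shape of Microsoft Graph signIn objects.
# Only the fields used below are included; all values are made up for this example.
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName": "cfo@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "ipAddress": "198.51.100.23", "createdDateTime": "2026-02-11T09:14:02Z"}
{"userPrincipalName": "cfo@example.com", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.8", "createdDateTime": "2026-02-11T09:20:44Z"}
{"userPrincipalName": "it-admin@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Azure CLI", "ipAddress": "203.0.113.40", "createdDateTime": "2026-02-11T10:02:10Z"}
{"userPrincipalName": "hr@example.com", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Security Scanner", "ipAddress": "198.51.100.77", "createdDateTime": "2026-02-11T10:31:55Z"}
"""

# Assumption: the organisation's own egress ranges (constructed for this example).
CORPORATE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: the only apps this organisation expects to use the device code grant
# (CLI tooling on headless hosts). Any other app name is treated as suspect.
EXPECTED_DEVICE_CODE_APPS = {"Microsoft Azure CLI"}


@dataclass
class Finding:
    user: str
    app: str
    ip: str
    when: str
    reasons: list


def _is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_EGRESS)


def analyse_signins(log_text: str):
    """Return one Finding per device-code sign-in, with the reasons it stands out.

    The device code grant is legitimate, so its presence alone is not an alert.
    Each event is scored on two signals the text above makes relevant: an app
    name that is not on the expected list (e.g. a look-alike such as
    "Microsoft Security Scanner") and a source IP outside corporate egress
    (the code is redeemed from the attacker's infrastructure, not the user's).
    """
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        reasons = []
        app = rec.get("appDisplayName", "")
        if app not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append(f"unexpected app for device code flow: {app!r}")
        ip = rec.get("ipAddress", "")
        if not _is_corporate(ip):
            reasons.append(f"device code redeemed from non-corporate IP {ip}")
        findings.append(Finding(rec["userPrincipalName"], app, ip,
                                rec["createdDateTime"], reasons))
    return findings


def high_risk(findings):
    """Device-code sign-ins that trip both signals: the ones to triage first."""
    return [f for f in findings if len(f.reasons) == 2]


if __name__ == "__main__":
    for f in analyse_signins(SAMPLE_SIGNIN_LOG):
        tag = "HIGH" if len(f.reasons) == 2 else ("MEDIUM" if f.reasons else "info")
        detail = "; ".join(f.reasons) or "expected usage"
        print(f"[{tag}] {f.when} {f.user} via {f.app!r} from {f.ip}: {detail}")
```

The same first filter in a Log Analytics workspace is `SigninLogs | where AuthenticationProtocol == "deviceCode"`; blocking the device code flow for users who have no need for it is done with a Conditional Access policy on the authentication flows condition.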
Why the Presence of Microsoft 365 Is Important Context, Not Proof of a Breach
CLOP is not just a ransomware operator β it is a group engaged in data theft and extortion. Their target model is to infiltrate the victim's network by any means and exfiltrate as much information as possible. If the victim's network includes Microsoft 365, then gaining access to it is a "gold mine": C-level emails, Teams discussions of deals, SharePoint, OneDrive.
In 2026, there are at least three documented methods to gain full access to Microsoft 365 without hacking Microsoft's own servers:
1. Session Interception via Compromised Routers (APT28)
In April 2026, an operation by Russian hackers (GRU) was confirmed: between 18,000 and 40,000 routers were compromised worldwide. The technique β DNS spoofing and adversary-in-the-middle (AiTM). An employee thinks they are logging into Outlook, but in reality, they are sending their login, password, and MFA token directly to the hackers. This works even with two-factor authentication enabled.
2. Device Code Phishing (OAuth 2.0 Attack)
A user receives a phishing email asking them to go to the legitimate Microsoft site https://aka.ms/devicelogin and enter a short code. Once they do, they authorize a malicious application (e.g., "Microsoft Security Scanner"). The hackers receive a Refresh Token and gain full access to the victim's email, Teams, and files. The user voluntarily and legitimately completes the MFA process.
3. Vulnerabilities in "Edge" File Transfer Systems (MOVEit, GoAnywhere)
This is classic CLOP. They don't break into Microsoft 365 directly. Instead, they compromise a vendor or an adjacent system (e.g., a corporate portal), and from there "move laterally" into Microsoft 365 using legitimate integrations.
4. What "Victim Uses Microsoft 365" Means β An Indicator of the Scale of Damage
The presence of Microsoft 365 at a victim organization is not proof that the breach occurred through it. However, it is a critically important indicator for assessing potential damage.
In the context of the "What leaked" section:

| Scenario | What leaked? |
| --- | --- |
| Victim does NOT use M365 | Only server files (standard documents) |
| Victim DOES use M365 | In addition to server folders: all corporate correspondence (Outlook), chat history (Teams), files from OneDrive and SharePoint |
Thus, "uses Microsoft 365" is not evidence of the intrusion itself; it is a marker of how bad the outcome can be. If CLOP gains access to a victim's network that includes M365, the volume of the leak grows dramatically, because cloud-hosted communications (mail, chat, shared files) are exposed alongside the file servers.
INCIDENT: 5 Star Civil, CC Aggregates, IDR Builds (Cloudy Drives)
Attacker's Claim Date: February 2026
Attacker: CL0P ransomware group
Compromised Domain: gokallit.com (Cloudy Drives)
Go Kall IT is a privately owned Managed IT
About the company: A group of construction companies operating in Texas (USA), including 5 Star Civil (earthwork and utility contractor), CC Aggregates (aggregate producer and supplier), and IDR Builds (residential and commercial construction company).
Total size of the leaked archive: 1.36 TB
WHAT WAS LEAKED:
Complete financial records:
* Payroll Journals for 2016–2023
* Bank Statements for 2019–2025
* Federal Income Tax returns for 2015–2024
* Property Tax documents for 2016–2025
* Texas Franchise Tax for 2018–2022
* Audit reports for 2018–2023
* Credit agreements and factoring contracts
HR and personnel records:
* Employee Folders (current and terminated employees)
* Tool Agreements (liability agreements for tools)
* CDL driver files (commercial trucking)
Trade secrets and project documentation:
* Bid folders with sections «01-PLANS (BID SET)», «A-5STAR ESTIMATE», «D-QUOTES» (subcontractor quotes), «E-PRICELIST» (price lists)
* Projects for 2022, 2023, 2024, including Travis Club, Veramendi, Cottonwood, Crystal Falls, Maverick, and dozens of others
* Drone documentation: DRONE VIDEO, DRONE PROJECTS (topographic surveys, orthophoto plans)
* Video records of construction progress
Heavy equipment database:
* Complete records for heavy machinery (Track Hoes, Wheel Loaders, Skid Steers, Water Trucks, Back Hoes, Compaction Rollers, Dump Trucks, and others)
* For each unit: contracts, repair invoices, maintenance logs
Legal and judicial documents:
* Lawsuits folder, including the «Bell, Monty» case
* Land Leases, Land Purchases, Land Sales: ranches, quarries, agricultural land
* AMSOL Bankruptcy documents
Insurance documentation:
* Certificates of Insurance
* Claims audits
* Fleet, equipment, and worker's compensation insurance
Client correspondence:
* Correspondence including strategy, financial discussions, and legal recommendations
* Prime and subcontractor agreements
Internal company documents:
* HR orders, job descriptions
* Safety documents (MSHA & Safety, Toolbox Talks)
* Internal policies and manuals
Personal employee files:
* Employee photos (including the PICTURES folder with subfolders EQUIP PICS, COMPANY PHOTOS, CHRISTMAS PARTIES, FAMILY DAY)
* Resumes and application forms
Note
The leak affects not only current company projects but also archived files, including documents from previous years and files exchanged between contractors. Folders labeled «00 NOT AWARDED or NO BID» were found, containing bid documentation for projects the companies did not win, but which still contain commercial information from subcontractors and price lists.
The archive allows a full reconstruction of the commercial, financial, and project activities of the construction companies and their partners.
STATUS
The leak is complete: the full 1.36 TB cloud storage file structure has been published. Not only current company cases have been compromised, but also archived files and documents previously shared with other contractors and subcontractors.
Leak status: Published
INCIDENT: itRobotics
Date of attacker's claim: January 25, 2026
Attacker: CL0P ransomware group
Compromised domain: itrobotics.com
About the company: itRobotics is an engineering company specializing in the development and manufacture of non-destructive testing (NDT) equipment for the oil and gas industry. Core areas: eddy current testing (ECT/ECTAS), magnetic flux leakage (MFL), calibration and maintenance of inspection equipment for coiled tubing. Clients include Schlumberger (SLB), Tenaris, Baker Hughes, Weatherford, NOV, AlMansoori and others.
Total leaked archive size: 220 GB
---
### WHAT WAS LEAKED
The following categories of data were identified:
Full technical documentation (Know-How): CRITICAL LEAK
- 3D models and drawings in SolidWorks (parts, enclosures, assemblies).
- Circuit diagrams and PCB files (Pulsonix, Advanced Circuits, PCB Universe), including boards for ATEX/CE equipment ("DAQ Box", "Ovality System", "Half Ring").
- Source code of FPGA firmware and LabVIEW 2011 software (ECTAS, CoilScan systems). This is the "heart" of their instruments.
Project documentation related to customers (Confidential):
- Schlumberger (SLB): extensive correspondence (folders From Mansoor, To Mansoor), detailed repair reports (Repair Reports), diagnostic logs (Diagnostic Reports), packing lists and calibration files spanning many years.
- Tenaris, Quality Tubing, Global Tubing: complete inspection dossiers, including field notes, raw calibration data (CALIBRATION...), binary files of tool run results.
- Baker Hughes: the Baker-Hughes CTCM folder presumably contains customer-specific documentation.
Internal quality system (ISO 9001):
- All SOPs (Standard Operating Procedures), control procedures, non-conformance reports (NCR), validation reports.
- Component certificates (RoHS, ATEX, CE).
- Complete employee personal folders (Jim Westlake, Zhiyong Wang, Darrin, Matias Brusco and others), including resumes, correspondence, work notes, and possibly personal data.
Logistics and correspondence:
- Thousands of packing lists and shipping reports from 2011–2025, revealing the full supply chain and customer base.
- Email correspondence (folders business@onesupport.com, Communications), containing discussions of contracts, technical issues and field tests.
Penetration testing toolset (Irony):
- The presence of folders such as Ransomware note.txt (in one of the screenshots), Lockbit, Nemesis and other attack tools may indicate that the machine was used not only for development.
### NOTE (from the analyst):
The files show a meticulously organized engineering company with a strict folder structure. This means the attackers gained access not to a "pile of trash" but to a structured knowledge base. The leak includes intellectual property (source code and schematics), which could cause critical damage to itRobotics' business, as their products could be copied by competitors. Especially dangerous is the loss of calibration insights and repair logs for SLB, as this could undermine the trust of a key customer. The leak occurred in January 2026. The 220 GB volume suggests that, beyond documents, code repositories and CAD libraries were likely exfiltrated as well.
### STATUS:
Leak status: Published / Data is published.
INCIDENT: Broad Reach Retail Partners, LLC
Date of attackers' claim: February 10, 2026 (the Clop group claimed responsibility; publication of the file dump has been confirmed by analysis)
Attackers: CL0P ransomware group
Compromised domain: brrp.local (Broad Reach Retail Partners' internal domain)
About the company: Broad Reach Retail Partners, LLC is a US private commercial real estate company (headquartered in Millersville, Maryland). Founded in 2006. Manages 68 shopping centers totaling over 6 million square feet. Specializes in acquiring, managing, leasing, and redeveloping shopping centers. Headcount: 10–50 employees. Estimated annual revenue: $1.7M–$10M.
Total leaked archive size: 440 MB (judging by the file structure, a compressed copy of the cloud/network drive of several employees)
WHAT WAS LEAKED
The following data categories were discovered:
- Personal folders of at least 6 employees with usernames: ajones@brrp.local, cretag@brrp.local, drogers@brrp.local, eroberts@brrp.local, ktodd@brrp.local, wstanwick@brrp.local
- Banking and payment documents: wire notifications with fraud alerts, executed purchase and sale agreements, interest-bearing account details
- Complete due diligence for the Fairview Centre property (Cleveland, Ohio): environmental reports (Phase I ESA), Property Condition Assessment (PCA), zoning analysis, roof condition report, void analysis
- All lease agreements and lease abstracts for dozens of tenants including: Giant Eagle, Dollar Tree, PNC Bank, Goldfish Swim School, Onyx Health Club, UPS Store, and others
- Financial reports: general ledgers (GL) for all months of 2024, rent rolls, CAM reconciliations, accounts receivable, pre-acquisition tax estimates
- Seller due diligence, including internal accounting, reserves, tenant improvement allowances
- Insurance loss runs for 2020–2025
- Employee health and dental insurance data (handouts with rate tables)
- Folders for other real estate assets: Henderson Pointe (including soft cost tracker), development projects in Canton (GA), Davenport (FL), Worcester (MA)
- Internal SOPs and instructions, including CentreStack recover deleted files SOP.docx (indicating possible use of the CentreStack cloud service)
ANALYST'S NOTE:
> *This is not just a "document leak"; it is a complete snapshot of the company's operational activities. The attackers gained access to banking details, current and planned transactions, tenant negotiations, and employee insurance data. Particularly dangerous is the presence of files containing wire fraud alerts: hackers could use these to precisely substitute payment details in future transactions. Also notable is the absence of a public acknowledgment of the incident by the company, more than three months after the attackers' claim.*
STATUS:
Leak status: Published / Data has been published (the file dump has been confirmed and analyzed; the folder structure and file list are publicly available).
INCIDENT: Dhanarak Asset Development Co., Ltd.
Date of attackers' claim: February 10, 2026
Attackers: CL0P ransomware group
Compromised domain: dad.co.th
About the company: Dhanarak Asset Development Co., Ltd. (DAD) is a state-owned enterprise, fully owned by the Ministry of Finance of Thailand. The company was established to develop, manage, and operate government facilities, primarily the Chaeng Watthana government office complex in Bangkok. DAD is responsible for implementing the "Smart City" concept within this complex, including access control systems, smart parking, and a unified super-application.
Total leaked archive size: 694 GB
WHAT WAS LEAKED
The following data categories have been confirmed:
* Contracts and commercial proposals
* Financial documentation
* Internal corporate documents
* Employee personal data
* Technical documentation and configurations
* Customer information
* Operational data
NOTE:
Data is in the Thai language.
STATUS:
Leak status: Published / Data has been published (the file dump has been confirmed and analyzed; the folder structure and file list are publicly available).
INCIDENT: Conwest Developments
Date of attackers' claim: February 7, 2026
Attackers: CL0P ransomware group
Compromised domain: conwest.com
About the company: Conwest Developments is a Canadian private real estate development company founded in 1985. Headquarters are located in Vancouver, British Columbia. The company specializes in commercial, industrial, and residential projects in the Greater Vancouver region. Employee count: 100–250. Annual revenue: $10–50 million.
Total leaked archive size: 450 MB
WHAT WAS LEAKED
* Personal folders of at least 5 employees
* Video reports and visual data (drone or site inspection footage)
* Technical and project documentation (construction drawings)
* Permitting documentation and codes
* Financial and tax documents: BC Hydro bills, payment receipts
* Legal documents and agreements
* Correspondence and presentations for investors/boards
* Rezoning and land development documents
* Environmental and regulatory requirements
ANALYST'S NOTE:
The leak constitutes a complete copy of the cloud storage of several key Conwest employees. Documents submitted for permit approval (Issued_for_Permit) contain precise engineering details.
STATUS:
Leak status: Published
INCIDENT: Augustea SpA
Date of attackers' claim: February 7, 2026
Attacking group: CL0P ransomware group
Compromised domain: augustea.com
About the company:
Augustea SpA is a traditional shipping company from Naples, Italy, whose history dates back to 1629. The company operates a modern fleet of about 50 vessels, tugs, and barges, employing approximately 630 people. The group is also known for its activities in Malta.
WHAT WAS LEAKED (attackers' claims)
• Contracts and commercial proposals
• Financial documentation
• Internal corporate documents
• Employee personal data
• Technical documentation and configurations
• Customer information
• Operational data
Analyst's note:
Leak via a third-party service
Status:
Leak status: Claimed / Data partially published
INCIDENT: Labinf Sistemi S.r.l.
Date of attackers' claim: February 7, 2026
Attacking group: CL0P ransomware group
Compromised domain: labinf.it
About the company:
Labinf Sistemi S.r.l. is an Italian IT company and software developer founded in 1978 and based in Chivasso, Italy. The company provides comprehensive integrated IT solutions, including ERP systems (open-source iDempiere), cloud computing, cybersecurity, network infrastructure design, and custom software development for private companies and public institutions.
Total size of the leaked archive: 80.3 GB
WHAT WAS LEAKED (attackers' claims)
• Contracts and commercial proposals
• Financial documentation
• Internal corporate documents
• Employee personal data
• Technical documentation and configurations
• Customer information
• Operational data
Analyst's note:
The leak is categorized under the technology sector.
Status:
Leak status: Claimed / Data partially published
INCIDENT: AIG Healthcare
Date of attackers' claim: March 11, 2026
Attacking group: CL0P ransomware group
Compromised domain: aighealthcare.in
About the company:
AIG Healthcare is an Indian healthcare company.
WHAT WAS LEAKED (attackers' claims)
• Contracts and commercial proposals
• Financial documentation
• Internal corporate documents
• Employee personal data
• Technical documentation and configurations
• Customer information
• Operational data
Analyst's note:
Leak via a third-party service
Status:
Leak status: Claimed / Data partially published
INCIDENT: AIG Business Solutions Pvt. Ltd.
Date Reported: February 10, 2026
Attacking Group: Clop ransomware group
Compromised Domain: aigbusiness.com
About the company: AIG Business Solutions Pvt. Ltd. is a business solutions provider headquartered in India.
WHAT WAS LEAKED (attackers' claims)
• Contracts and commercial proposals
• Financial documentation
• Internal corporate documents
• Employee personal data
• Technical documentation and configurations
• Customer information
• Operational data
Status:
Leak status: Claimed / Data partially published