BaseLeak
🔍 INCIDENT: HUDSON EXECUTIVE CAPITAL LP

📅 Attacker's claim date: February 10, 2026 (CL0P group)

🎯 Compromised domain: HUDSONEXECUTIVE.COM

🏢 About the company: Hudson Executive Capital LP is an SEC-registered investment adviser based in New York, USA. It specializes in strategic investments across the financials, healthcare, technology and media sectors.

📦 Total leaked archive size: not specified (a detailed dump of the corporate compliance folder)

📂 What leaked (based on analysis of the published data):

The attackers have released a detailed dump of the corporate compliance department's folder, practically a complete copy of Hudson Executive Capital's internal compliance documentation.

1. Full Compliance Control Structure (Crown Jewel)
Documents revealing how the company monitors employees and reports to regulators (SEC, FINRA):

Personal Trading / Code of Ethics:

Detailed logs of employee trading requests submitted for approval (HEC - Employee Trading Requests)

Employee personal brokerage account statements (with account numbers)

Annual holdings certifications showing what employees owned and traded

CEO Partners:

Folder dedicated to former CEOs serving as fund advisors

Personal data including affiliations, signed conflict-of-interest certificates and conflict clearances for deal participation

Passport copies / photos (CEO Partners - Photos)

Policies & Procedures:

Complete archive of internal policies: Code of Ethics, Compliance Manual, AML Policy, Cybersecurity Policy, Business Continuity Plan, i.e. the blueprint of their compliance system

Internal Investigations and Incidents:

"Memos to File" and "Violation of compliance policy" folders

Memos about unintentional information disclosure, trading errors and potential internal rule violations (e.g., trading in a spouse's personal account)

2. Confidential Correspondence and External Communications
Email files (.msg) revealing sensitive discussions:

Marketing Material Approvals:

Email chains in which the CEO or CCO approve investor presentations and fact sheets (Marketing Review folders), revealing what they told investors and how

Regulator and Auditor Communications:

Correspondence with the SEC, FINRA and Walkers (Cayman Islands law firm) regarding AML, FATCA and the Private Funds Law

Draft responses to FINRA requests

3. Investment Structure and Financial Information
SPV and Fund Details:

HEC SPV I, II, III, IV folders containing incorporation documents, PPMs (Private Placement Memoranda) and side letters with investors, revealing deal structures and the terms given to specific LPs

Valuation of Private Assets:

Compliance - Committee - Valuation folder containing memos and Excel models explaining how private portfolio companies (e.g., Flexis, Paige) were valued, i.e. how the fund calculates NAV

Deal-Specific Correspondence and Documents:

PDF presentations and working models for Pluto, Akoya, HeartFlow and Mindmaze (from the user Sai.Nanduri's files): operational analysis of current and potential deals

4. Operational and Technical Information
Cybersecurity:

Penetration test reports, phishing campaign results, external scan results and cybersecurity briefs. For an attacker this is a map of known, possibly still unremediated weaknesses; every finding in those reports should now be treated as burned and re-verified.

Data Privacy:

GDPR and Cayman Islands Data Privacy Law (DPL) documents

SPAC Website Backups:

Complete backup of their corporate websites (archive copies) in the Website\SPAC websites folder

🔍 INCIDENT: Proactive Medical Inc

📅 Attacker's claim date: February 10, 2026 (CL0P group)

🦠 Attacker: CL0P (Clop) ransomware group, a Russian-speaking RaaS group

🎯 Compromised domain: PROACTIVEMEDICAL.COM

🏢 About the company: Proactive Medical Products / Proactive Medical Inc., medical equipment and healthcare products. Headquarters: Lindenhurst, New York, USA. Founded in 2008, the company specializes in patient care products that help prevent and treat conditions such as bedsores and infections.

📦 Publication status: 1.08 TB, data published in full

📂 WHAT LEAKED: DETAILED ANALYSIS
🚨 Scale: Catastrophic
Full copies of work folders, including system directories, were exposed. This is the signature of a whole file server (or its backup) being copied out, not of a single mailbox being compromised.

1. HIGHLY SENSITIVE CLIENT AND PARTNER DATA
* Direct contracts and purchase orders: TWIN MED PO# PO057528_files, FEDEX SHIPPING LABEL SO#114439_files, Invoice for Order #21... (complete transaction data)
* Patient data (indirect): POD_files (proof of delivery) and BOL FOR PALLETS folders. Delivery addresses for medical equipment identify individual patients and, where the company acts as a HIPAA covered entity or business associate, are protected health information.

2. COMPLETE BUSINESS AND REPUTATIONAL DAMAGE
* Trade secrets: Customer Price List, BENT METAL DME AND MANUALS (training materials, product assembly instructions)
* Customer and distributor data: folders named McKesson, Medline, AdaptHealth inside CUSTOMERS - yossi (per-account pricing policy and strategy)
* Internal documentation: HR DEPARTMENT - UPDATED (employee personal data), Payroll Reports (salaries), FDA (regulatory documents), Instruction Manuals (intellectual property)

3. EMPLOYEE AND MANAGEMENT PERSONAL DATA
* Employee work folders: folders by name (JANET, BRIAN, KRISTINA Stuff, PATRICIA, MIKE, YOSSI) with personal correspondence and notes
* Document scans: scans\Yossi\Yossi iphone\DCIM, photos from an employee's phone
* Personal files: music, videos (movies\Game of Thrones), workout programs (Workout\P90X). Employees used work computers for personal purposes, which widens the scope of the leak.

📝 VERDICT
This is not just a "document leak."

This is a digital copy of the entire enterprise.

From this archive, one could reconstruct all commercial, financial, operational and personnel activities of Proactive Medical Products, as well as a significant portion of its relationships with partners.
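The verdict above is reached by reading the published directory listing and sorting paths into risk buckets. The script below, an added example that is not part of the original post and not a tool the channel uses, shows that triage over a constructed listing: the paths are invented in the style of the folders named above and none are taken from the real dump. The category names, regexes and weights are the editor's assumptions, a starting point for scoping notifications (credentials and identity documents first, personal media last), not a legal classification.

```python
import re
from collections import Counter, defaultdict

# Constructed sample listing in the style of a leak-site directory dump.
# Every path here is invented for this example; none is from the published data.
SAMPLE_LISTING = """\
HR DEPARTMENT - UPDATED/Employee Files/J. Doe/I-9 form.pdf
HR DEPARTMENT - UPDATED/Payroll Reports/2024-03 payroll.xlsx
CUSTOMERS - yossi/McKesson/Customer Price List 2025.xlsx
Shipping/POD_files/SO114439 proof of delivery.pdf
Shipping/BOL FOR PALLETS/BOL 2231.pdf
scans/Yossi/Yossi iphone/DCIM/IMG_0412.jpg
movies/Game of Thrones/S01E01.mkv
IT/passwords.xlsx
IT/backup/ad-export.csv
FDA/510k submission draft.docx
Invoice for Order #2104.pdf
"""

# Ordered rules, first match wins: (category, regex, weight). Weights are assumed
# priorities for notification/containment, not a standard scale.
RULES = [
    ("credentials", re.compile(r"password|credential|\.kdbx$|id_rsa|\.pem$|\.pfx$", re.I), 10),
    ("identity_docs", re.compile(r"passport|\bI-9\b|\bW-4\b|\bW-9\b|driver'?s? ?licen[cs]e|\bssn\b", re.I), 9),
    ("payroll_hr", re.compile(r"payroll|salary|salaries|\bHR\b|employee files?|termination", re.I), 7),
    ("patient_delivery", re.compile(r"\bPOD\b|proof of delivery|\bBOL\b|shipping label|patient", re.I), 8),
    ("pricing_commercial", re.compile(r"price ?list|quote|\bbid\b|estimate|invoice|\bPO\b|purchase order", re.I), 5),
    ("regulatory", re.compile(r"\bFDA\b|510k|\bSEC\b|FINRA|compliance|audit", re.I), 5),
    ("directory_export", re.compile(r"ad-export|\.ldif$|ntds|\.csv$", re.I), 6),
    ("personal_noise", re.compile(r"\bDCIM\b|\.jpe?g$|\.mkv$|\.mp4$|movies?/|music/|workout", re.I), 0),
]


def classify_path(path):
    """Return (category, weight) for one path; 'uncategorized' with weight 1 if no rule matches."""
    for category, pattern, weight in RULES:
        if pattern.search(path):
            return category, weight
    return "uncategorized", 1


def triage_listing(listing_text):
    """Classify every non-empty line of a listing.

    Returns a dict with 'counts' (category -> number of paths), 'by_category'
    (category -> paths), 'risk_score' (sum of rule weights) and 'top_dirs'
    (first path component -> count), the last showing which shares dominate.
    """
    counts, by_category, top_dirs, score = Counter(), defaultdict(list), Counter(), 0
    for line in listing_text.splitlines():
        path = line.strip()
        if not path:
            continue
        category, weight = classify_path(path)
        counts[category] += 1
        by_category[category].append(path)
        score += weight
        top_dirs[path.split("/", 1)[0]] += 1
    return {"counts": counts, "by_category": dict(by_category),
            "risk_score": score, "top_dirs": top_dirs}


def highest_risk_paths(listing_text, limit=5):
    """Paths ordered by rule weight (descending), then alphabetically: what to act on first."""
    scored = []
    for line in listing_text.splitlines():
        path = line.strip()
        if path:
            category, weight = classify_path(path)
            scored.append((weight, path, category))
    scored.sort(key=lambda t: (-t[0], t[1]))
    return [(path, category) for _, path, category in scored[:limit]]


if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    for category, n in result["counts"].most_common():
        print(f"{category:20s} {n}")
    print("risk score:", result["risk_score"])
    for path, category in highest_risk_paths(SAMPLE_LISTING):
        print(f"  [{category}] {path}")
```

Rule order matters: a path such as "HR DEPARTMENT - UPDATED/Employee Files/J. Doe/I-9 form.pdf" is counted once, as an identity document, rather than also as HR material, so the counts stay a partition of the listing and the score does not double-count. On a real dump the listing is usually several hundred thousand lines, so run it once, keep the by_category output, and hand the identity_docs and credentials buckets to the people doing notifications and password resets before anything else.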
🔍 INCIDENT: Smith IP Services

📅 Attacker's Claim Date: February 10, 2026 (CL0P group)

🦠 Attacker: CL0P ransomware group

🎯 Compromised Domain: SMITHIPSERVICES.COM

🏢 About the Company: Smith IP Services is a U.S.-based company specializing in intellectual property (IP) services.

📦 Total size of the leaked archive: 97 GB

📂 WHAT WAS LEAKED:

✅ Thousands of patent applications
(US, Europe, China, Brazil, Australia, Canada, Argentina, Mexico and others)
✅ Trademarks in dozens of countries
✅ Correspondence with clients, including strategy, financials and legal recommendations
✅ Patent assignment records
✅ Internal company documents (HR, payroll, etc.)
✅ Personal files of employees

---

🧾 STATUS

The leak is complete: not only current cases have been compromised, but also archived files and matters previously transferred to other law firms. The most time-sensitive items are applications the patent offices have not yet published (publication normally follows 18 months after the priority date), since their confidentiality is exactly what the applicants were relying on.

The archive allows a full reconstruction of the commercial, financial and patent activities of the IP firm and its clients.

⚠️ Leak status: Published
🔍 INCIDENT: ENVIRONMENTAL CORPORATION OF AMERICA (ECA)

📅 Attacker's claim date: January 2026

🦠 Attacker: CL0P (Clop) ransomware group, a Russian-speaking RaaS group

🎯 Compromised domain: ECA-USA.COM

🏢 About the company:

Environmental Corporation of America (ECA) is a technology and aerospace industry company.

Headquarters: USA

📂 WHAT LEAKED:

✅ Client data - contracts, purchase orders (PO), invoices, shipping/delivery information
✅ Aerospace industry - technical documentation, specifications, drawings (potentially ITAR/EAR-controlled data)
✅ Finance - pricing, payment data, salaries, financial reports
✅ HR / Personnel - employee personal data, document scans, resumes
✅ Internal documentation - policies, procedures, internal correspondence
✅ IP / Intellectual Property - patents, technological developments, source code

⚠️ SECTOR RISK: CRITICAL
The aerospace industry is particularly exposed because of:
* the high value of its intellectual property
* export control regulations (ITAR / EAR)

ITAR (International Traffic in Arms Regulations) covers sensitive defense-related technical data. Public release of ITAR-controlled information is an unauthorized export with national security implications and can result in heavy regulatory penalties. Whether specific files in this dump are actually ITAR- or EAR-controlled cannot be determined from the file listing alone; that requires the company's own classification of each drawing and specification.

🚨 Leak status: Published
📋 INFORMATIONAL: THE CLOP GROUP

Context of CLOP Activity in 2025–2026
The CLOP (Clop) ransomware group is one of the most active and dangerous Russian-speaking RaaS (Ransomware-as-a-Service) groups. It specializes in mass-scale data-theft campaigns built on zero-day vulnerabilities in popular enterprise software:

* MOVEit Transfer: ~2,773 organizations (2023)
* GoAnywhere MFT: 100+ organizations (2023)
* Accellion FTA: dozens of organizations (2020–2021)
* Oracle E-Business Suite: dozens of organizations (2025)

In 2025, CLOP exploited a zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882), stealing data from dozens of organizations worldwide.

Confirmed victims of that campaign include:

* Harvard University
* The Washington Post
* Logitech
* Schneider Electric
* Emerson
* American Airlines (Envoy Air)
* GlobalLogic (data breach affecting 10,500+ employees)

CLOP's tactic is "double extortion": data theft plus the threat of public release. In its recent campaigns the group has largely skipped file encryption altogether; it steals data, gives the victim a limited window for negotiation, and then publishes the stolen data on its Tor leak site.

Why the Presence of Microsoft 365 Is Important Context, Not Proof of a Breach

CLOP is not just a ransomware operator; it is a group engaged in data theft and extortion. Its model is to get into the victim's environment by whatever means are available and exfiltrate as much as possible. If that environment includes Microsoft 365, access to it is a gold mine: C-level mailboxes, Teams discussions of deals, SharePoint, OneDrive.

As of 2026 there are at least three well-documented ways to gain full access to a Microsoft 365 tenant without touching Microsoft's own servers:

1. Session Interception via Compromised Routers (APT28)
In April 2026 an operation by Russian state hackers (GRU) was confirmed in which between 18,000 and 40,000 routers worldwide were compromised. The technique: DNS spoofing plus an adversary-in-the-middle (AiTM) proxy. The employee believes they are signing in to Outlook, but the login page is relayed through the attacker's proxy, which captures the password, the MFA code and, most importantly, the session cookie issued once MFA succeeds. Because that cookie is what proves the user already passed MFA, the attack works even with two-factor authentication enabled; only phishing-resistant methods bound to the real origin (FIDO2/passkeys, certificate-based authentication) defeat it.

2. Device Code Phishing (OAuth 2.0 Device Authorization Grant)
The attacker starts a device code flow, often with a legitimate first-party Microsoft client ID so that no consent screen for an unfamiliar app appears, and sends the victim a phishing email asking them to open the genuine Microsoft page https://aka.ms/devicelogin and enter a short code. Once the victim enters the code and completes MFA, Microsoft issues the access and refresh tokens to the client that started the flow, i.e. to the attacker, who then has the victim's mail, Teams and files for as long as the refresh token lives. The user has completed the MFA process voluntarily and legitimately; nothing was bypassed. A related variant, consent phishing, has the victim grant permissions to an attacker-registered application with a plausible name such as "Microsoft Security Scanner"; the result is the same, a refresh token in the attacker's hands.

3. Vulnerabilities in "Edge" File Transfer Systems (MOVEit, GoAnywhere)
This is classic CLOP. The group does not break into Microsoft 365 directly. It exploits an internet-facing system such as a managed file transfer server, drops a web shell, and pulls out the data that system holds. If that server or an adjacent portal stores domain or service credentials (for an SMB share, an M365 connector, a sync account), those can be reused to reach cloud mailboxes and SharePoint. That step is a possibility to check for during response, not a documented part of CLOP's mass-exploitation campaigns, which were satisfied with what the edge system itself contained.
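The two Microsoft 365 paths above that leave no trace on the victim's own servers (a replayed AiTM session and a completed device-code flow) do leave distinct traces in Entra ID sign-in logs. The detection below is an added example, not code from the original post or from Microsoft. It runs over constructed records shaped like Microsoft Graph signIn exports: the field names authenticationProtocol, authenticationRequirement, isInteractive and location.countryOrRegion are real schema fields, while every user, IP address and timestamp is invented. The 30-minute window and the "different country, no fresh MFA" rule are the editor's assumptions and should be tuned per tenant.

```python
from datetime import datetime, timedelta

# Constructed sign-in records in the shape of Entra ID sign-in log exports
# (Graph 'signIn' field names). All values are invented for this example.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2026-02-10T08:02:11Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "none",
     "authenticationRequirement": "multiFactorAuthentication", "isInteractive": True},
    # Same user twelve minutes later, other country, non-interactive, no MFA redone:
    # the shape a replayed AiTM session cookie produces.
    {"createdDateTime": "2026-02-10T08:14:40Z", "userPrincipalName": "cfo@example.com",
     "ipAddress": "198.51.100.77", "location": {"countryOrRegion": "NL"},
     "appDisplayName": "Office 365 Exchange Online", "authenticationProtocol": "none",
     "authenticationRequirement": "singleFactorAuthentication", "isInteractive": False},
    # A completed device code flow: the tokens went to whichever client started the
    # flow, which in a phishing case is the attacker's.
    {"createdDateTime": "2026-02-10T09:30:05Z", "userPrincipalName": "analyst@example.com",
     "ipAddress": "192.0.2.55", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Authentication Broker", "authenticationProtocol": "deviceCode",
     "authenticationRequirement": "multiFactorAuthentication", "isInteractive": True},
    # Benign: ordinary interactive MFA sign-in with nothing suspicious after it.
    {"createdDateTime": "2026-02-10T10:00:00Z", "userPrincipalName": "ops@example.com",
     "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "US"},
     "appDisplayName": "Microsoft Teams", "authenticationProtocol": "none",
     "authenticationRequirement": "multiFactorAuthentication", "isInteractive": True},
]


def _ts(record):
    return datetime.strptime(record["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def flag_device_code(signins, allowed_users=frozenset()):
    """Every sign-in completed through the OAuth device code flow, minus users that are
    expected to use it (shared conference-room or kiosk accounts, for example)."""
    return [r for r in signins
            if r.get("authenticationProtocol") == "deviceCode"
            and r["userPrincipalName"] not in allowed_users]


def flag_session_replay(signins, window=timedelta(minutes=30)):
    """Pair each interactive MFA sign-in with any later sign-in by the same user, inside
    `window`, from a different country, that did not satisfy MFA again. AiTM token theft
    looks exactly like this: the victim passes MFA once, the attacker's infrastructure
    then rides the stolen session."""
    by_user = {}
    for r in sorted(signins, key=_ts):
        by_user.setdefault(r["userPrincipalName"], []).append(r)
    hits = []
    for user, records in by_user.items():
        for i, first in enumerate(records):
            if not (first.get("isInteractive")
                    and first.get("authenticationRequirement") == "multiFactorAuthentication"):
                continue
            for later in records[i + 1:]:
                gap = _ts(later) - _ts(first)
                if gap > window:
                    break
                if (later["location"]["countryOrRegion"] != first["location"]["countryOrRegion"]
                        and later.get("authenticationRequirement") != "multiFactorAuthentication"):
                    hits.append({"user": user, "mfa_ip": first["ipAddress"],
                                 "replay_ip": later["ipAddress"],
                                 "minutes_after": int(gap.total_seconds() // 60)})
    return hits


def summarize(signins):
    """Both detections in one report: device-code users and AiTM-style replay pairs."""
    return {"device_code": [r["userPrincipalName"] for r in flag_device_code(signins)],
            "session_replay": flag_session_replay(signins)}


if __name__ == "__main__":
    for name, findings in summarize(SAMPLE_SIGNINS).items():
        print(name, findings)
```

The device-code check is a plain filter because a device-code sign-in is rare enough in most tenants to be worth a ticket on its own; the replay check needs the pairing because either record alone (an MFA sign-in, a non-interactive sign-in) is normal. Both produce nothing once device code flow is blocked by Conditional Access and phishing-resistant MFA is enforced, which is the point: they are for finding the tenants where that has not been done yet.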

What "Victim Uses Microsoft 365" Means: An Indicator of the Scale of Damage
The presence of Microsoft 365 at a victim organization is not proof that the breach occurred through it. It is, however, a critically important indicator for assessing potential damage.

In the context of the "What leaked" section:

* Victim does NOT use M365: only server files (standard documents)
* Victim DOES use M365: in addition to server folders, potentially all corporate correspondence (Outlook), chat history (Teams) and files from OneDrive and SharePoint

Thus "uses Microsoft 365" is not evidence of the intrusion itself; it is a marker of potential catastrophe. If CLOP gains access to a victim's network that includes M365, the volume of the leak grows sharply because the cloud-hosted communications come with it.
🔍 INCIDENT: Go Kall IT (Cloudy Drives): 5 Star Civil, CC Aggregates, IDR Builds

📅 Attacker's Claim Date: February 2026 (exact day not stated)

🦠 Attacker: CL0P ransomware group

🎯 Compromised Domain: gokallit.com (Cloudy Drives). Go Kall IT is a privately owned managed IT provider; the listed domain is the provider's, while the data belongs to its construction-company clients and, judging by the published structure, was taken from the cloud storage ("Cloudy Drives") hosted for them. One MSP compromise exposing several customers at once is the supply-chain pattern to note here.

🏢 About the affected companies: A group of construction companies operating in Texas (USA), including 5 Star Civil (earthwork and utility contractor), CC Aggregates (aggregate producer and supplier) and IDR Builds (residential and commercial construction company).

📦 Total size of the leaked archive: 1.36 TB

📂 WHAT WAS LEAKED:
✅ Complete financial records:

* Payroll journals for 2016–2023
* Bank statements for 2019–2025
* Federal income tax returns for 2015–2024
* Property tax documents for 2016–2025
* Texas franchise tax for 2018–2022
* Audit reports for 2018–2023
* Credit agreements and factoring contracts

✅ HR and personnel records:

* Employee folders (current and terminated employees)
* Tool agreements (liability agreements for tools)
* CDL driver files (commercial trucking)

✅ Trade secrets and project documentation:

* Bid folders with sections «01-PLANS (BID SET)», «A-5STAR ESTIMATE», «D-QUOTES» (subcontractor quotes), «E-PRICELIST» (price lists)
* Projects for 2022, 2023 and 2024, including Travis Club, Veramendi, Cottonwood, Crystal Falls, Maverick and dozens of others
* Drone documentation: DRONE VIDEO, DRONE PROJECTS (topographic surveys, orthophoto plans)
* Video records of construction progress

✅ Heavy equipment database:

* Complete records for heavy machinery (track hoes, wheel loaders, skid steers, water trucks, backhoes, compaction rollers, dump trucks and others)
* For each unit: contracts, repair invoices, maintenance logs

✅ Legal and judicial documents:

* Lawsuits folder, including the «Bell, Monty» case
* Land leases, land purchases, land sales (ranches, quarries, agricultural land)
* AMSOL bankruptcy documents

✅ Insurance documentation:

* Certificates of insurance
* Claims audits
* Fleet, equipment and workers' compensation insurance

✅ Client correspondence:

* Correspondence including strategy, financial discussions and legal recommendations
* Prime and subcontractor agreements

✅ Internal company documents:

* HR orders, job descriptions
* Safety documents (MSHA & Safety, Toolbox Talks)
* Internal policies and manuals

✅ Personal employee files:

* Employee photos (including a PICTURES folder with subfolders EQUIP PICS, COMPANY PHOTOS, CHRISTMAS PARTIES, FAMILY DAY)
* Resumes and application forms

🧾 Note
The leak affects not only current company projects but also archived files, including documents from previous years and files exchanged between contractors. Folders labeled «00 NOT AWARDED or NO BID» were found containing bid documentation for projects the companies did not win, which still carries commercial information from subcontractors and price lists.

The archive allows a full reconstruction of the commercial, financial and project activities of the construction companies and their partners.

🧾 STATUS
The leak is complete: the full 1.36 TB cloud storage file structure has been published. Not only current company matters have been compromised, but also archived files and documents previously exchanged with other contractors and subcontractors.

⚠️ Leak status: Published

🔍 INCIDENT: itRobotics

📅 Date of attacker's claim: January 25, 2026

🦠 Attacker: CL0P ransomware group

🎯 Compromised domain: itrobotics.com

🏢 About the company: itRobotics is an engineering company specializing in the development and manufacture of non-destructive testing (NDT) equipment for the oil and gas industry. Core areas: eddy current testing (ECT/ECTAS), magnetic flux leakage (MFL), and calibration and maintenance of inspection equipment for coiled tubing. Clients include Schlumberger (SLB), Tenaris, Baker Hughes, Weatherford, NOV, AlMansoori and others.

📦 Total leaked archive size: 220 GB

---

📂 WHAT WAS LEAKED

The following categories of data were identified:

Full technical documentation (know-how), CRITICAL LEAK:

- 3D models and drawings in SolidWorks (parts, enclosures, assemblies).
- Circuit diagrams and PCB files (Pulsonix, Advanced Circuits, PCB Universe), including boards for ATEX/CE equipment ("DAQ Box", "Ovality System", "Half Ring").
- Source code of FPGA firmware and LabVIEW 2011 software (ECTAS, CoilScan systems). This is the "heart" of their instruments.

Project documentation related to customers (confidential):

- Schlumberger (SLB): extensive correspondence (folders From Mansoor, To Mansoor), detailed repair reports (Repair Reports), diagnostic logs (Diagnostic Reports), packing lists and calibration files spanning many years.
- Tenaris, Quality Tubing, Global Tubing: complete inspection dossiers, including field notes, raw calibration data (CALIBRATION...) and binary files of tool run results.
- Baker Hughes: the Baker-Hughes CTCM folder presumably contains customer-specific documentation.

Internal quality system (ISO 9001):

- All SOPs (standard operating procedures), control procedures, non-conformance reports (NCR), validation reports.
- Component certificates (RoHS, ATEX, CE).
- Complete employee personal folders (Jim Westlake, Zhiyong Wang, Darrin, Matias Brusco and others), including resumes, correspondence, work notes and possibly personal data.

Logistics and correspondence:

- Thousands of packing lists and shipping reports from 2011–2025, revealing the full supply chain and customer base.
- Email correspondence (folders business@onesupport.com, Communications), containing discussions of contracts, technical issues and field tests.

Attack tooling on the same machine:

- The listing also shows items such as Ransomware note.txt (visible in one of the screenshots), Lockbit, Nemesis and other attack tools. This may mean the machine was also used for security testing or research, or that it carries artifacts of an earlier infection; the listing alone does not say which, and it raises the question of whether the January 2026 intrusion was the first.

🧾 NOTE (from the analyst):

The files show a well-organized engineering company with a strict folder structure. This means the attackers obtained not a "pile of trash" but a structured knowledge base. The leak includes intellectual property (source code and schematics) that could cause critical damage to itRobotics' business, since its products could be copied by competitors. Especially damaging is the loss of calibration insights and repair logs for SLB, which could undermine the trust of a key customer. The leak was claimed in January 2026. The 220 GB volume indicates that not only documents but likely also code repositories and CAD libraries were exfiltrated.

⚠️ STATUS:

Leak status: Published / Data is published.

🔍 INCIDENT: Broad Reach Retail Partners, LLC
📅 Date of attackers' claim: February 10, 2026 (the Clop group claimed responsibility; the publication of the file dump has been confirmed by analysis)
🦠 Attackers: CL0P ransomware group

🎯 Compromised domain: brrp.local (Broad Reach Retail Partners' internal Active Directory domain, visible in the user principal names below; the public domain is not named in the listing)

🏢 About the company: Broad Reach Retail Partners, LLC is a US private commercial real estate company headquartered in Millersville, Maryland. Founded in 2006. Manages 68 shopping centers totaling over 6 million square feet. Specializes in acquiring, managing, leasing and redeveloping shopping centers. Headcount: 10–50 employees. Estimated annual revenue: $1.7M–$10M.

📦 Total leaked archive size: 440 MB (judging by the file structure, a compressed copy of the cloud/network drives of several employees)

📂 WHAT WAS LEAKED

The following data categories were discovered:

- Personal folders of at least 6 employees with usernames: ajones@brrp.local, cretag@brrp.local, drogers@brrp.local, eroberts@brrp.local, ktodd@brrp.local, wstanwick@brrp.local
- Banking and payment documents: wire notifications with fraud alerts, executed purchase and sale agreements, interest-bearing account details
- Complete due diligence for the Fairview Centre property (Cleveland, Ohio): environmental reports (Phase I ESA), Property Condition Assessment (PCA), zoning analysis, roof condition report, void analysis
- All lease agreements and lease abstracts for dozens of tenants, including Giant Eagle, Dollar Tree, PNC Bank, Goldfish Swim School, Onyx Health Club, UPS Store and others
- Financial reports: general ledgers (GL) for all months of 2024, rent rolls, CAM reconciliations, accounts receivable, pre-acquisition tax estimates
- Seller due diligence, including internal accounting, reserves, tenant improvement allowances
- Insurance loss runs for 2020–2025
- Employee health and dental insurance data (handouts with rate tables)
- Folders for other real estate assets: Henderson Pointe (including a soft cost tracker), development projects in Canton (GA), Davenport (FL), Worcester (MA)
- Internal SOPs and instructions, including CentreStack recover deleted files SOP.docx (indicating possible use of the CentreStack file-sharing service)

🧾 ANALYST'S NOTE:

> *This is not just a "document leak"; it is a complete snapshot of the company's operational activities. The attackers gained access to banking details, current and planned transactions, tenant negotiations and employee insurance data. Particularly dangerous is the presence of files containing wire fraud alerts: they show the company's own wire procedures and bank contacts, which is exactly what an attacker needs to craft a convincing request to change payment details in a future transaction. Also notable is the absence of any public acknowledgment of the incident by the company more than three months after the attackers' claim.*

⚠️ STATUS:
Leak status: Published / Data has been published (the file dump has been confirmed and analyzed; the folder structure and file list are publicly available).

🔍 INCIDENT: Dhanarak Asset Development Co., Ltd.

📅 Date of attackers' claim: February 10, 2026

🦠 Attackers: CL0P ransomware group

🎯 Compromised domain: dad.co.th

🏢 About the company: Dhanarak Asset Development Co., Ltd. (DAD) is a state-owned enterprise, fully owned by the Ministry of Finance of Thailand. The company was established to develop, manage and operate government facilities, primarily the Chaeng Watthana government office complex in Bangkok. DAD is responsible for implementing the "Smart City" concept within this complex, including access control systems, smart parking and a unified super-application.

📦 Total leaked archive size: 694 GB

📂 WHAT WAS LEAKED

The following data categories have been confirmed:
* Contracts and commercial proposals
* Financial documentation
* Internal corporate documents
* Employee personal data
* Technical documentation and configurations
* Customer information
* Operational data

🧾 NOTE:

The data is in Thai. Given the company's role, the "technical documentation and configurations" category deserves particular attention: configurations for the access control and smart parking systems of a government complex are operational security information, not just corporate records.

⚠️ STATUS:

Leak status: Published / Data has been published (the file dump has been confirmed and analyzed; the folder structure and file list are publicly available).

🔍 INCIDENT: Conwest Developments

📅 Date of attackers' claim: February 7, 2026

🦠 Attackers: CL0P ransomware group

🎯 Compromised domain: conwest.com

🏢 About the company: Conwest Developments is a Canadian private real estate development company founded in 1985. Headquarters are located in Vancouver, British Columbia. The company specializes in commercial, industrial and residential projects in the Greater Vancouver region. Employee count: 100–250. Annual revenue: $10–50 million.

📦 Total leaked archive size: 450 MB

📂 WHAT WAS LEAKED

* Personal folders of at least 5 employees
* Video reports and visual data (drone or site inspection footage)
* Technical and project documentation (construction drawings)
* Permitting documentation and codes
* Financial and tax documents (BC Hydro bills, payment receipts)
* Legal documents and agreements
* Correspondence and presentations for investors/boards
* Rezoning and land development documents
* Environmental and regulatory requirements

🧾 ANALYST'S NOTE:

The leak constitutes a complete copy of the cloud storage of several key Conwest employees. Documents submitted for permit approval (Issued_for_Permit) contain precise engineering solutions.

⚠️ STATUS:

Leak status: Published

🔍 INCIDENT: Augustea SpA
📅 Date of attackers' claim: February 7, 2026

🦠 Attacking group: CL0P ransomware group

🎯 Compromised domain: augustea.com

🏢 About the company:
Augustea SpA is a traditional shipping company from Naples, Italy, whose history dates back to 1629. The company operates a modern fleet of about 50 vessels, tugs and barges and employs approximately 630 people. The group is also known for its activities in Malta.

📂 WHAT WAS LEAKED (attackers' claims)

• Contracts and commercial proposals
• Financial documentation
• Internal corporate documents
• Employee personal data
• Technical documentation and configurations
• Customer information
• Operational data

🧾 Analyst's note:

The data appears to have been taken via a third-party service rather than from Augustea's own infrastructure; the service is not named.

⚠️ Status:
Leak status: Claimed / Data partially published

🔍 INCIDENT: Labinf Sistemi S.r.l.
📅 Date of attackers' claim: February 7, 2026

🦠 Attacking group: CL0P ransomware group

🎯 Compromised domain: labinf.it

🏢 About the company:
Labinf Sistemi S.r.l. is an Italian IT company and software developer founded in 1978 and based in Chivasso, Italy. The company provides integrated IT solutions, including ERP systems (based on the open-source iDempiere), cloud computing, cybersecurity, network infrastructure design and custom software development for private companies and public institutions.

📦 Total size of the leaked archive: 80.3 GB

📂 WHAT WAS LEAKED (attackers' claims)

• Contracts and commercial proposals
• Financial documentation
• Internal corporate documents
• Employee personal data
• Technical documentation and configurations
• Customer information
• Operational data

🧾 Analyst's note:

The leak is categorized under the technology sector. As with any IT service provider, the "technical documentation and configurations" category may include material describing customers' environments, so the downstream exposure can exceed the company's own.

⚠️ Status:
Leak status: Claimed / Data partially published

🔍 INCIDENT: AIG Healthcare

📅 Date of attackers' claim: March 11, 2026

🦠 Attacking group: CL0P ransomware group

🎯 Compromised domain: aighealthcare.in

🏢 About the company:
AIG Healthcare is an Indian healthcare company.

📂 WHAT WAS LEAKED (attackers' claims)

• Contracts and commercial proposals
• Financial documentation
• Internal corporate documents
• Employee personal data
• Technical documentation and configurations
• Customer information
• Operational data

🧾 Analyst's note:

The data appears to have been taken via a third-party service; the service is not named.

⚠️ Status:
Leak status: Claimed / Data partially published

🔍 INCIDENT: AIG Business Solutions Pvt. Ltd.

📅 Date Reported: February 10, 2026

🦠 Attacking Group: CL0P ransomware group

🎯 Compromised Domain: aigbusiness.com

🏢 About the company: AIG Business Solutions Pvt. Ltd. is a business solutions provider headquartered in India.

📂 WHAT WAS LEAKED (attackers' claims)

• Contracts and commercial proposals
• Financial documentation
• Internal corporate documents
• Employee personal data
• Technical documentation and configurations
• Customer information
• Operational data

⚠️ Status:
Leak status: Claimed / Data partially published

🔍 INCIDENT: Bureaux Solutions

📅 Date of attackers' claim: January 21, 2026

🦠 Attacking group: CL0P ransomware group

🎯 Compromised domain: bureaux.fr

🏢 About the company:

Bureaux Solutions is a French company providing office solutions for businesses. Its services include renting fully equipped workspaces, meeting rooms and virtual offices. The company serves startups, freelancers and large enterprises, offering flexible and affordable solutions. Bureaux operates in several locations across France and in Belgium.

📦 Total size of the leaked archive: ~90 GB

📂 WHAT WAS LEAKED (attackers' claims)

• Contracts and commercial proposals
• Financial documentation
• Internal corporate documents
• Employee personal data
• Technical documentation and configurations
• Customer information
• Operational data

⚠️ Status:
Leak status: Claimed / Data partially published

🔍 INCIDENT: BOYDEN
📅 Attackers' claim date: February 10, 2026
🦠 Attacking group: CL0P ransomware group
🎯 Compromised domain: boyden.com

🏢 ABOUT THE COMPANY:
Boyden is an American company in the field of executive search and management consulting. The company was founded in 1946, and its headquarters are located in Tarrytown, New York. The number of employees is approximately 1,000.

📂 WHAT IS KNOWN ABOUT THE LEAK:
In mid-February 2026, the Clop group claimed responsibility for a cyberattack on Boyden's infrastructure. Information about the incident was published on the group's darknet site.

🧾 ANALYST'S NOTE:

At the time of analysis there is no data on the volume of the leaked archive or the types of compromised files. It is worth noting that in May 2024, long before the current Clop claim, another group, Medusa, released a data dump of Boyden amounting to 79.3 GB and demanded a ransom. The current Clop claim may therefore be either a new data theft or an attempt at repeat extortion using data already stolen in the earlier incident.

The data that the Clop group released in connection with this claim relates to Media World (Hong Kong) and Stones International, not to Boyden. Boyden appears only as a counterparty in a few files. Only a file containing a list or structure of files has been published, not the actual data.

⚠️ STATUS:
Leak status: Claimed / Data not published. The claim has been posted, but only a file listing has been released, and the files in it do not appear to be Boyden's own.

🔍 INCIDENT: RBD CONSTRUCTION

📅 Attacker's claim date: February 10, 2026

🦠 Attacker group: CL0P ransomware group

🎯 Compromised domain: rbdconstruction.com


🏢 About the company:
RBD Construction is an American construction company specializing in steel structures and industrial construction. It executes projects for Amazon, Lockheed Martin, Nucor and US military facilities (LRAFB).

📦 Total size of the leaked archive: 1.32 TB

📂 WHAT WAS LEAKED:

• Contracts and bidding documentation (2017–2025)
• Financial documentation (bank statements, taxes, invoices)
• Internal corporate documents (reports, meeting minutes, budgets)
• Employee personal data (passports, W-4, I-9, H-2B visas)
• Technical documentation (AutoCAD/Tekla drawings, software configurations)
• Client information (contracts, NDAs, subcontractors)
• Operational data (construction schedules, logistics)

🧾 ANALYST NOTE:

1. Critical data exposure: Banking information, contractor W-9 forms, employee I-9 and W-4 forms and passport data of foreign workers under the H-2B program all sat on the same file server as ordinary project files, with no sign of segregation or restricted access tiers. Encryption at rest would not have stopped an attacker operating with a valid account, but the lack of segregation meant a single foothold exposed everything; that handling is hard to square with the access-control expectations of SOC 2 and, for European clients' data, GDPR.

2. Industrial espionage as a key threat: The complete history of controlled drawings (Controlled files, REV 1/2/3, Archived) together with eight years of bidding documentation allows competitors to reconstruct the company's pricing policies, estimating norms and technical solutions for major projects (including Amazon, Nucor and defense contracts).

⚠️ Status:
Fully published: the file listing shows the complete structure of the corporate server with all key data categories.


🔍 INCIDENT: CFDT

📅 Attackers' claim date: February 10, 2026

🦠 Attacking group: CL0P ransomware group

🎯 Compromised domain: cfdt.fr

🏢 ABOUT THE ORGANIZATION: CFDT (Confédération Française Démocratique du Travail) is the largest trade union in France by number of members. Founded in 1964. It represents workers across various sectors, including healthcare, social services, finance, education and public services.

📂 WHAT WAS LEAKED:

According to analysis:
- Names and contact details of trade union members
- Trade union membership data
- Employee accounts: 23 employees
- User accounts: 735 users
- Third-party credentials: 9 records
- External attack surface: 116 nodes

The last four figures read like external exposure metrics (compromised accounts, leaked credentials, exposed hosts) rather than contents of the Clop dump; whether they derive from it is not stated. The exact list of compromised file types and the total volume of the leak have not been established at this time.

🧾 NOTE:

- CFDT has begun notifying affected union members and is working with cybersecurity experts to assess the damage
- The attack is part of a broader Clop campaign in February 2026; the group has claimed to have breached at least 25 organizations worldwide
- The leak poses a particular risk given the sensitive nature of trade union membership data (participation in collective bargaining, labor activity information), which is a special category of personal data under GDPR

🧾 STATUS:

⚠️ Leak status: Claimed / Data not published (the attack has been claimed, the data has not been publicly released, and the group is demanding a ransom)


🔍 INCIDENT: SPOHN ASSOCIATES

📅 Attackers' claim date: February 10, 2026

🦠 Attacking group: CL0P ransomware group

🎯 Compromised domain: spohnassociates.com

🏢 ABOUT THE COMPANY: Spohn Associates is an American company specializing in architectural solutions, including acoustics, wayfinding systems, sun protection and equipment for skate parks and playgrounds. The company provides design, project management and installation services.

📂 WHAT WAS LEAKED (attackers' claims)

• Contracts and commercial proposals
• Financial documentation
• Internal corporate documents
• Employee personal data
• Technical documentation and configurations
• Client information
• Operational data

🧾 NOTE:

- The attack is part of a larger Clop campaign in February 2026, in which the group claimed to have breached at least 25 organizations worldwide.

- According to DNS analysis, the domain spohnassociates.com uses arsmtp.com mail servers and its SPF record includes edgepilot.com, i.e. outbound mail goes through a third-party filtering/relay provider. This describes the mail setup only; it says nothing about the intrusion vector.

⚠️ STATUS:
Leak status: Claimed / Data not published (the attack has been claimed, the data has not been publicly released, and the group is demanding a ransom)

🔍 INCIDENT: INTEGRITEK

📅 Attackers' claim date: January 21, 2026

🦠 Attacking group: CL0P ransomware group

🎯 Compromised domain: integritek.net

🏢 ABOUT THE COMPANY: Integritek is an American IT company specializing in managed IT services. The company provides IT support, cybersecurity, cloud services and disaster recovery. Integritek focuses on business process optimization, security enhancement and IT risk reduction, offering a tailored approach to each client.

📦 Total volume of leaked archive: 2.63 TB

📂 WHAT WAS LEAKED (attackers' claims)

• Contracts and commercial proposals
• Financial documentation
• Internal corporate documents
• Employee personal data
• Technical documentation and configurations
• Client information
• Operational data

🧾 NOTE:

* On January 21, 2026, the Clop group publicly announced a cyberattack on Integritek's infrastructure and threatened to publish the stolen data.
* The attack was first observed in open sources on January 25, 2026.
* Integritek updated its Privacy Policy on March 18, 2026, which may be indirectly related to the incident (a typical legal step following a leak).
* The company is based in the US and operates in the IT services sector. For a managed service provider the leak is particularly sensitive: its "technical documentation and configurations" may include credentials and network details for client environments, so each client should treat itself as potentially exposed.
* The leak may contain data from Perpetual Financial Group and Garner Group.

⚠️ STATUS:
Leak status: Published (attack claimed, data leak claimed, volume 2.63 TB)
