Back to Blog
high severity July 10, 2026 · scope unconfirmed

AFWorkshop Listed by Deadlock Ransomware Group

⚠ Were you caught in this breach?
Check your email against 15.4B+ leaked records in 15 seconds — free, no signup.
Scan my email — free → Instant · no account

AFW an international architectural and design firm based in Singapore. Formerly known as Andy Fisher Workshop, the firm has been operating since 2004. They are a multi-disciplinary practice that works on a variety of large-scale and boutique projects across Asia and beyond.

Severity High
Disclosed July 10, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On July 10, 2026, architectural and design firm AFWorkshop appeared on the leak site of the Deadlock ransomware group. The company, formerly known as Andy Fisher Workshop and based in Singapore, had internal files exfiltrated during a ransomware attack. While the exact number of people whose information was exposed remains unknown, anyone whose personal or professional data was stored in the firm’s systems could be affected.

Confirmed Details of the Breach

Public reporting indicates that Deadlock claims to have stolen internal files from AFWorkshop’s networks. The firm, which has operated since 2004, works on large-scale and boutique projects across Asia. Available reporting describes the incident as a typical ransomware operation in which attackers gain access, exfiltrate data, and later threaten to publish it if demands are not met. No confirmed total of records exposed has been released, and the precise types of information contained in the files have not been publicly detailed beyond the broad description of internal documents.

Why This Matters for You and Your Family

When an architecture or design firm is breached, the files often contain contracts, client contact details, addresses, phone numbers, email accounts, and sometimes copies of identification documents. If your home, office, or project was handled by AFWorkshop, your personal information may now sit in a ransomware leak repository. Credential leaks from such incidents frequently cascade into account takeovers that reach far beyond the original breach. For families this can mean sudden exposure of children’s names, school details, or linked gaming accounts that use the same email addresses or passwords parents reuse at work.

A single leak rarely stays isolated. Once data appears on a ransomware site, it is quickly scraped by other criminals who combine it with information from earlier breaches to build detailed profiles.

The Doxxing and Identity-Chain Risk

Ransomware groups like Deadlock do not need to publish every file to cause harm. Even partial leaks of client lists or project folders can give attackers the starting points for doxxing chains. A leaked work email can be matched to a personal social-media handle, then to a child’s gaming username, then to a home address. These identity chains allow criminals to harass, impersonate, or extort individuals long after the original corporate incident fades from headlines. Children’s gaming accounts are especially vulnerable because parents often share passwords or recovery emails across work, personal, and family use.

Deadlock Ransomware Group Track Record

Public reporting attributes the Deadlock ransomware group with operations that emerged in recent years. The group has targeted organizations across multiple sectors, using a playbook that typically involves initial access through phishing or exploited vulnerabilities, followed by data exfiltration and extortion via leak sites. Their approach combines encryption of victim systems with the public shaming of companies that refuse to pay, a pattern seen in attacks on other mid-sized firms whose client data held personal information.

What to do

  • Run a DoxxScan to map every link between your handles, emails, phone numbers, and real identity, with no-subscription cleanup handled by the specialists.
  • Rotate any password you used at AFWorkshop or related professional accounts anywhere it has been reused, and switch on 2FA through an authenticator app rather than text messages.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next exposure of your information is caught in hours, not months.
  • Cover the household with DoxxScan family coverage that extends to dependents and children’s gaming accounts that often chain back to the same addresses or emails.
  • Let the remediation specialists perform hands-on takedown requests across data brokers and leak sites on your behalf.

The speed with which ransomware data moves from leak sites into broader criminal ecosystems means families cannot afford to wait for confirmation that their information was included. Starting protective steps now limits how far any single breach can reach. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4 billion breach records and more than 100 platforms, AI-powered identity-chain mapping that connects online handles to real identities, and hands-on remediation by specialists who manage takedowns for you and your entire household, including children’s gaming accounts that are frequently swept into these cascades.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.