Back to Blog
high severity July 01, 2026 · scope unconfirmed

Bd Listed by medusalocker Ransomware Group

Organization with 772 emails extracted. Domain: bd.zh.ch

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed July 01, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On July 1, 2026, the Swiss government-linked domain bd.zh.ch appeared on the MedusaLocker ransomware group’s leak site with 772 email addresses and internal files now publicly available for download.

Confirmed Facts from Reporting

Public reporting indicates the organization suffered a ransomware attack in which attackers exfiltrated internal files before encrypting systems. The leak site lists the victim under the entry “Bd” and provides a direct link to the stolen data. Available reporting describes 772 unique email addresses extracted from the victim’s environment. No confirmed total number of affected individuals has been published, and the precise volume of documents remains undisclosed beyond the statement that internal files were taken.

The domain bd.zh.ch belongs to a public administration entity in the canton of Zurich, Switzerland. Ransomware.live, a widely referenced tracker of extortion activity, first indexed the listing on the stated date. As of this writing the data remains accessible on the MedusaLocker onion site.

Why This Matters for You and Your Family

When a government-linked body loses control of internal files and hundreds of email addresses, the information can spread far beyond the original target. Internal files often contain spreadsheets, contracts, or notes that list names, addresses, dates of birth, or financial details of ordinary residents who interacted with the agency. Once those records reach public forums or dark-web markets, anyone whose data appears can face increased risk of identity theft, phishing, or unwanted contact.

Your family’s exposure is not limited to the initial breach. A single email address tied to a government service can unlock other accounts if you reuse passwords. Children’s school records, medical appointments, or after-school activity registrations frequently share the same contact details, turning one leak into a household-wide problem.

The Doxxing and Identity-Chain Implications

Attackers rarely stop at the first dataset. Public reporting shows that ransomware groups and subsequent buyers routinely combine newly released emails with information already circulating on 100-plus platforms. This creates an identity chain: an email leads to a username, the username appears in a gaming account, the gaming account links to a Discord handle, and the handle reveals a home address or phone number.

Credential leaks like this one cascade into account takeovers. A compromised government email can be used to reset passwords on retail sites, banks, or social media. Children’s gaming accounts are especially vulnerable because they often use parent email addresses and weak or reused passwords. Once an attacker controls the gaming profile, they can harvest friends lists, chat logs, and any personal details shared during play, feeding the next link in the doxxing chain.

MedusaLocker’s Publicly Known Track Record

Public reporting attributes MedusaLocker’s emergence to late 2019. The group has since hit hospitals, schools, municipalities, and private companies across multiple continents. Notable prior victims include healthcare providers and local government agencies whose patient or citizen records were later published when ransom demands went unpaid.

The typical playbook begins with initial access gained through phishing, remote desktop protocol brute-force, or exploited vulnerabilities. After gaining a foothold, operators exfiltrate selected directories, deploy encryption across the network, and post samples on their leak site. Extortion follows a double-pressure model: demands are sent to the victim organization while a public countdown clock runs on the dark-web portal. If payment is not received, additional data batches are released in stages.

What to do

  • Run a DoxxScan to map every link between your handles, emails, phone numbers, and real identity, then use the included no-subscription cleanup of data broker listings tied to the breach.
  • Rotate the password used at bd.zh.ch anywhere it is reused and enable two-factor authentication through an authenticator app rather than SMS.
  • Enable continuous DoxxScan monitoring across 15.4 billion breach records and 100-plus platforms so the next exposure surfaces in hours instead of months.
  • Cover the household with DoxxScan family coverage that extends to dependents and children’s gaming accounts, which frequently chain back to the same parent email or address.
  • Let remediation specialists handle ongoing takedown requests for any personal records that surface on data broker or paste sites following this incident.

The speed with which leaked government data moves from a ransomware site into criminal ecosystems leaves little room for delay. Starting with a clear picture of your current exposure and maintaining continuous oversight offers the most practical protection for you and your family. DoxxScan by GalaxyWarden delivers that combination of continuous monitoring across 15.4B+ breach records and 100+ platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full household coverage including children’s gaming accounts.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.