Back to Blog
high severity December 22, 2025 · scope unconfirmed

Friis & Moltke Listed by akira Ransomware Group

Friis & Moltke delivers architecture that serves a diverse client base, ensuring their designs meet both the needs of their client s and the community. We will upload 12gb of corporate data soon. Personal documents (c pr numbers (danish SSNs), passports and other docs), financials, projects, specification and drawings, etc.

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed December 22, 2025
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On December 22, 2025, Danish architecture firm Friis & Moltke appeared on the leak site of the Akira ransomware group. The attackers stated they will soon upload 12GB of corporate data that includes personal documents such as Danish CPR numbers, passports, financial records, project files, specifications, and drawings.

Confirmed Details from Reporting

Public reporting indicates the firm was listed on the Akira ransomware leak portal. The group claims to have exfiltrated internal files during a ransomware incident and has threatened to publish the archive. The exposed material reportedly contains sensitive personal identifiers belonging to clients, employees, or business contacts, alongside standard corporate project documentation. No confirmed victim count has been released, and the precise date of initial compromise remains undisclosed in available reporting.

The leak site posting explicitly lists categories including CPR numbers (Danish SSNs), passports, financial documents, and architectural drawings. Industry research from sources such as DoxxScan™ continuous monitoring indicates that architecture and engineering firms frequently hold copies of client identity documents for permitting and compliance purposes, which explains the breadth of personal data now at risk.

Why This Matters for You and Your Family

When a company that has worked on your home, office, or community project suffers a breach, your personal information can leave with it. A single leaked Danish CPR number combined with a passport scan or address can give identity thieves everything needed to open accounts, file fraudulent taxes, or impersonate you. If you or your family have ever hired an architect, contractor, or design firm, this incident illustrates how your data may already sit in repositories you never knew existed.

Children’s records are not immune. Many families provide guardian details or student information during school renovation projects or community builds. Once those records surface, they can be cross-referenced with gaming usernames or social media handles, creating long-term privacy and safety risks for minors.

The Doxxing and Identity-Chain Risk

A breach of this type rarely stops at one leak. Attackers or opportunistic criminals can chain the exposed CPR numbers, emails, and addresses to usernames found on gaming platforms, social networks, or data-broker profiles. The result is a detailed identity map that enables doxxing, targeted phishing, or even physical stalking. Credential leaks like this one frequently cascade into account takeovers because people reuse the same passwords across work, personal email, and gaming services.

Akira Ransomware Group Track Record

Public reporting attributes the attack to the Akira ransomware group. The group first emerged in 2023 and has since targeted organizations across multiple countries with a double-extortion model: they encrypt victim systems and simultaneously exfiltrate data, then demand payment to prevent publication. Notable prior victims include manufacturing companies, technology service providers, and professional services firms. Their typical playbook involves initial access through compromised remote desktop credentials or phishing, followed by quiet exfiltration over weeks before deploying ransomware and later listing non-paying victims on their leak site with countdown timers.

What to do

  • Run a DoxxScan to map every link between your handles, emails, phone numbers, and real identity, then use the no-subscription cleanup to remove what you can.
  • Rotate any password you ever used at Friis & Moltke or related design portals anywhere it is reused, and switch on 2FA through an authenticator app rather than SMS.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next exposure of your data is caught in hours, not months.
  • Cover the household with DoxxScan family coverage that extends to dependents and children’s gaming accounts that often chain back to the same address or parent email.
  • Let remediation specialists handle takedown requests across data brokers and leak sites for you while you focus on securing day-to-day accounts.

The incident shows that even specialized professional firms can become gateways to your family’s most sensitive identifiers. Taking concrete steps now limits how far criminals can travel down the identity chain. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4 billion breach records and more than 100 platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full household coverage that includes children’s gaming accounts. Start your DoxxScan trial today to understand exactly what is exposed and begin closing those doors.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.