Kochs GmbH Listed by aurora Ransomware Group
[manufacturer] *** — a family-owned German manufacturer of windows, doors, and aluminium façade systems headquartered in Herzogenrath, Nordrhein-Westfalen, with ~240 employees across Germany, the Netherlands, and Hungary. The exposed material includes: 22 GB of payroll database backups (7 MSSQL .bak files, 2016–2023) — every employee's salary, bank IBAN, tax class, social insurance number, pension contributions, and wage garnishments. 2.3 GB of DATEV payroll records (through May 2026) — individual named salary documents, garnishment data, company car records for all three entities. 7 Active D
On June 22, 2026, German manufacturer Kochs GmbH appeared on the leak site of the aurora ransomware group after attackers exfiltrated more than 24 GB of internal files, including detailed payroll records containing employees’ salaries, bank IBANs, social insurance numbers, and tax data.
Confirmed Facts from Reporting
Public reporting indicates that Kochs GmbH, a family-owned company headquartered in Herzogenrath, Nordrhein-Westfalen, produces windows, doors, and aluminium façade systems. The firm employs roughly 240 people across operations in Germany, the Netherlands, and Hungary.
22 GB of payroll database backups in the form of seven MSSQL .bak files covering 2016–2023 were taken. These contain every employee’s salary details, bank IBAN, tax class, social insurance number, pension contributions, and wage garnishments. An additional 2.3 GB of DATEV payroll records through May 2026 include individually named salary documents, garnishment data, and company car records for all three legal entities. The aurora group posted the material on its dark-web leak site, accessible via the onion address hosted on ransomware.live.
Why This Matters for You and Your Family
When a company’s payroll files leave its control, the information can be used to commit identity theft, file fraudulent tax returns, or open accounts in your name. If you or a family member worked at Kochs GmbH or any vendor that shared payroll data with them, your bank details, social insurance number, and exact salary history are now in the hands of criminals. Even if you were not directly employed there, spouses and adult children listed as emergency contacts or beneficiaries can also be exposed through these records.
Payroll data from 2016 to 2023 creates a long historical window that fraudsters prize. A single leaked IBAN combined with a social insurance number is often enough to bypass basic bank security checks. For ordinary families this translates into months or years of cleaning up credit reports, disputing fraudulent charges, and worrying about tax authorities receiving false filings under your name.
The Doxxing and Identity-Chain Implications
Stolen payroll files rarely stay isolated. Attackers cross-reference names, addresses, dates of birth, and bank details with information from earlier breaches. This creates an identity chain that links your work email to personal accounts, phone numbers, and even children’s gaming usernames if the same password or recovery details were reused. Once the chain exists, opportunistic criminals can move from financial fraud to full doxxing—publishing home addresses, children’s names, and daily routines.
Credential leaks like this one cascade into account takeovers on gaming platforms, social media, and email. A child’s Roblox or Minecraft account tied to a parent’s reused password can quickly become part of the same chain, exposing the entire household to harassment or further extortion.
Aurora Ransomware Group’s Track Record
Public reporting attributes the attack to the aurora ransomware group. The group emerged in late 2024 and has since listed dozens of victims, primarily mid-sized European manufacturers and service companies. Its typical playbook begins with initial access through phishing or exploited remote desktop credentials, followed by deployment of ransomware to encrypt systems. After exfiltration, aurora demands payment and, if unmet, publishes samples or full datasets on its leak site to pressure victims. The group’s extortion style combines data leaks with direct threats to notify customers, partners, and regulators.
What to do
- Run a DoxxScan to map every link between your handles, emails, phone numbers, and real identity so you can see exactly what chains exist from this breach.
- Rotate the password used at Kochs GmbH anywhere it is reused, and switch on 2FA through an authenticator app rather than SMS.
- Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next leak that touches your data is caught in hours, not months.
- Cover the household with DoxxScan family coverage that extends to dependents and children’s gaming accounts that often chain back to the same addresses and passwords.
- Let the remediation specialists handle takedown requests across data brokers and leak sites for you while you focus on securing accounts.
The incident shows how quickly payroll data from a single manufacturer can threaten the financial and personal safety of ordinary families. Acting promptly on the exposed information gives you the best chance of limiting damage before criminals stitch it into larger identity chains. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4B+ breach records and 100+ platforms, AI-powered identity-chain mapping, hands-on remediation by specialists, and full household coverage that includes children’s gaming accounts—practical protection when leaks like aurora’s appear without warning.
Related breaches
COP® Vertriebs-GmbH Zentrale Listed by qilin Ransomware Group
N/A…
Excel Cell Electronic Listed by thegentlemen Ransomware Group
***.com.tw zoominfo.com/c/excel-cell-electronic-co-ltd/372144382 Excel Cell Electronic Co., Ltd. (EC…
rtngmbh.de Listed by safepay Ransomware Group
Founded in 2015, the company specializes in the construction, installation, maintenance, and rehabil…
A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.
⚠ Were you in this breach?
Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.
Check my email — free →