Back to Blog
high severity April 13, 2026 · scope unconfirmed

Lift Listed by dragonforce Ransomware Group

Lift AG is a Swiss lift manufacturer established in 1958, specializing in high-quality elevator solutions for residential and commercial buildings. The company offers a wide range of products including new installations, replacement systems, modernization services, and maintenance contracts. With a commitment to flexibility and customer satisfaction, Lift AG caters to various client needs with tailored solutions. As an independent family business, it prides itself on its experienced team and strong service network across the German-speaking part of Switzerland

⚠ Were you affected?
Free email scanner — we check your address against 15.4B+ leaked records in 15 seconds.
Run free scan →
Severity High
Disclosed April 13, 2026
Affected Unconfirmed
Data exposed Internal files exfiltrated in ransomware attack

On April 13, 2026, Swiss elevator manufacturer Lift AG appeared on the leak site of the dragonforce ransomware group, with internal files exfiltrated during a ransomware attack.

Confirmed Facts from Reporting

Public reporting indicates that dragonforce listed Lift AG on its data leak site, claiming to have stolen internal company files. The Swiss firm, founded in 1958, specializes in elevators and related services for residential and commercial buildings across German-speaking Switzerland. Available reporting describes the exposed material as internal files, though the precise volume and full list of data types remain unclear. No confirmed customer or employee personal data count has been released by the company or the attackers.

April 13, 2026 marks the public listing date. The attack follows the typical ransomware pattern of encryption followed by data exfiltration and extortion pressure. Lift AG has not yet issued a public statement detailing the scope, according to available reporting.

Why This Matters for You and Your Family

When a company like Lift AG that installs and maintains elevators in homes and apartment buildings suffers a breach, the information exposed can easily include contracts, maintenance schedules, contact details, and addresses tied to ordinary customers. If your building uses Lift AG systems, your address, phone number, or email could sit inside those stolen files. Once leaked, such data rarely stays contained. It moves quickly into broader identity theft operations that target regular families rather than corporations.

Internal files often contain spreadsheets or databases that link names to physical locations. For many Swiss households, that location is both home and the place where children play, sleep, and log into online accounts. A single leaked address can serve as the starting point for doxxing attempts that reveal far more than you expect.

The Doxxing and Identity-Chain Implications

Ransomware leaks rarely stop at one company. Attackers publish data that other criminals then combine with earlier breaches. A phone number from a Lift AG maintenance record can link to your email address seen in a past breach, which then connects to a username used on gaming platforms or social media. These identity chains allow attackers to map handles to real people and addresses with surprising speed.

Credential leaks like this one cascade into account takeovers. If a family member reused a password listed in the stolen files, or if an employee’s credentials appear, the risk extends beyond the office. Children’s gaming accounts frequently use the same email domains or recovery phone numbers as household contracts, creating a direct path from corporate breach to personal harassment or financial fraud.

Dragonforce’s Publicly Known Track Record

Public reporting attributes dragonforce with emerging in late 2024 as a ransomware operation that combines double-extortion tactics with aggressive leak-site publication. The group has listed victims ranging from manufacturing firms to service companies, typically following a playbook of initial access through phishing or exploited remote desktop services, followed by exfiltration of sensitive files and demands for payment to prevent release. Their extortion style relies on short deadlines and public shaming on their onion site when payments are not made. Exact prior victim counts remain fluid, as new names appear weekly on ransomware tracking sites.

What to do

  • Run a DoxxScan to map every link between your email addresses, phone numbers, handles, and real-world identity, then use the no-subscription cleanup to remove what you can.
  • Rotate any password you ever used at Lift AG or similar service providers, and enable 2FA through an authenticator app rather than SMS.
  • Enable continuous DoxxScan monitoring across 15.4B+ breach records and 100+ platforms so the next exposure of your information is caught and addressed in hours, not months.
  • Cover the household with DoxxScan family coverage that extends to dependents and children’s gaming accounts that often chain back to the same addresses and recovery details.
  • Let remediation specialists handle takedown requests across data brokers and leak sites for you while you focus on securing accounts at home.

The Lift AG incident shows that data from everyday service companies can quickly feed larger doxxing operations. Staying ahead requires more than changing one password. DoxxScan by GalaxyWarden delivers continuous monitoring across 15.4 billion breach records and over 100 platforms, AI-powered identity-chain mapping that connects scattered handles to real identities, and hands-on remediation by specialists who manage takedowns for the entire household, including children’s gaming accounts. One practical step today can limit how far this breach travels into your life tomorrow.

Share this Post on X Reddit Email
Why this isn’t just another breach checker

A breach leaks your credentials. Then hackers chain those credentials to your address, family, phone, and employer using public broker sites. We’re the only tool built around that chain.

Free checker Tells you the breach happened. End of story. You’re still on 800+ broker sites.
$129+/yr Broker-removal services scrub the address but don’t see the breach — next leak re-exposes you.
GalaxyWarden Maps the chain. Cleans both halves. $19 one-shot. Closed loop.

⚠ Were you in this breach?

Free email scanner. We check your address against 15.4B+ leaked records in 15 seconds — then show you the $19 cleanup that removes you from the broker sites aggregating leaked data.

Check my email — free →
Close the chain attack

Both halves of the chain, cleaned once.

A breach put your credentials in 15.4B+ leaked records. Hackers chain that data to your address on 800+ broker sites. GalaxyWarden closes both halves for $19 once — no subscription required.

Clean both halves — $19 →
Free breach scan + 800+ broker letters + 30-day proof · one payment, no subscription
W Warden Plus — ongoing monitoring $9.99/mo
Warden Plus ($9.99/mo or $99/yr): weekly re-scans, breach alerts, AI Concierge, auto re-files on relisted brokers.