Threat-actor trackers
The ransomware and extortion crews behind the breaches we cover — who they are, how active they've been, and every incident we've attributed to them. Each tracker grows automatically as our daily breach ingest picks up new claims.
Most active crews
Akira
Latest: General Doors Breached by Akira Group
Qilin
Latest: Ahorramas Supermarket Chain — May 2026
TheGentlemen
Latest: The Gentlemen Ransomware Gang Suffers Internal Data Leak
Nova
Latest: LTI Services Hit by Nova Ransomware
DragonForce
Latest: Business Record Media Hit by DragonForce Ransomware
LockBit
Latest: JEC Eye Hospitals and Clinics Hit by LockBit Ransomware
Payload
Latest: A-Sonic Logistics Hit by Payload Ransomware
ShinyHunters
Latest: Zara Data of 197K Customers Exposed in ShinyHunters Ransomware Attack
Also tracking
Everest
Latest: Advanced Psychiatry Associates Hit by Everest Ransomware
Incransom
Latest: Life Bridges Non-Profit Claimed by Incransom Ransomware
NightSpire
Latest: Legendary Home Services Breached by NightSpire Ransomware
SafePay
Latest: Verzolla Breached by SafePay Ransomware
Abyss
Latest: Abyss Ransomware Claims Breach of Technic Inc.
Bashe
Latest: Vienna Airport Claimed in Bashe Ransomware Attack
BrainCipher
Latest: Golden State Orthopedics & Spine Breached by BrainCipher
Chaos
Latest: Chaos Ransomware Claims Breach of Universal Plant Services
Claims
Latest: FulcrumSec Claims Ransomware Attack on Arup Group
Collective
Latest: Brightspeed Fiber Broadband Incident — January 2026
DeadLock
Latest: Italian Customs Broker CAD 93 Hit by DeadLock Ransomware
Discloses
Latest: River Financial Corp Discloses Ransomware Incident
Engineering
Latest: Atencio Engineering Ransomware Claim — May 2026
FulcrumSec
Latest: FulcrumSec Claims Ransomware Attack on Arup Group
Genesis
Latest: IMA Diligence Services Notifies 525K on Legacy Server Breach
Interlock
Latest: Reynella East College Claimed by Interlock Ransomware
Krybit
Latest: Dominican Tourism Police Hit by Krybit Ransomware
Leaks
Latest: World Leaks ransomware hits Hungarian media firm Mediaworks
Morpheus
Latest: Baytech Hit by Morpheus Ransomware with 110GB Data Leak
Nitrogen
Latest: Nitrogen Ransomware Claims Foxconn Breach
PEAR
Latest: Alpha IT AS Breached by PEAR Group
Play
Latest: Corley Manufacturing Hit by Play Ransomware
Residential
Latest: Brittany Residential Ransomware Claim — May 2026
Services
Latest: Bay State Land Services Ransomware Claim — May 2026
Settra
Latest: PChome Taiwan Hit by Settra Ransomware via Infostealer
SpaceBears
Latest: Geske Haus Hit by SpaceBears Ransomware
Stormous
Latest: JAG Group Full Data Dump Claimed by Stormous
Supermercados
Latest: Bandeirante Supermercados Ransomware Claim — May 2026
How these trackers work
Our breach ingest monitors public reporting and ransomware leak sites daily. When an incident is claimed by or attributed to a named group, it's added to that group's tracker automatically. "Claimed by" is not proof — extortion crews sometimes exaggerate or recycle old data — so every entry links to the full write-up with sources.
If an organization you use appears here
Treat your data as circulating. Stolen records get scraped into the same broker-and-dump ecosystem that doxxers and identity thieves search. The fastest way to know your real exposure is a free breach scan — it checks your email against 15.4B+ leaked records in about 15 seconds, including data tied to the groups above.