SafePay Ransomware Group Leaks 237GB of Data from Global Crane Manufacturer Favelle Favco
On 16 April, the SafePay cyber extortion group listed Favelle Favco, a Malaysia-based heavy crane manufacturer with operations in Australia, as a ransomware victim on its darknet leak site. The hackers published a 237GB dataset, exposing sensitive corporate and personal information.
The leaked files include:
- Passport and driver’s license scans of Australian employees
- Internal and customer correspondence
- Financial data and technical specifications of Favelle Favco’s cranes
- Maintenance records and documents related to a 2025 crane collapse in Melbourne’s Derrimut suburb
Favelle Favco, which operates in Malaysia, Australia, the Middle East, Europe, and the U.S., specializes in high-capacity cranes, including the Kroll K10000 the world’s largest tower crane and the Favelle Favco M2480DX, the largest luffing tower crane. The company has played a role in constructing 12 of the world’s 14 tallest buildings and employs over 508 people globally.
SafePay, first detected in October 2024, has claimed over 450 victims across 11 countries, including Australia, the U.S., the U.K., and Germany. Unlike many ransomware groups, SafePay denies operating as a ransomware-as-a-service (RaaS) provider. Recent Australian targets include NSW-based dental practice Smile Team Orthodontics (March 2025) and IT distributor Ingram Micro (July 2025), the latter exposing 42,000 individuals’ personal data.
Favelle Favco has not responded to requests for comment.
Favelle Favco Cranes (M) Sdn Bhd cybersecurity rating report: https://www.rankiteo.com/company/favelle-favco-cranes-m-sdn-bhd
"id": "FAV1776831845",
"linkid": "favelle-favco-cranes-m-sdn-bhd",
"type": "Ransomware",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'industry': 'Heavy Machinery/Manufacturing',
'location': 'Malaysia (HQ), Australia, Middle East, '
'Europe, U.S.',
'name': 'Favelle Favco',
'size': '508+ employees globally',
'type': 'Corporation'}],
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Passport scans',
'Driver’s license scans',
'Internal correspondence',
'Customer correspondence',
'Financial data',
'Technical specifications',
'Maintenance records']},
'date_detected': '2025-04-16',
'date_publicly_disclosed': '2025-04-16',
'description': 'On 16 April, the SafePay cyber extortion group listed Favelle '
'Favco, a Malaysia-based heavy crane manufacturer with '
'operations in Australia, as a ransomware victim on its '
'darknet leak site. The hackers published a 237GB dataset, '
'exposing sensitive corporate and personal information. The '
'leaked files include passport and driver’s license scans of '
'Australian employees, internal and customer correspondence, '
'financial data, technical specifications of Favelle Favco’s '
'cranes, maintenance records, and documents related to a 2025 '
'crane collapse in Melbourne’s Derrimut suburb.',
'impact': {'brand_reputation_impact': 'Potential damage due to data leak',
'data_compromised': '237GB of sensitive corporate and personal '
'data',
'identity_theft_risk': 'High (passport and driver’s license scans '
'exposed)'},
'investigation_status': 'Ongoing',
'motivation': 'Extortion',
'ransomware': {'data_exfiltration': 'Yes', 'ransomware_strain': 'SafePay'},
'references': [{'date_accessed': '2025-04-16',
'source': 'Darknet leak site (SafePay)'}],
'threat_actor': 'SafePay',
'title': 'SafePay Ransomware Group Leaks 237GB of Data from Global Crane '
'Manufacturer Favelle Favco',
'type': 'Ransomware'}