In January 2025, **Ledger**, a Paris-based crypto-wallet vendor, fell victim to a **Violence-as-a-Service (VaaS) attack** orchestrated by Russia-linked groups **Renaissance Spider** and **The Com**. The co-founder of Ledger was **kidnapped** in France as part of an extortion scheme tied to cryptocurrency theft. The attack was executed via **Telegram-coordinated networks**, leveraging physical violence, arson threats, and ransom demands. This incident was among **17 recorded VaaS attacks since January 2024**, with **13 occurring in France alone**, prompting **Europol to establish a dedicated taskforce** to counter the escalating threat. The attack not only endangered the executive’s life but also exposed Ledger to **reputational damage, operational disruption, and potential financial losses** due to ransom pressures. The incident underscores the convergence of **cyber extortion and physical violence**, targeting high-profile individuals in the crypto sector to exploit digital and real-world vulnerabilities.
Source: https://www.infosecurity-magazine.com/news/leak-site-ransomware-victims-spike/
TPRM report: https://www.rankiteo.com/company/ledgerhq
"id": "led1832718110325",
"linkid": "ledgerhq",
"type": "Cyber Attack",
"date": "1/2024",
"severity": "100",
"impact": "7",
"explanation": "Attack that could injure or kill people"
```json
{
  "affected_entities": [
    {
      "industry": "multiple",
      "location": "United Kingdom",
      "name": "Unspecified UK Organizations",
      "type": ["manufacturing", "professional services", "technology", "industrials/engineering", "retail"]
    },
    {
      "industry": "multiple",
      "location": "Germany",
      "name": "Unspecified German Organizations",
      "type": ["manufacturing", "professional services", "technology", "industrials/engineering", "retail"]
    },
    {
      "industry": "multiple",
      "location": "Italy",
      "name": "Unspecified Italian Organizations",
      "type": ["manufacturing", "professional services", "technology", "industrials/engineering", "retail"]
    },
    {
      "industry": "multiple",
      "location": "France",
      "name": "Unspecified French Organizations",
      "type": ["manufacturing", "professional services", "technology", "industrials/engineering", "retail"]
    },
    {
      "industry": "multiple",
      "location": "Spain",
      "name": "Unspecified Spanish Organizations",
      "type": ["manufacturing", "professional services", "technology", "industrials/engineering", "retail"]
    },
    {
      "industry": "retail",
      "location": "United Kingdom",
      "name": "M&S (Marks & Spencer)",
      "size": "large enterprise",
      "type": "retail"
    },
    {
      "industry": "retail",
      "location": "United Kingdom",
      "name": "Co-op Group",
      "size": "large enterprise",
      "type": "retail/consumer cooperative"
    },
    {
      "industry": "cryptocurrency",
      "location": "France",
      "name": "Ledger (Crypto-Wallet Vendor)",
      "note": "Co-founder kidnapped in January 2025 (Violence-as-a-Service attack)",
      "type": "technology/financial services"
    }
  ],
  "attack_vector": [
    "phishing (CAPTCHA lures / 'ClickFix' attacks)",
    "malvertising",
    "SEO poisoning",
    "credential dumping from backup/restore databases",
    "unmanaged system exploitation",
    "vishing (voice phishing, e.g., Scattered Spider)",
    "initial access brokers (1400+ hacked organizations advertised)",
    "Telegram-coordinated physical attacks (kidnapping, arson, extortion)"
  ],
  "data_breach": {
    "data_encryption": "yes (92% of cases involved file encryption)",
    "data_exfiltration": "yes (92% of ransomware cases)",
    "number_of_records_exposed": "2100+ victims (92% with data theft)",
    "personally_identifiable_information": "likely (used for extortion leverage)",
    "sensitivity_of_data": "high (PII, corporate secrets, potential GDPR-regulated data)",
    "type_of_data_compromised": ["corporate data", "personally identifiable information (PII)", "potential payment data"]
  },
  "date_publicly_disclosed": "2025-09-01",
  "description": "European organizations experienced a 13% increase in ransomware attacks over the past year, with the UK being the most affected. The CrowdStrike 2025 European Threat Landscape Report highlights trends such as 'big-game hunting' (BGH) attacks, ransomware groups like Akira and LockBit, and emerging threats like vishing and 'Violence-as-a-Service.' Over 2100 victims were named on extortion leak sites since January 2024, with 92% involving file encryption and data theft. Russian threat actors leverage GDPR compliance to coerce ransom payments. Initial access brokers advertised access to over 1400 hacked European organizations, and tactics included credential dumping, remote encryption, and Linux ransomware on VMware ESXi infrastructure.",
  "impact": {
    "brand_reputation_impact": "high (public disclosure of 1380+ victims on leak sites)",
    "data_compromised": "2100+ victims (92% involved data theft)",
    "identity_theft_risk": "high (PII likely exposed in 92% of cases with data theft)",
    "legal_liabilities": "potential GDPR violations (used as leverage for ransom)",
    "operational_impact": "disruption across manufacturing, professional services, technology, industrials/engineering, and retail sectors",
    "systems_affected": [
      "VMware ESXi infrastructure (Linux ransomware)",
      "unmanaged systems (used for lateral movement)",
      "backup/restore configuration databases (credential dumping)"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": "likely (used for persistent access)",
    "data_sold_on_dark_web": "yes (access to 1400+ organizations advertised)",
    "entry_point": ["unmanaged systems", "compromised credentials", "phishing/vishing lures"],
    "high_value_targets": ["large enterprises (BGH)", "manufacturing", "professional services", "technology", "cryptocurrency sector"]
  },
  "investigation_status": "ongoing (report published by CrowdStrike; Europol taskforce active for VaaS threats)",
  "lessons_learned": [
    "Russian-affiliated threat actors exploit GDPR compliance as ransom leverage.",
    "Big-game hunting (BGH) targets large enterprises with high-value data.",
    "Initial access brokers play a critical role in facilitating attacks (1400+ organizations advertised).",
    "Vishing and 'ClickFix' CAPTCHA lures are rising attack vectors.",
    "Violence-as-a-Service (VaaS) introduces physical threats (kidnapping, arson) tied to cyber extortion.",
    "Unmanaged systems and VMware ESXi infrastructure are high-risk targets for ransomware deployment."
  ],
  "motivation": [
    "financial gain (ransomware payouts, avg. $3.6M)",
    "data theft for extortion",
    "cryptocurrency theft (Violence-as-a-Service)",
    "geopolitical leverage (exploiting GDPR compliance)"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Prioritize patching and monitoring of VMware ESXi and unmanaged systems.",
      "Develop specific playbooks for Violence-as-a-Service (VaaS) physical threats.",
      "Enhance dark web monitoring for initial access broker advertisements.",
      "Conduct red team exercises simulating BGH and vishing attacks.",
      "Strengthen cross-border collaboration with Europol and other LEAs."
    ],
    "root_causes": [
      "Exploitation of unmanaged systems for lateral movement.",
      "Effective use of vishing and 'ClickFix' social engineering tactics.",
      "Initial access brokers providing scalable entry points to threat actors.",
      "Geopolitical targeting of European firms due to GDPR leverage opportunities.",
      "Inadequate segmentation between high-value and unmanaged systems."
    ]
  },
  "ransomware": {
    "data_encryption": "yes (92% of cases)",
    "data_exfiltration": "yes (double extortion tactic)",
    "ransomware_strain": ["Akira", "LockBit", "RansomHub", "INC", "Lynx", "Sinobi"]
  },
  "recommendations": [
    "Enhance monitoring of unmanaged systems and backup databases to prevent credential dumping.",
    "Implement multi-factor authentication (MFA) and vishing-resistant protocols (e.g., verification callbacks).",
    "Segment networks to limit lateral movement from compromised unmanaged systems.",
    "Update VMware ESXi defenses against Linux-based ransomware strains.",
    "Train employees on 'ClickFix' CAPTCHA lure tactics and SEO poisoning risks.",
    "Collaborate with law enforcement (e.g., Europol) to disrupt Violence-as-a-Service (VaaS) networks.",
    "Review GDPR compliance postures to mitigate ransomware leverage risks.",
    "Engage third-party threat intelligence (e.g., CrowdStrike) for proactive hunting of initial access brokers."
  ],
  "references": [
    {"date_accessed": "2025-09-01", "source": "CrowdStrike 2025 European Threat Landscape Report"},
    {"source": "Infosecurity Magazine - 'Ransomware Payouts Surge to $3.6m Amid Evolving Tactics'"}
  ],
  "regulatory_compliance": {
    "regulations_violated": ["GDPR (potential violations used as ransom leverage)"]
  },
  "response": {
    "law_enforcement_notified": "yes (Europol involved for Violence-as-a-Service threats)",
    "third_party_assistance": ["CrowdStrike (threat intelligence)", "Europol (Violence-as-a-Service taskforce)"]
  },
  "threat_actor": [
    {"name": "Akira", "origin": "likely Russian-affiliated", "type": "ransomware group", "victims": 167},
    {"name": "LockBit", "origin": "likely Russian-affiliated", "type": "ransomware group", "victims": 162},
    {"name": "RansomHub", "type": "ransomware group", "victims": 141},
    {"name": "INC Ransomware", "type": "ransomware group", "victims": 133},
    {"name": "Lynx", "type": "ransomware group", "victims": 133},
    {"name": "Sinobi", "type": "ransomware group", "victims": 133},
    {
      "name": "Scattered Spider",
      "tactics": "native-language voice phishing",
      "targets": ["M&S", "Co-op Group"],
      "type": "vishing/social engineering group"
    },
    {
      "name": "The Com",
      "origin": "Russia-linked",
      "platform": "Telegram",
      "tactics": ["physical attacks", "arson", "kidnapping", "extortion"],
      "type": "Violence-as-a-Service (VaaS) group"
    },
    {
      "name": "Renaissance Spider",
      "origin": "Russia-based",
      "platform": "Telegram",
      "tactics": ["physical attacks", "cryptocurrency theft"],
      "type": "Violence-as-a-Service (VaaS) group"
    },
    {
      "name": "Initial Access Brokers (260+ actors)",
      "offerings": "access to 1400+ hacked European organizations",
      "type": "cybercriminal intermediaries"
    }
  ],
  "title": "13% Increase in Ransomware Attacks on European Organizations (2024-2025)",
  "type": ["ransomware", "data breach", "extortion", "vishing", "physical threats (Violence-as-a-Service)"],
  "vulnerability_exploited": [
    "unmanaged systems (for data theft and ransomware deployment)",
    "VMware ESXi infrastructure (Linux ransomware)",
    "human vulnerabilities (vishing, native-language social engineering)",
    "GDPR compliance leverage (ransom coercion)"
  ]
}
```