SOCRadar® Cyber Intelligence Inc. | ALPHV/BlackCat Ransomware Attack on Tipalti, Threatening Tipalti’s Customers


Dec 04, 2023
3 Mins Read

ALPHV/BlackCat Ransomware Attack on Tipalti, Threatening Tipalti’s Customers

The first days of December 2023 were rattled by ALPHV/BlackCat ransomware group, known for its sophisticated cyberattacks and recent interesting attack methods. The latest in their series of high-profile breaches is the alleged infiltration on Tipalti, a leading FinTech company specializing in automated payment processing services. However, not just Tipalti is affected; data belonging to its customers is also threatened with data leaks. Customers include video game Roblox, streaming platform Twitch, and previously Twitter, X.

The Tipalti Data Breach

On September 8th, 2023, ALPHV/BlackCat claimed to have allegedly accessed Tipalti’s systems, extracting over 265GB of sensitive business data. This breach compromised Tipalti and its high-profile clients, including gaming giant Roblox, and Twitch. The stolen data encompasses a range of confidential information, posing significant threats to the entities involved.

Tipalti, valued at $8.3 billion and a key player in financial operations, faced severe repercussions following the breach. The company’s customers, featuring prominent names like Roblox, Twitch, and potentially X (formerly Twitter), found themselves at risk of data leaks and extortion.

ALPHV’s statement on their .onion leak blog
ALPHV’s statement on their .onion leak blog

The intended impact on Roblox’s stock price was particularly alarming, showcasing the ransomware group’s strategic targeting. Again, the inclusion of large companies like Twitch and X in Tipalti’s client portfolio, and the fact that these platforms contain many users, could emerge as a significant cyber threat for both the mentioned organizations and their users.

In response to the breach, Tipalti has acknowledged the claims and is conducting a thorough investigation. Their commitment to safeguarding customer data remains adamant despite not detecting any information loss initially.

An X user’s tweet about Tipalti’s mail (X)
An X user’s tweet about Tipalti’s mail (X)

In the e-mail sent to customers, they continue to state that they have not yet encountered a breach.

ALPHV/BlackCat Ransomware Group’s Tactics

ALPHV/BlackCat, known for its aggressive and controversial methods, has a history of targeting large corporations and institutions. Their approach often involves preemptive exposure of victims before negotiations like typical ransomware operations, but ALPHV is trying new methods to get paid. They recently even filed a SEC complaint alleging that one of their victims failed to report a data breach to authorities.

The ALPHV group, which works with the RaaS model, also works with dangerous affiliates such as Scattered Spider, and poses a serious danger by constantly updating its tactics in extortion.

For detailed information about the group, check out our Dark Web Profile.


The ALPHV/BlackCat ransomware attack on Tipalti is a significant event in the ransomware landscape, underscoring the ever-present need for enhanced security measures. As digital threats evolve, so must our defenses, reminding us that vigilance and proactive protection are indispensable in today’s interconnected world.

One such proactive approach is to take precautions against ransomware groups’ TTPs and not leave open doors for them. For this, you can check it with Ransomware Check within SOCRadar’s Attack Surface Management module.

SOCRadar Ransomware Check
SOCRadar Ransomware Check

Of course, even if you are sure of your organizational cyber security stance, you may still be in danger within the supply chain, so you can add such organizations to your follow-up list in the Supply Chain Intelligence tab on the SOCRadar Platform and receive early alerts.

Supply Chain Intelligence
Supply Chain Intelligence