Quick Summary
Alleged
Executive Summary
Ford Motor Company, S.A. de C.V., a manufacturing entity based in Mexico, was publicly listed as a victim by the Krybit ransomware group on its dark web portal on June 28, 2026. This detection was made possible by SOCRadar’s Dark Web Monitoring service. The organization operates within the manufacturing sector, specifically in the automotive-industrial domain. Krybit has been actively targeting organizations in the business services, public sector, and technology sectors, with recent victims concentrated in Germany, Mexico, and Peru.
Technical Analysis
SOCRadar’s analysis revealed a significant exposure for the `ford.mx` domain through stealer-log telemetry. A sample of 25 records was identified, consisting predominantly of customer-facing credentials from endpoints such as `sso.ci.ford.mx` and `login.ford.mx`. The exposure primarily involves customer account takeover and supplier risk, with data dated between June 19 and June 27, 2026. No corporate employee credentials were found in this specific sample, but this does not preclude their existence in the broader dataset. The observed credential harvesting aligns with typical initial access methods for ransomware groups like Krybit, where compromised credentials from underground marketplaces are used to access corporate networks. CTI teams are advised to enhance monitoring and implement credential hygiene measures, including a comprehensive review of corporate-domain credentials.
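A sketch of the corporate-domain credential review recommended above, as an added example that is not SOCRadar's tooling or data: it sorts stealer-log records into customer-facing, corporate and unrelated buckets so resets can be prioritized. The record layout, the sample usernames and the `internal-placeholder.ford.mx` host are constructed assumptions; only `ford.mx`, `sso.ci.ford.mx` and `login.ford.mx` come from the report.

```python
from urllib.parse import urlsplit

# Hostnames the report names as customer-facing login endpoints.
CUSTOMER_HOSTS = {"sso.ci.ford.mx", "login.ford.mx"}
CORP_DOMAIN = "ford.mx"  # monitored domain from the report

# Constructed sample records: (url, username, capture date). Passwords are
# deliberately not carried into triage; only identity and host matter here.
SAMPLE = [
    ("https://login.ford.mx/auth", "cliente01@example.com", "2026-06-21"),
    ("https://sso.ci.ford.mx/login", "proveedor@supplier.example", "2026-06-25"),
    ("https://internal-placeholder.ford.mx/portal", "demo.user", "2026-06-26"),
    ("https://login.ford.mx.evil.example/", "x@example.com", "2026-06-27"),
    ("https://mail.example.net/", "Empleado.Demo@FORD.MX", "2026-06-19"),
]

def in_domain(name, domain):
    """True for the domain itself or a real subdomain (label-boundary match)."""
    name = (name or "").lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def classify(url, username):
    host = urlsplit(url).hostname or ""  # hostname is already lowercased
    email_domain = username.rpartition("@")[2] if "@" in username else ""
    if in_domain(email_domain, CORP_DOMAIN):
        return "corporate"   # employee identity, wherever it was used
    if host in CUSTOMER_HOSTS:
        return "customer"    # account-takeover / supplier risk
    if in_domain(host, CORP_DOMAIN):
        return "corporate"   # non-customer host under the monitored domain
    return "unrelated"       # look-alike or third-party site

def triage(records):
    """Group records by review priority, keeping username and capture date."""
    buckets = {"corporate": [], "customer": [], "unrelated": []}
    for url, username, seen in records:
        buckets[classify(url, username)].append((username.lower(), seen))
    return buckets

if __name__ == "__main__":
    for label, items in triage(SAMPLE).items():
        print(label, len(items), sorted(items))
```

The label-boundary match in `in_domain` is what keeps a look-alike host such as `login.ford.mx.evil.example` out of the corporate bucket, and corporate e-mail identities are flagged even when they were captured on a third-party site.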