Quick Summary
AllegedExecutive Summary
Global Software Partner S.L., a company based in Spain identified by the domain gsp.es, has been listed on the Krybit ransomware group’s dark web portal. The listing was published on July 1, 2026, and detected by SOCRadar’s Dark Web Monitoring service. The company operates in the transportation and logistics sector, which is one of Krybit’s frequently targeted industries. Its location in Spain places it within Europe, a region where Krybit shows significant activity. In the 60 days preceding this listing, Krybit claimed 34 other victims, with a notable focus on the technology, business services, and transportation and logistics sectors, primarily in Germany, Taiwan, and Italy.
Technical Analysis
SOCRadar’s analysis of stealer-log telemetry revealed a credential exposure for the gsp.es domain. The sample contained approximately 25 credential records, all of which were identified as external user accounts (customer, partner, vendor, or consumer logins), with no direct corporate employee credentials found. Log activity extended into early July 2026. This finding indicates persistent external exposure but does not confirm employee endpoint compromise or direct corporate intrusion. For ransomware groups like Krybit, credentials harvested from infostealers are a common initial access vector. These credentials are used to access systems like Microsoft 365, VPNs, or remote access portals before deploying ransomware. While this specific evidence does not confirm Krybit’s use of these credentials, the observed portal exposure warrants continued monitoring. CTI teams are advised to pair such findings with checks for corporate domain exposure rather than relying solely on the absence of employee credentials as reassurance.