Quick Summary
Executive Summary
Greg Crosslin, an organization based in the United States, has been listed as a victim on the Play ransomware group’s dark web portal, published on June 17, 2026. The listing was identified through SOCRadar’s Dark Web Monitoring service. Although the specific sector for the entity is not recorded, the addition places it among Play’s steady stream of recent North American victims. In the 60 days preceding this listing, Play has claimed 17 other victims. The group primarily targets the transportation and logistics, construction, and business services sectors, with a strong concentration of victims in the United States.
Technical Analysis
Initial access correlation against SOCRadar’s stealer-log telemetry showed no records for Greg Crosslin. However, a null result does not confirm the absence of credential exposure. Credentials may have been used under alternate corporate domains, personal email aliases, or exist in feeds not covered by the query. For ransomware groups like Play, infostealer-harvested credentials are a common initial access vector. CTI teams should continue monitoring and implement proactive credential-hygiene measures, rather than interpreting a null query as exoneration.