Quick Summary
Executive Summary
Thyssenkrupp Marine Systems (TKMS) GmbH, along with its subsidiary Atlas Elektronik, has been targeted by the TheGentlemen ransomware group. SOCRadar’s Dark Web Monitoring service identified the listing of TKMS as a victim on the group’s dark web portal on June 28, 2026. The company operates within the manufacturing sector. This listing places TKMS among a growing number of victims claimed by TheGentlemen: in the 60 days preceding it, the group had claimed 145 other victims. The group frequently targets organizations in the business services, manufacturing, and healthcare sectors, with a geographical concentration in the United States, Germany, and India. Previous targets of TheGentlemen with similar profiles, such as German manufacturers, include Vera Chimie Management and Jyharn Electronic. TKMS’s profile as a German manufacturing entity aligns with TheGentlemen’s documented preference for industrial targets in frequently breached countries.
Technical Analysis
Analysis of initial access vectors using SOCRadar’s stealer-log telemetry revealed an exposure related to the domain zoominfo.com, a third-party data broker, rather than TKMS’s corporate domains. The sampled data included approximately two dozen credential records, primarily external user accounts authenticating to ZoomInfo’s services between June 26 and June 28, 2026. These records did not correspond to TKMS or Atlas Elektronik corporate identities, and the risk identified was account takeover on the third-party platform. This finding therefore does not provide definitive information about TKMS’s internal credential exposure. Ransomware groups like TheGentlemen often use credentials harvested by infostealers as an initial access vector, sourcing them from underground marketplaces to gain access to systems like Microsoft 365, VPNs, or remote-access portals before deploying ransomware. While this incident does not confirm that TheGentlemen used credentials against TKMS, CTI teams should continue monitoring TKMS’s corporate domains and implement proactive credential hygiene measures.
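The distinction drawn above, between stealer-log records that expose corporate identities and records that only concern a third-party platform, can be made mechanical during triage. The following is an added example, not SOCRadar's code or part of the original report; the record layout (`url`, `username`), the monitored domains and the sample records are all constructed placeholders.

```python
from urllib.parse import urlsplit

# Placeholder values: the report does not list the corporate domains to monitor.
MONITORED_DOMAINS = {"corp.example", "subsidiary.example"}

def in_scope(host, domains=MONITORED_DOMAINS):
    """True if host is a monitored domain or a subdomain of one.
    Matching on a dot boundary avoids lookalikes such as notcorp.example."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(record):
    """Label one stealer-log record (dict with 'url' and 'username')."""
    url = record["url"]
    # Stealer logs often store bare host:port entries without a scheme.
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    user = record["username"]
    user_domain = user.rsplit("@", 1)[1] if "@" in user else ""
    if in_scope(host):
        return "corporate-service"    # login to a monitored portal (VPN, SSO, mail)
    if user_domain and in_scope(user_domain):
        return "corporate-identity"   # corporate e-mail used on an outside service
    return "third-party-only"         # takeover risk limited to the external platform

def triage(records):
    """Group records by label so corporate exposure is reviewed first."""
    buckets = {"corporate-service": [], "corporate-identity": [], "third-party-only": []}
    for r in records:
        buckets[classify(r)].append(r)
    return buckets

# Constructed sample records (no real data; passwords omitted).
SAMPLE = [
    {"url": "https://zoominfo.com/", "username": "alice@external.example"},
    {"url": "https://zoominfo.com/", "username": "bob@subsidiary.example"},
    {"url": "vpn.corp.example:443/remote", "username": "carol"},
    {"url": "https://corp.example.unrelated.example/", "username": "dave@notcorp.example"},
]

if __name__ == "__main__":
    for label, items in triage(SAMPLE).items():
        print(label, len(items))
```

Records in the first two buckets warrant password resets and session review for the affected accounts; a result with only `third-party-only` entries matches the situation the report describes and says nothing about internal exposure.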