Thyssenkrupp Marine Systems Data Breach

Alleged

Ransomware claim involving Thyssenkrupp Marine Systems.

Published: Jun 28, 2026 TheGentlemen
Threat Level
High
Confidence: High

Quick Summary

Company
Thyssenkrupp Marine Systems
Industry
Manufacturing
Threat Actor
TheGentlemen
Date of Incident
Jun 28, 2026
Status
Alleged

Executive Summary

Thyssenkrupp Marine Systems (TKMS) GmbH, along with its subsidiary Atlas Elektronik, has been targeted by the TheGentlemen ransomware group. SOCRadar’s Dark Web Monitoring service identified the listing of TKMS as a victim on the group’s dark web portal on June 28, 2026. The company operates within the manufacturing sector. This listing places TKMS among a growing number of victims claimed by TheGentlemen in recent times. In the 60 days preceding this listing, TheGentlemen had claimed 145 other victims. The group frequently targets organizations in the business services, manufacturing, and healthcare sectors, with a geographical concentration in the United States, Germany, and India. Previous targets of TheGentlemen with similar profiles, such as German manufacturers, include Vera Chimie Management and Jyharn Electronic. TKMS’s profile as a German manufacturing entity aligns with TheGentlemen’s documented preference for industrial targets in frequently breached countries.

Technical Analysis

Analysis of initial access vectors using SOCRadar’s stealer-log telemetry revealed an exposure related to the domain zoominfo.com, a third-party data broker, rather than TKMS’s corporate domains. The sampled data included approximately two dozen credential records, primarily external user accounts authenticating to ZoomInfo’s services between June 26 and June 28, 2026. These records did not correspond to TKMS or Atlas Elektronik corporate identities, and the risk identified was account takeover on the third-party platform. This finding does not provide definitive information about TKMS’s internal credential exposure. Ransomware groups like TheGentlemen often use credentials harvested from infostealers as an initial access vector, sourcing them from underground marketplaces to gain access to systems like Microsoft 365, VPNs, or remote-access portals before deploying ransomware. While this incident does not confirm the specific use of credentials by TheGentlemen against TKMS, CTI teams should continue monitoring TKMS’s corporate domains and implement proactive credential hygiene measures.

Is Your Organization Exposed on the Dark Web?

Enter your company domain to get a free dark web exposure report instantly.