Tipalti investigating ransomware attack claims


Roblox and Twitch accounting services provider Tipalti said that the company is aware of claims by ALPHV/BlackCat of a ransomware attack on its systems. Meanwhile, the attackers are threatening to leak Tipalti’s customer data.

Tipalti, whose customers include X (formerly Twitter), Twitch, GoDaddy, Roku, Canva, and Business Insider, released a statement confirming that it’s aware of the ransomware claims.

“Over the past weekend, a ransomware group claimed that they allegedly gained access to confidential information belonging to Tipalti and its customers,” the company said, stressing its focus on security. “We are thoroughly investigating this claim.”

ALPHV/BlackCat ransomware posted Tipalti on its dark web blog on December 3rd, claiming to have breached Tipalti in early September. The group said that it managed to remain undetected for months, allegedly exfiltrating over 265GB of sensitive company data, including information on its employees and customers.

The cybercrooks also threatened to leak the data of Tipalti customers, namely from Roblox, the popular game platform and game creation system, and Twitch, a video live-streaming service.

We’ve repeatedly contacted Roblox and Twitch but have yet to receive a reply from either company.

Meanwhile, ALPHV released a message in the wee hours of December 5th, saying it will soon start contacting affected businesses.

“It makes logical sense to extort those who are likely to pay out bigger amounts first. The next batch of demands will be sent shortly,” the attackers said on their dark web blog.

Who is ALPHV/Black Cat ransomware?

ALPHV/BlackCat ransomware was first observed in 2021. Like many others in the criminal underworld, the group operates a ransomware-as-a-service (RaaS) business, selling malware subscriptions to criminals.

According to an analysis by Microsoft, the threat actors that began deploying it were known to work with other prominent ransomware families such as Conti, LockBit, and REvil.

The FBI believes that money launderers for the ALPHV/BlackCat cartel are linked to the Darkside and Blackmatter ransomware cartels, indicating that the group has a well-established network of operatives in the RaaS business.

The gang gained international attention earlier this year after it, together with Scattered Spider hackers, attacked MGM Resorts International and Caesars Entertainment.

According to Ransomlooker, the Cybernews’ ransomware monitoring tool, ALPHV was among the most active gangs in the last 12 months, victimizing over 320 organizations worldwide.