A 3-billion-dollar German insurance giant has been allegedly breached in a ransomware attack by a Russia-aligned Dragonforce gang.
The Dragonforce ransomware gang has posted bold claims of breaching the German insurance company HanseMerkur on its dark website. Attackers claim to have extracted nearly 97 GB of internal company data.
Such claims via ransomware gang communication channels are a common tactic used by attackers to blackmail victims into paying a ransom.
Ransomware demands are often based on a victim organization's annual revenue, typically ranging from 0.7% to 5%, with an average of roughly 2.82%.
Files released along with Dragonforce post suggest that the data breach might have affected HanseMerkur partner Emirates Insurance, with which the insurance giant collaborates to support portfolios in the UAE.
Among the released files are multiple financial documents, including vouchers, tax notes, and invoices. The company has not yet confirmed the attack.
Headquartered in Hamburg, HanseMerkur is a major German insurance group specializing in private health, travel, and property insurance. The company has offices in Switzerland and Dubai. In 2025, the company boasted €3 billion in revenue.
Cybernews has reached out to HanseMerkur for a comment on the alleged attack, but has not yet received a response.
Attackers aligned with the Kremlin agenda
The gang has previously targeted the UK retail chain Co-op. Also, the gang exfiltrated customer data from another British retailer, Marks & Spencer, which cited the "sophisticated nature" of the incident.
The same attackers claimed a breach on the popular US department store chain Belk. The attackers said they had obtained over 156 gigabytes of company data, ranging from backups to employee profiles.
Mobilelink US, the US’s largest authorized dealer for Cricket Wireless cellular phones and service, was hit at the end of 2025 by an alleged data theft of 5 TB.
According to Halcyon researchers, Dragonforce’s public stance strongly implies “a close alignment – or even allegiance – with the Russian Federation.”
Last year, Group-IB’s researchers said that Dragonforce enforces specific rules prohibiting attacks on hospitals, critical infrastructure, and non-profit organizations in Russia and other countries belonging to the Moscow-led Commonwealth of Independent States.
First spotted in 2023, the Dragonforce gang announced in October last year a new collaborative ransomware-as-a-service (RaaS) alliance with two of the most prominent players on the ransomware scene: Qilin and Lockbit.
The Cybernews dark web monitoring tool Ransomlooker shows that Dragonforce has attacked 185 organizations in 2025, with 130 of those attacks happening in the past six months.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked