A church-run sushi supplier, the biggest in the US, may be facing its second major cyberattack in a year, with new leaked data raising questions about another breach.
A ransomware gang named Lynx posted a note on its dark web leak site, claiming to have stolen data from the largest US sushi and seafood provider, the True World Group LCC. Publishing warnings on the dark web is a common tactic to pressure victims into paying ransom.
While the threat actors did not specify the scope of the breach, the post includes images of stolen data, suggesting that they’re in possession of highly sensitive information. The data samples include financial data, invoices showing transactions and sums, as well as employee data.
This isn’t the first time the conglomerate has been attacked. In 2024, True World Holdings LLC informed over 8,500 individuals about a security incident that affected their personal data. Threat actors breached the company’s systems and copied files containing the data of current and former employees.
If the latest breach claims are true, it could indicate a new attack on the conglomerate. While the data seems to be the same as that in the 2024 breach, Cybernews researchers have checked the data samples and noticed that some documents are dated 2025.
“The leaked data could be used by competitors to gather business intelligence data.
Employee data could be used for identity theft, targeted phishing attacks,” our research team explained.
Cybernews has reached out to the company for confirmation, but a response is yet to be received.
True World and its subsidiaries provide food service, manage Japanese restaurants and grocery store chains, own Noble Fish and White Wolf Japanese Patisserie brands, and operate a fleet of fishing vessels. Currently, the company employs around 1000 people worldwide.
The conglomerate is run by the controversial Unification Church, which was founded in South Korea by Sun Myung Moon.
What is Lynx ransomware?
Caught on the radar in mid-2024, the gang is operating as ransomware-as-a-service (RaaS) and is known to target organizations in the finance, architecture, and manufacturing sectors.
Darktrace’s Threat Research teams also uncovered Lynx-related incidents targeting energy and retail sectors across the Middle East and Asia-Pacific (APAC) regions.
According to Cybernews' in-house surveillance tool, Ransomlooker, the gang has listed 196 victims since 2024, and is among the key players in the ransomware scene.
Among its alleged Lynx victims are Dollar Tree, America’s second-largest egg producer, Rose Acre Farms, and a major CBS affiliate, WDEF-TV. INC Ransomware has previously claimed a Canadian cemetery and the city of Gardendale in Alabama.
Unit42 researchers identify that Lynx’s malware shares significant portions of its source code with the INC ransomware variant, indicating the group likely repurposed readily available INC code to craft its own custom strain.
The gang might be linked to Russia, as it is actively recruiting on Russian-speaking underground forums. Also, like many Russia-based cybercrime groups, Lynx explicitly states that it does not target organizations in Russia or other CIS countries.
This is a common tactic used by Russian threat actors to operate without interference from authorities within their home territory. On its leak site, Lynx gang claims that it has a clear intention to avoid undue harm to organizations. It claims to follow ethical policies and not target governmental institutions, hospitals, or non-profit organizations, as “these sectors play vital roles in society.”
“Our operational model encourages dialogue and resolution rather than chaos and destruction,” it says.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked