Unsafe ransomware group claims Deutsche Bank breach

Leaks employee database records on a dark web leak site as proof of the intrusion

Deutsche Bank
Google search engine
  • Resurgence of Unsafe in 2026, after years of relative quiet, also underscores a recurring industry pattern: ransomware groups rarely disappear permanently; more often, they regroup, retool, and return with greater capability than before.

The Unsafe ransomware group has claimed responsibility for breaching internal systems of Deutsche Bank, posting what appear to be employee database records on a dark web leak site as proof of the intrusion.

The incident, which came to light on July 4, 2026, marks the latest in a series of cybersecurity challenges faced by the German banking giant.

The ransomware group published database extracts that include terminal output screenshots and commands appearing to show exports from multiple internal databases. The leaked material reportedly contains a range of sensitive employee data, including:

  • Employee email addresses
  • Password hashes
  • Physical addresses
  • Internal database records

The nature of the screenshots — showing database queries calling back employee information — suggests that the attackers may have gained direct access to Deutsche Bank’s internal systems rather than obtaining the data through a third party. The leak page displays data timestamped from July 4, 2026, indicating the breach is recent.

Security implications

Even a breach limited to employee data carries significant downstream risks that extend well beyond the initial exposure.

Advertisment

Phishing and social engineering. Armed with internal email addresses, physical addresses, and database records, attackers can craft highly convincing spear-phishing campaigns targeting Deutsche Bank employees. These messages may impersonate internal IT teams, HR departments, or senior executives, making them far more effective than generic phishing attempts.

Credential compromise. The presence of password hashes is particularly troubling. While hashed passwords are not immediately usable, determined attackers can attempt offline cracking — especially against weak or commonly used passwords. If cracked, these credentials could grant unauthorised access to internal portals, VPNs, or cloud services.

Internal reconnaissance. Internal corporate datasets function as a blueprint of an organization’s digital infrastructure. With detailed employee records and database schemas, attackers can map reporting structures, identify privileged users, and pinpoint high-value targets — laying the groundwork for more destructive follow-up attacks.

Deutsche Bank’s history of data breaches

This is not the first time Deutsche Bank has found itself in the crosshairs of major ransomware operations.

In 2023, Deutsche Bank was among the hundreds of organisations worldwide affected by the MOVEit file transfer breach, when the Cl0p ransomware gang exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer application. That supply-chain attack ultimately compromised over 960 organisations globally.

Later that same year, an unknown hacker offered a cache of sensitive files allegedly stolen from Deutsche Bank, with reports linking the incident to the LockBit ransomware gang — one of the most prolific ransomware operations in history before a coordinated law enforcement disruption in early 2024 .

Who is Unsafe ransomware group?

Unsafe operates under a ransomware-as-a-service (RaaS) business model, a framework in which core developers provide malware and infrastructure to affiliate attackers in exchange for a share of ransom proceeds.

The group employs double extortion tactics: victims are not only faced with encrypted systems but are also threatened with the public release of stolen data if payment demands are not met.

According to research by SocRadar, the gang is known to leverage zero-day vulnerabilities across various software platforms to bypass conventional security measures. Their malware arsenal includes established strains such as GrandCrab and Emotet — the latter being a notorious banking trojan-turned-malware-loader that has been used in numerous high-profile campaigns.

Once initial access is achieved, Unsafe systematically impairs security controls and removes forensic indicators from compromised hosts to maintain persistent, undetected access .

The group first emerged in December 2022 but maintained a notably low profile through 2024 and 2025. In 2026, however, Unsafe has resurfaced with significantly increased activity. Its known victim profile skews heavily toward organisations in the United States, Germany, Switzerland, and France, suggesting a deliberate geographic targeting pattern.

Ransomware in 2026

The Unsafe resurgence aligns with broader ransomware trends observed across 2026. The IBM X-Force Threat Intelligence Index reported that the number of active ransomware and extortion groups rose 49 per cent year over year, climbing from 73 groups in 2024 to well over 100 by mid-2026. Ransomware attacks accounted for 42 per cent of all data breach reports during this period.

The financial services sector remains a prime target. Banks and financial institutions hold vast quantities of sensitive data, face intense regulatory scrutiny, and possess the resources to pay substantial ransoms — making them attractive marks for sophisticated ransomware operations. The industrialisation of RaaS has lowered the barrier to entry, enabling even relatively new or previously quiet groups like Unsafe to mount credible attacks against Fortune 500 targets.

As of this writing, Deutsche Bank has not publicly confirmed or denied the breach. If the claims are verified, the bank faces a multi-pronged challenge: containing any ongoing unauthorised access, conducting forensic investigation, notifying affected employees and regulators, and managing reputational fallout in a sector where trust is paramount.