German naval defense firm Atlas Elektronik listed on TheGentlemen ransomware leak site

On 28 June 2026, Atlas Elektronik — the Bremen-based German manufacturer of naval-defense electronics and a wholly owned subsidiary of ThyssenKrupp Marine Systems (TKMS) — was added to the dark-web leak site of the extortion group TheGentlemen, which claimed to have compromised the company in a double-extortion attack dated to around 25 June 2026. As of the listing, Atlas Elektronik had not publicly confirmed any intrusion, and the scope, volume, and sensitivity of any data taken remained unverified.

What is claimed

The entry was surfaced through ransomware-tracking feeds that monitor extortion leak sites rather than through any company statement or regulator filing. TheGentlemen operates a classic double-extortion model — exfiltrating data before deploying its cross-platform locker, then threatening publication on a Tor-based leak site to pressure payment. Beyond the leak-site posting itself, no ransom figure, record count, or breakdown of the affected systems has been independently corroborated, and this entry should be read as an unconfirmed claim pending any confirmation from Atlas Elektronik or German authorities.

Why the target matters

Atlas Elektronik, founded in 1902, builds sonar suites for submarines and surface vessels, heavyweight torpedoes, mine-countermeasure systems, unmanned underwater and surface vehicles, and coastal-surveillance technology for navies in Germany and allied states. As a defense contractor handling export-controlled technical data and military-procurement-sensitive material, any genuine compromise would engage obligations under Germany's transposition of the EU NIS2 directive, the GDPR for any personal data, and defense-sector and export-control reporting regimes — making a confirmed breach materially more serious than a typical corporate ransomware listing.

The threat actor

TheGentlemen is a ransomware-as-a-service operation first advertised on underground forums in September 2025 that has scaled unusually fast, with security vendors including Check Point Research, Halcyon, and SOCRadar documenting hundreds of claimed victims across manufacturing, energy, and other sectors worldwide within its first year. Researchers have noted the group's reliance on perimeter-device exploitation for initial access and lateral-movement tooling capable of spreading across networks. The Atlas Elektronik listing fits its established pattern of targeting industrial and critical-infrastructure organizations, though — as with all leak-site claims — verification ultimately depends on the victim's own disclosure.

Sources

ransomware.livehttps://www.ransomware.live/country/DEU

compliancehub.wikihttps://compliancehub.wiki/june-2026-breach-cluster-insurance-driving-school-defense-2026/

thehackernews.comhttps://thehackernews.com/2026/06/the-gentlemen-ransomware-claims-478.html

research.checkpoint.comhttps://research.checkpoint.com/2026/thus-spoke-the-gentlemen/

socradar.iohttps://socradar.io/blog/dark-web-profile-the-gentlemen-ransomware/

en.wikipedia.orghttps://en.wikipedia.org/wiki/Atlas_Elektronik

Related incidents

RansomwareContainedOctober 27, 2023

Boeing LockBit ransomware via Citrix Bleed (2023)

LockBit operators exploited the Citrix Bleed vulnerability (CVE-2023-4966) to enter Boeing's parts and distribution business. Boeing did not pay; LockBit leaked roughly 45 GB of data, including Citrix logs, email backups, supplier lists, and 2020 pricing data.

Victim: Boeing — Parts and Distribution business

RansomwareContainedAugust 1, 2022

Continental AG LockBit ransomware (Germany, 2022)

LockBit operators infiltrated parts of German auto-parts giant Continental AG's IT systems in August 2022. Containment was initially declared, but in November the group put 40 terabytes of stolen Continental data on its dark-web leak site, offered for sale or destruction for $50 million.

Victim: Continental AG

RansomwareContainedMay 12, 2017

WannaCry ransomware worm

A North Korean ransomware worm that exploited the EternalBlue SMB vulnerability to spread to ~200,000 systems across 150 countries in 24 hours. Paralysed the U.K.'s NHS and crippled manufacturing globally.

Victim: ~200,000 organizations worldwide (UK NHS, Telefónica, Renault, Deutsche Bahn, Honda et al.)
Loss: $6.00B

RansomwareContainedJune 23, 2026

Bajaj Auto hit by ransomware attack on its IT systems

Indian automaker Bajaj Auto disclosed that a ransomware attack detected on the morning of 23 June 2026 affected systems at the company and its technology subsidiary, prompting containment measures and regulatory filings with CERT-In and SEBI.

Victim: Bajaj Auto