A previously unseen ransomware crew calling itself Booba Project switched on a dark web leak site this week and immediately named five companies across the United States and Spain, becoming the second brand new extortion brand to surface in as many days.
All five listings went up on 6 July 2026, the group's first day of visible activity. The named organizations are US food distributor Frosty Acres Brands, telecommunications equipment maker Telewave, event production and staging firm Upstaging, and two Spanish technology companies, Nfinite 9000 and Fonsan. None of the five has confirmed an intrusion, and the claims should be treated as unverified extortion allegations posted by the gang itself, not as established breaches.
What is actually known
Booba Project runs the now familiar data extortion playbook: rather than only encrypting files, the crew claims to have stolen internal data and threatens to publish it on its leak site unless the victim pays. The group is also tracked under the handles Booba and Booba Team. It has published no ransom figures, sample data, or technical detail about how it got in, and there is no indication yet of the initial access method. Whether Booba Project is a genuinely new team or a rebrand of an existing operation is not clear from the listings alone.
The victim mix is telling. Instead of a single marquee target, the crew opened with mid market and small businesses across food, telecom, live events, and IT, spread over two countries. That is the profile of a crew casting a wide net for soft targets rather than one chasing a headline.
Part of a wider churn
The debut lands amid a burst of new leak sites. Just a day earlier, another first time crew, Doommageddon opened with a claim against Mercedes-Benz Turk, and low profile operators such as Genesis have been quietly piling up US clinics and small businesses. These smaller brands rarely make national news, but for the organizations named they still carry real costs: data breach notification duties, downtime, legal exposure, and the risk of stolen records surfacing later. IntelFusions tracks the crew on its Booba Project profile.
What the named companies should do
Any organization that finds itself on a leak site should assume data theft is real until proven otherwise: preserve logs, engage incident response, reset credentials, and hunt for unauthorized access and persistence. Because Booba Project has not disclosed an entry vector, defenders should cover the common ransomware on ramps, namely exposed remote access services, unpatched perimeter appliances, and phishing. Paying does not guarantee stolen data is deleted, and each payment funds the next wave of listings.
Booba Project has published no indicators of compromise so far. IntelFusions will update this story if the crew releases samples, ransom demands, or any of the named victims confirms an incident.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.