A little known extortion crew that calls itself D1R claims it broke into Synopsys, one of the world's leading makers of chip design software, and used what it stole to reach data belonging to two of Synopsys's biggest customers: British chip designer ARM and German engineering group Bosch. The group listed all three as victims on its data leak site on 13 July 2026. None of the three companies has confirmed a breach, and IntelFusions has not independently verified the claims.
What makes the claim notable is not the size of any single leak but the supply chain angle. In its own leak site messaging, D1R brags that Synopsys data handed it a roadmap into the wider technology sector, taunting that Bosch got, in the group's words, third partied. If even partly true, it would be a reminder that a compromise at a single design tools vendor can cascade into the semiconductor and automotive firms that depend on it.
Who is D1R
D1R is a small and relatively new name on the ransomware scene, without the track record of established crews. That matters when weighing its boasts. Emerging groups routinely inflate or recycle claims to build a reputation, and leak site posts are marketing, not proof. We are treating these listings as unverified allegations until one of the named firms or a credible third party says otherwise.
Why the target set stands out
Synopsys sits at the heart of modern chip development, and its electronic design automation tools are used to design the processors that end up in phones, cars, and data centers. ARM licenses the processor designs behind most of the world's smartphones, and Bosch is a top tier automotive and industrial supplier. A genuine intrusion touching that trio would be a serious intellectual property and supply chain concern, which is precisely why an unproven claim against them deserves careful, skeptical scrutiny rather than amplification.
What is actually known
At this stage the verifiable facts are limited. D1R has listed Synopsys, ARM, and Bosch on its leak site and published messaging asserting the data originated with Synopsys. There is no confirmed victim statement, no independent analysis of the leaked material, and no public detail on how any initial access was obtained. IntelFusions is monitoring for corroboration and will update if any of the companies respond.
What organizations should do
Companies that rely on third party design or engineering tools should treat this as a prompt to review vendor access, to segment and monitor the connections those tools hold into internal networks, and to rehearse how they would respond if a supplier, rather than their own perimeter, turned out to be the point of failure. The D1R listings sit within a busy stretch of leak site activity, alongside the recent Qilin surge of 31 victims across 15 countries and access broker driven intrusions such as the DragonForce campaign that exploited a Citrix flaw. You can follow our tracking of this group on the D1R threat actor profile.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.