A ransomware crew that calls itself The Gentlemen has named one of Germany's most sensitive industrial targets on its dark web leak site: Thyssenkrupp Marine Systems (TKMS), the shipbuilder that produces submarines and frigates for the German navy and export customers, along with its sonar and naval electronics unit Atlas Elektronik. As with every leak site post, this is an unverified extortion claim rather than a confirmed breach, and TKMS has not publicly acknowledged any incident at the time of writing.
What makes the listing stand out is the target. Most ransomware victims are mid market manufacturers, clinics, and law firms. A naval defense contractor appearing on an extortion blog raises the stakes, both because of the potential sensitivity of any stolen data and because defense suppliers are watched closely by national authorities.
Who is The Gentlemen
The Gentlemen is a relatively new crew that has moved fast. IntelFusions previously reported that the group claimed 20 victims in a single week shortly after it surfaced, and that its affiliates were handed custom tooling built to disable endpoint defenses. The TKMS listing fits the group's pattern of chasing large, recognizable names. You can track its activity on the The Gentlemen profile.
A busy stretch on the leak sites
The defense sector claim landed during a heavy run of extortion postings. In the same window, a newer crew tracked as Settra dumped roughly a dozen victims in a single day, spanning South Korea's Doosan, Singapore chemicals maker DyStar, Taiwanese retailer PChome, and several US firms. Established operations stayed busy too: INC Ransom posted a cluster of US personal injury law firms, while Play, Qilin, and Akira each added fresh names. The pace echoes the recent LockBit surge that flooded its blog with 26 victims in two days.
Why leak site claims deserve caution
Leak site posts are marketing for the criminals. Gangs routinely inflate, recycle, or misattribute victims to pressure payment, and a name on a blog does not by itself confirm that data was stolen or that operations were disrupted. Treat each listing as a claim to be verified, not a fact.
What defenders should do
Organizations in manufacturing and defense supply chains should assume they are targets and prioritize the basics that blunt these intrusions: enforce phishing resistant multi factor authentication, patch internet facing systems quickly, keep offline and tested backups, and segment networks so a single compromise cannot spread across the whole estate. If your organization is named on a leak site, engage incident response and legal counsel early rather than negotiating blind.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.