A low-profile ransomware crew that operates under the name Krybit had its busiest day on record on July 1, 2026, adding nine organizations to its dark-web extortion site in a single 24-hour window. The victims span four continents and a striking mix of industries, from a Taiwanese avionics manufacturer to a Catholic hospital in Italy, a pattern that points to an opportunistic operation taking whatever networks it can breach rather than hunting one sector.
Krybit is not a household name. In the weeks before this batch it had been posting only one to three claims at a time, so nine listings in a day is roughly triple its previous high and a clear jump in tempo. It is the same kind of single-day surge seen from other newer crews recently, including when the Settra crew named a dozen victims in one day. July 1 was a heavy day for leak sites in general, with the more established Gentlemen gang posting its own record batch the same day.
Who Krybit named
The nine organizations read like a cross-section of the mid-market businesses that extortion crews increasingly favor, spread across Asia, Europe, North and Central America, and the Middle East:
- AeroVision Avionics (Taiwan), a high-tech avionics and electronics maker, the most sensitive name on the list.
- JAWS Co., Ltd. (Taiwan), a manufacturer of electronic connectors and cable assemblies.
- Global Software Partner (Spain), an IT consulting and software firm with more than 30 years in business.
- Hopital Catholique Saint Joseph Moscati (Italy), a Catholic hospital, the latest healthcare provider drawn into leak-site extortion.
- German Imaging Technologies (Dubai, UAE), a German-founded imaging and printing supplier.
- Northern Access Transportation (United States), a Minnesota-based transport company.
- DISS Analytics (United States), the data and statistical reporting arm of an imaging solutions group.
- B'Laofood (Vietnam), a food manufacturer.
- Transportes y Logistica Bras (Guatemala), a heavy-haul logistics operator.
These are claims, not confirmed breaches
Everything on a leak site is an accusation made by the attackers themselves. Groups like Krybit post a victim's name, and often a sample of stolen files, to pressure the organization into paying before any data is released. Such listings can be exaggerated, recycled from an older intrusion, or occasionally fabricated, and a name appearing here is not proof that sensitive data was actually taken. None of the nine organizations has publicly confirmed an incident, and IntelFusions has not independently verified the claims. We are reporting what Krybit asserts on its own leak site, as tracked by the ransomware.live project, and not any admission by the victims.
What defenders should take from it
The value in a batch like this is less about any single name and more about the signal: a previously quiet crew has ramped up and is casting a wide, cross-border net. Organizations in manufacturing, healthcare, and logistics, the sectors most represented here, should treat it as a prompt to check the basics these crews exploit. Enforce multi-factor authentication on every remote-access and VPN entry point, patch internet-facing systems and edge appliances promptly, keep offline and tested backups, and watch for the unusual administrative activity and bulk data staging that tend to precede a leak-site listing. Krybit is now tracked on its own actor profile as this activity develops.