secpo is a ransomware operator currently active on public leak sites. Darkfield has indexed 5 public victims claimed by this operator between April 14, 2026 and April 29, 2026.

SecPo is a ransomware group that first emerged in April 2026 and, based on its limited documented activity, appears to be financially motivated. With only four known victims, primarily concentrated in Canada, the group appears to target the business services and manufacturing sectors, though its small operational footprint suggests it may be a nascent or highly selective threat actor.

Because the group emerged recently and public documentation is limited, its country of origin, potential affiliations, and any ransomware-as-a-service model remain unclear to security researchers. Its attack methodology, encryption techniques, and specific tools have not been extensively documented by major security firms, likely because of its limited scope of operations and recent timeline of activity. No major campaigns, high-profile victims, or significant law enforcement actions have been publicly reported for this group, which is consistent with its apparently small-scale operations. Given its recent emergence in 2026, SecPo's current operational status and long-term capabilities remain to be determined as security researchers continue to monitor its activities.
How we know this.

Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.