Ransomware victim disclosure
← All victimsHaMashkem (המשקם)
listed as www.hameshakem.co.il · Claimed by Devman · listed 9 months ago
Status timeline
- ListedOct 3, 2025
- Data leakeddate unknown
At a glance
About the victim
AI dossier — public-source company profileHaMashkem (המשקם) is Israel's largest social enterprise, jointly owned by the World Zionist Organization and the Israeli Ministry of Welfare and Social Affairs. Founded in 1958, the company employs approximately 2,700 workers with disabilities across the country, from Kiryat Shmona in the north to Eilat in the south. It operates 20 industrial plants, 7 textile workshops, and around 90 landscaping teams, providing vocational rehabilitation and full employment conditions for people with disabilities.
- Industry
- Disability Employment & Vocational Rehabilitation Services
- Address
- חטיבת אלכסנדרוני 1, אור יהודה (Head Office), Israel
- Employees
- 2700
- Founded
- 1958
Attack summary
Severity: critical — 400 GB of data has been exfiltrated and published from a government-affiliated social enterprise employing ~2,700 vulnerable individuals (people with disabilities, elderly citizens). The data almost certainly includes sensitive PII, employment records, and welfare/rehabilitation data for a protected population, constituting a large-scale breach of regulated and sensitive personal data.The group 'devman' claims to have exfiltrated 400 GB of data from HaMashkem and demanded a ransom of $6,000,000. The disclosure status is 'data_published', indicating the stolen data has been or is being released.
Data the group says was taken
AI dossier — extracted from the leak post- Employee records (including workers with disabilities)
- Business and operational data
- Corporate financial information
- Partner and client records
- Internal administrative documents
What the group claims
Ransom: 6kk 400gb exfiltrated
Sources
Source
Indexed 9 months agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
Is this your supplier? Your competitor? You?
Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

