Ransomware victim disclosure

TPA Group Slovakia

Claimed by TEAM UNDERGROUND · listed 2 days ago

$15 million

Ransom

demanded

Age

since listed · listed for ransom

Status timeline

Listed
Jun 2, 2026

Current state: Listed for ransom

At a glance

Group: TEAM UNDERGROUND
Status: Listed for ransom
Country: Slovakia
Sector: Consulting
Listed on leak site: Jun 2, 2026
Ransom demanded: $15 million

About the victim

AI dossier — public-source company profile

TPA Group Slovakia (TPA Slovensko) is a tax and consulting firm operating as part of Baker Tilly International. They provide tax advisory, compliance, and business consulting services across multiple sectors in Slovakia.

Industry: Professional Services & Tax Consulting

Attack summary

Severity: high — Professional services firm handling sensitive client financial and tax data at scale; $15M ransom demand and multi-domain compromise indicate significant exfiltration; consulting/accounting firms process regulated PII and financial information.

TEAM UNDERGROUND claims to have compromised TPA Group Slovakia and is demanding $15 million ransom. The group references both tpa-group.com and tpa-group.sk domains, suggesting a multi-entity attack across the TPA Group network.

high

Data the group says was taken

AI dossier — extracted from the leak post

tax client records
financial advisory files
business consulting documents
potentially regulated tax/compliance data

The leak post

captured from the group's site

tpa-group.com $281 million; tpa-group.sk $15 million

Screenshot of the leak post

Sources

Victim sitetpa-group.sk
Leak posthttp://47glxkuxyayqrvugfumgsblrdagvrah7gttfscgzn56eyss5wg3uvmqd.onion

Source

Indexed 2 days ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About TEAM UNDERGROUND

TEAM UNDERGROUND is a ransomware group first observed in May 2026 with an apparent financial motivation, though its limited operational history makes comprehensive attribution difficult at this time. With only a single known victim recorded to date, the group has demonstrated a targeting preference for the Audit, Tax Advisory, and Legal Services sector, suggesting a deliberate focus on organizations that handle sensitive financial, legal, and confidential client data — a common strategic choice among financially motivated threat actors seeking high-value exfiltration leverage. Given the group's extremely recent emergence and minimal operational footprint, detailed technical indicators regarding their initial access vectors, tooling, encryption methodology, or affiliation with broader ransomware ecosystems have not yet been publicly documented by authoritative sources such as CISA, the FBI, Mandiant, or equivalent research bodies. No confirmed affiliations with known ransomware-as-a-service platforms or established threat actor groups have been publicly established, nor have any notable high-profile campaigns, law enforcement actions, or ransom figures been attributed to this group in open-source reporting. TEAM UNDERGROUND should currently be regarded as an emerging and closely monitored threat, with its full capabilities, infrastructure, and operational scope remaining largely uncharacterized pending further observed activity and independent security research. The group has been linked to 7 public disclosures across our corpus. First observed on a leak site on May 14, 2026; most recent post June 2, 2026. The operation is currently active.

Timeline of this disclosure

June 2, 2026TPA Group Slovakia listed by TEAM UNDERGROUNDon the group's public leak site

Ransom demanded: $15 million

Sector and geography

This disclosure adds to ransomware activity in the Consulting sector. Geographically, TPA Group Slovakia is reported in Slovakia, a country with 3 ransomware disclosures in our corpus.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.