Ransomware victim disclosure

ECCI SRL

listed as ecci-srl.com · Claimed by krybit · listed 5 days ago

Age

since listed · data leaked

Status timeline

Listed
May 30, 2026
Data leaked

At a glance

Group: krybit
Status: Data leaked
Country: IT
Sector: Business Services
Listed on leak site: May 30, 2026

About the victim

AI dossier — public-source company profile

ECCI SRL is an Italian construction and real estate development company specializing in property project execution. The company operates a quality control department focused on monitoring and overseeing construction work delivery, with noted involvement in projects in Santa Cruz.

Industry: Real Estate Development & Construction

Attack summary

Severity: medium — Data has been published by the threat actor, indicating confirmed exfiltration. However, without detailed inventory of sensitive categories (financial, PII scale, or regulatory data) and no operational disruption claims, severity remains medium rather than high.

Krybit claims to have attacked ECCI SRL and exfiltrated data. The group has published data, though the specific nature of exfiltrated files and operational impact are not detailed in the available post excerpt.

medium

Data the group says was taken

AI dossier — extracted from the leak post

Quality control records
Project documentation
Construction execution data

What the group claims

Empresa dedicada al rubro de construcción de proyectos inmobiliarios, particularmente la Ciudad Nueva Santa Cruz. El á...

The leak post

captured from the group's site

Empresa dedicada al rubro de construcción de proyectos inmobiliarios, particularmente la Ciudad Nueva Santa Cruz. El área de control de calidad se orienta al seguimiento y control de calidad de la ejecución de las obras de la empresa

Sources

Source

Indexed 5 days ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About krybit

Krybit is an emerging ransomware group that was first observed in April 2026, operating with apparent financial motivations based on their limited documented attacks against diverse sectors. The group's origin and affiliations remain unclear due to limited public intelligence, and it is unknown whether they operate as a Ransomware-as-a-Service model or as an independent entity. With only four known victims documented across geographically diverse regions including Mexico, Austria, Japan, and Botswana, the group appears to employ broad targeting rather than focused regional or sector-specific campaigns, though their attack methodology, encryption techniques, and data exfiltration practices have not been publicly documented by major security firms or law enforcement agencies. No notable high-profile campaigns or significant ransoms have been publicly reported, and no law enforcement actions against the group have been documented. Given the recent emergence of this group and extremely limited public reporting, Krybit's current operational status and capabilities remain largely unknown to the broader cybersecurity community. The group has been linked to 41 public disclosures across our corpus. First observed on a leak site on April 3, 2026; most recent post June 3, 2026. The operation is currently active.

Timeline of this disclosure

May 30, 2026ecci-srl.com listed by krybiton the group's public leak site

Sector and geography

This disclosure adds to ransomware activity in the Business Services sector, which has 2,643 disclosures indexed across all operators we track. Geographically, ecci-srl.com is reported in IT, a country with 195 ransomware disclosures in our corpus.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.