
Ransomware victim disclosure

Arkın Group

listed as Arkin Group · Claimed by Blacknevas · listed 4 days ago

Age: 3d since listed · data leaked

Status timeline

  1. Listed: Jun 30, 2026
  2. Data leaked: date unknown

At a glance

Status: Data leaked
Listed on leak site: Jun 30, 2026

About the victim

AI dossier — public-source company profile

Arkın Group is a luxury hotel chain operating in Northern Cyprus, with premium properties including The Arkın Colony, The Arkın Iskele, and Arkın Palm Beach Casino. The group caters to high-net-worth clients and operates a casino facility as part of its portfolio.

Industry: Hospitality & Gaming (Hotels, Casinos)
Address: Northern Cyprus

Attack summary

Severity: critical — Confirmed exfiltration of 1.4 TB including PII at scale (guest profiles, passports), financial data (payment credentials, casino transactions), and sensitive regulatory compliance records (KYC/AML). Data publicly auctioned. High-value targets (casino patrons, HNW individuals) face physical security, fraud, and extortion risks. Regulatory exposure for Northern Cyprus jurisdiction.

Threat group blacknevas (attributed to 'CryptoRex' in the report) exfiltrated approximately 1.4 TB of data from Arkın Group through a compromised employee reservations account. Stolen data includes guest profiles, financial records, casino player databases, passport scans, and KYC/AML compliance documentation. Portions of the data have been auctioned on darknet marketplaces.

Data the group says was taken

AI dossier — extracted from the leak post
  • Full guest profiles (passport details, contact information, stay history)
  • Financial booking details and payment credentials
  • Internal CRM system with VIP client notes
  • Casino database (player IDs, deposits, visit frequency, chip transactions)
  • Scanned passports
  • KYC/AML compliance forms and source-of-funds questionnaires

What the group claims

CYBERSECURITY: ARKIN HOTEL GROUP SUFFERS MASSIVE DATA BREACH — OVER 1 TB OF GUEST AND CASINO DATA STOLEN

Cybersecurity experts from Cyclops Threat Intelligence have reported a critical incident affecting the Arkın Group hotel chain (www.arkingroup.com), including its premium properties The Arkın Colony, The Arkın Iskele, and Arkın Palm Beach in Northern Cyprus. According to preliminary assessments, the attackers managed to exfiltrate over one terabyte of internal documents, customer databases, and transaction logs, including confidential information from the Arkın Palm Beach Casino.

▎Attack details

Analysts have established that the attackers gained initial access through a compromised employee account in the reservations department. Using legitimate remote administration tools, they gradually expanded their privileges, bypassed network segmentation, and exfiltrated a dataset totalling approximately 1.4 TB. Some of the stolen information has already surfaced on underground forums and darknet marketplaces.

The stolen data includes:

  • Full guest profiles (passport details, phone numbers, addresses, stay history);
  • Financial details of bookings and payment credentials;
  • The internal CRM system with staff notes on VIP clients;
  • Casino database: player IDs, deposit amounts, visit frequency, records of chip exchange transactions and fund movements;
  • Scanned passports, compliance check forms (KYC/AML), including source-of-funds questionnaires for high rollers.

▎Objective and likely operator

Based on the intrusion characteristics and tactics used, experts link the incident to the threat group “CryptoRex” (tracked since 2023), which specialises in attacking hospitality and gambling businesses in the Mediterranean region. A combination of financial extortion and data sale to multiple buyers is considered likely. So far, no official ransom demand has been received, but portions of the archives have been put up for auction with a starting price of 8 bitcoins.

▎Potential consequences of the leak

The leakage of confidential guest and especially casino client data entails a cascade of risks that go far beyond reputational damage.

1. Personal security of high-net-worth guests

The VIP casino player database, containing passport details, habits, and financial capabilities, serves as a direct “directory” for kidnappers, extortionists, and organised crime groups. Affected individuals may face real threats to their physical safety, as well as targeted blackmail (e.g., threats to expose gambling activity to business partners or family members in countries where gambling is stigmatised).

2. Financial fraud

Payment data from hotel guests and credit/debit cards linked to casino accounts will enable unauthorised transactions. Given the high credit limits of casino patrons, the scale of potential phishing and card fraud is assessed as very significant.

3. Compliance nightmare and regulatory fines

Although the international casino operators in Northern Cyprus do not directly fall under GDPR, many guests are citizens of the EU, the UK, and CIS countries. The breach demonstrates a flagrant failure to meet personal data protection standards. Lawsuits by affected individuals in national courts and scrutiny by international payment systems (Visa, Mastercard) are possible, which could suspend acquiring services.

4. Risks to the casino itself and the jurisdiction

[6/9/2026 1:09 PM] ChatGPT 5 | Deepseek | Claude: The exposure of internal AML records documenting the origin of funds and possible links to politically exposed persons could spark money-laundering investigations. For Northern Cyprus’s gambling zone, already under close watch by the FATF, this could lead to tighter international financial monitoring and being placed on grey lists.

5. Reputational ruin

No wealthy client will entrust their data to a hotel incapable of protecting basic IT infrastructure. Trust in the Arkın brand, which for decades has built an image of secluded luxury, will be undermined for years. Competitors in the elite leisure market, especially in Dubai, Monaco, and the Maldives, will immediately exploit the situation to poach wary clientele.

▎Analysts’ recommendations

Cyclops Threat Intelligence strongly advises all individuals who have ever stayed at Arkın hotels or visited Arkın Palm Beach Casino to:

  • Immediately block and reissue any bank cards used;
  • Monitor credit reports for new applications;
  • Enable additional authentication factors on email and financial services;
  • Be highly critical of any incoming calls or messages demanding identity confirmation or fund transfers — these could be targeted attacks using contextual details from the leaked staff notes.

The Arkın Group press office has not yet responded to official inquiries. The company’s website remains operational, but online booking sections are temporarily unavailable. Northern Cyprus authorities stated that they are “aware of the incident” and have begun consultations with EU experts under a cyber-resilience programme.

Report prepared by the Thomson Reuters cybersecurity desk based on the Cyclops Threat Intelligence analytical brief.

Sources

Indexed 4 days ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Disclosure context

About blacknevas

Blacknevas is an emerging ransomware group that was first observed in August 2025, appearing to be primarily financially motivated based on their targeting patterns and operational characteristics. The group's origin and potential affiliations remain unclear due to limited public documentation from established threat intelligence sources, though their diverse geographic targeting suggests either a distributed operation or broad opportunistic approach.

Based on available victim data, Blacknevas has compromised at least 23 organizations across multiple countries, with the United States, Spain, India, Japan, and Thailand being the most frequently targeted nations, while their sector focus spans technology, manufacturing, energy, and consumer services industries, suggesting they employ opportunistic rather than sector-specific targeting methodologies. The group's attack vectors, specific tools, and whether they operate as a Ransomware-as-a-Service model or maintain independent operations have not been publicly documented by major cybersecurity firms or government agencies. Due to the group's recent emergence in August 2025, there is insufficient public reporting from established sources like CISA, FBI, or major threat intelligence providers to detail notable campaigns or significant attacks beyond the confirmed victim count. Given the recency of their first observed activity, Blacknevas appears to remain active as of late 2025, though comprehensive threat intelligence profiles from authoritative sources have yet to be published.

The group has been linked to 34 public disclosures across our corpus. First observed on a leak site on August 6, 2025; most recent post June 30, 2026. The operation is currently active.

Also tracked as: black nevas.

Timeline of this disclosure

  • June 30, 2026: Arkin Group listed by blacknevas on the group's public leak site

Sector and geography

This disclosure adds to ransomware activity in the Business Services sector, which has 3,796 disclosures indexed across all operators we track.

If your organisation is affected

A listing by blacknevas means Arkin Group appeared on a ransomware extortion site and data attributed to it has been published. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

  • Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
  • Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
  • Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
  • Monitor for the data appearing on blacknevas's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.