Was KoMiCo hit by ransomware?

KoMiCo was listed by the anubis ransomware operation, and stolen data was published on the group's leak site. Darkfield tracks this disclosure with the original leak post, screenshot and group context.

Who is the anubis ransomware group?

anubis is a ransomware operator tracked by Darkfield. See the full operator dossier for its known victims, sectors targeted, IOCs and leak-site infrastructure.

What data was leaked in the KoMiCo breach?

anubis published data attributed to KoMiCo. Darkfield captured the leak post and a screenshot of the listing.

Ransomware victim disclosure

← All victims

KoMiCo

Claimed by Anubis · listed 5 hours ago

Today

Age

since listed · data leaked

Status timeline

ListedJun 15, 2026
Data leakeddate unknown

At a glance

Group: Anubis
Status: Data leaked
Listed on leak site: Jun 15, 2026

About the victim

AI dossier — public-source company profile

KoMiCo is a South Korean public company founded in 1996, headquartered in Anseong-si. It specializes in precision cleaning and special coating services for semiconductor equipment parts, serving the semiconductors, displays, and solar photovoltaics industries. The company has a market capitalization of approximately $1.66 billion.

Industry: Semiconductor Equipment Cleaning & Coating Services
Address: Anseong-si, South Korea
Founded: 1996

Attack summary

Severity: critical — Confirmed exfiltration of PII at scale (employee identification documents, salary data) combined with sensitive non-public financial information from a publicly traded company with $1.66B market cap. Exposure of confidential personnel files and internal financial data not normally disclosed to shareholders represents material breach of regulated company data.

The Anubis group claims to have exfiltrated internal company data including non-public financial records, employee personal information (identification documents, salary data), and confidential personnel files from the publicly traded company.

critical

Data the group says was taken

AI dossier — extracted from the leak post

financial records
salary data
employee identification documents
personnel files
non-public financial information

What the group claims

Inside the internal data of a publicly traded company.

The leak post

captured from the group's site

, founded in 1996, is a public company headquartered in Anseong-si, South Korea. Specializing in precision cleaning and special coating services for semiconductor equipment parts, KoMiCo serves industries including semiconductors, displays, and solar photovoltaics.
The internal data you will see here reveals a detailed picture of the company’s financial position. Although the company is publicly traded, it is only required to disclose a limited portion of its financial information. This means that a significant amount of the financial data exposed in this leak may be seen for the first time even by shareholders.
Among the internal company data are documents that are strictly non-public, including employee personal information such as identification documents, financial records like salary data, and various other confidential personnel files.
Once again, it is worth noting that a company always has the opportunity to prevent a data breach, and in most cases, this ultimately comes down to financial investment. The company in question is no exception, yet it appears to have allowed the situation to unfold—a questionable decision given that its current market capitalization stands at a…

Sources

Leak posthttp://om6q4a6cyipxvt7ioudxt24cw4oqu4yodmqzl25mqd2hgllymrgu4aqd.onion/r/F3TB5nyWk7efxUlZ6toKtFCKcPvgXLUwyph+uvlzaWUPwLGxJxReO73XPbuPl5Y27QJHUzDNSYzUN49O3slD0NuYTI5WXBm

Source

Indexed 5 hours ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About anubis

Anubis is a recently emerged ransomware group that began operations in February 2025, primarily motivated by financial gain through encryption and extortion attacks. The group has demonstrated rapid expansion, accumulating 65 documented victims within a short operational timeframe. Given the group's recent emergence, limited information is publicly available regarding their specific country of origin, organizational structure, or confirmed affiliations with other cybercriminal entities, though their operational patterns suggest they may operate as an independent group or small-scale ransomware-as-a-service operation. Their attack methodology appears to focus on opportunistic targeting across multiple geographic regions, with victims concentrated primarily in the United States, Australia, Canada, the United Kingdom, and France, indicating either English-language proficiency or the use of automated tools that facilitate cross-border operations. The group demonstrates a clear preference for targeting healthcare organizations and manufacturing companies, followed by business services and technology sectors, suggesting they prioritize organizations with critical operational dependencies that may be more likely to pay ransoms quickly. Due to the group's recent emergence in early 2025, there is insufficient publicly documented information from established cybersecurity firms or law enforcement agencies regarding their specific technical capabilities, encryption methods, or whether they employ double or triple extortion tactics involving data theft and leak sites. As of current reporting, Anubis remains an active threat with continued victim acquisition, though the full scope of their capabilities and long-term operational sustainability remains to be determined as security researchers continue to analyze their activities. The group has been linked to 84 public disclosures across our corpus. First observed on a leak site on February 25, 2025; most recent post June 15, 2026. The operation is currently active.

Timeline of this disclosure

June 15, 2026KoMiCo listed by anubison the group's public leak site

Other recent disclosures by anubis

anubis has been linked to 84 public victims on Darkfield. A sample of the most recent:

See the full anubis dossier →

If your organisation is affected

A listing by anubis means KoMiCo appeared on a ransomware extortion site and data attributed to it has been published. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
Monitor for the data appearing on anubis's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.