Ransomware victim disclosure

Cheng Di Public Elementary School (成德國民小學)

listed as ctps.tp.edu.tw · Claimed by krybit · listed 5 days ago

Age

since listed · data leaked

Status timeline

Listed
May 26, 2026
Data leaked

At a glance

Group: krybit
Status: Data leaked
Country: TW
Sector: Education
Listed on leak site: May 26, 2026

About the victim

AI dossier — public-source company profile

Cheng Di Public Elementary School is a public elementary school located in Nangang District, Taipei City, Taiwan. It serves students in the primary education sector as part of Taiwan's public school system.

Industry: Public Education – Elementary School
Address: Nangang District, Taipei City, Taiwan

Attack summary

Severity: medium — The target is a public elementary school with potential access to student and staff records (PII), but no proof files, data samples, or confirmation of exfiltration are provided in the truncated leak post. Classification as medium reflects the sensitive nature of educational institution data and the disclosure status, despite lack of concrete evidence.

The Krybit group claims to have accessed ctps.tp.edu.tw (the school's official website domain). No specific details on data exfiltration, encryption, or operational disruption are stated in the leak post.

medium

What the group claims

ctps.tp.edu.tw — Taiwanese Public Elementary School ctps.tp.edu.tw is the official website of 臺北市南港區成...

The leak post

captured from the group's site

ctps.tp.edu.tw — Taiwanese Public Elementary School
ctps.tp.edu.tw is the official website of 臺北市南港區成德國民小學 — i.e., Cheng Di Public Elementary School in Nangang District, Taipei City

Screenshot of the leak post

Sources

Source

Indexed 5 days ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About krybit

Krybit is an emerging ransomware group that was first observed in April 2026, operating with apparent financial motivations based on their limited documented attacks against diverse sectors. The group's origin and affiliations remain unclear due to limited public intelligence, and it is unknown whether they operate as a Ransomware-as-a-Service model or as an independent entity. With only four known victims documented across geographically diverse regions including Mexico, Austria, Japan, and Botswana, the group appears to employ broad targeting rather than focused regional or sector-specific campaigns, though their attack methodology, encryption techniques, and data exfiltration practices have not been publicly documented by major security firms or law enforcement agencies. No notable high-profile campaigns or significant ransoms have been publicly reported, and no law enforcement actions against the group have been documented. Given the recent emergence of this group and extremely limited public reporting, Krybit's current operational status and capabilities remain largely unknown to the broader cybersecurity community. The group has been linked to 36 public disclosures across our corpus. First observed on a leak site on April 3, 2026; most recent post May 27, 2026. The operation is currently active.

Timeline of this disclosure

May 26, 2026ctps.tp.edu.tw listed by krybiton the group's public leak site

Sector and geography

This disclosure adds to ransomware activity in the Education sector, which has 694 disclosures indexed across all operators we track. Geographically, ctps.tp.edu.tw is reported in TW, a country with 46 ransomware disclosures in our corpus.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.