Skip to main content

Ransomware victim disclosure

All victims

TPA Group

listed as TPA Group (tpa-group.com) · Claimed by TEAM UNDERGROUND · listed 2 months ago

$281 million
Ransom
demanded
2m
Age
since listed · listed for ransom

Status timeline

  1. ListedMay 16, 2026

Current state: Listed for ransom

At a glance

Status
Listed for ransom
Listed on leak site
May 16, 2026
Ransom demanded
$281 million

About the victim

AI dossier — public-source company profile

TPA Group is a professional services firm specialising in audit, legal, accounting, and tax advisory services, operating across 12 countries in Central and Eastern Europe (CEE) and South-Eastern Europe (SEE), including Austria, Poland, Romania, Slovakia, Croatia, and others. The firm maintains numerous offices across these countries, with a particularly dense presence in Austria. It is one of the leading tax and audit firms in the CEE/SEE region.

Industry
Audit, Tax Advisory & Legal Services

Attack summary

Severity: medium — The post is a listing-only disclosure with a ransom demand but no stated data volume, no published proof files, and no explicit claim of exfiltration or encryption. The target is a major regional professional services firm whose data would likely include sensitive client financial and legal records, elevating it above low, but the absence of any proof or confirmed exfiltration details caps severity at medium.

TEAM UNDERGROUND claims an attack on TPA Group (tpa-group.com) with a ransom demand of $281 million, and a separate listing for tpa-group.sk at $15 million; no specific exfiltration volume or encryption details are provided in the post.

medium

The leak post

captured from the group's site
All data | Underground store Data Announcements All data Afghanistan Albania Algeria American Samoa Andorra Angola Anguilla Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Brazil British Virgin Islands Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Colombia Comoros Congo Congo, Democratic Republic Cook Islands Costa Rica Côte d`Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic East Timor Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guinea Guinea-Bissau Guyana Haiti Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jordan Kazakhstan Kenya Kiribati Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenst…

Sources

Source

Indexed 2 months ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About TEAM UNDERGROUND

TEAM UNDERGROUND is a ransomware group first observed in May 2026 with an apparent financial motivation, though its limited operational history makes comprehensive attribution difficult at this time. With only a single known victim recorded to date, the group has demonstrated a targeting preference for the Audit, Tax Advisory, and Legal Services sector, suggesting a deliberate focus on organizations that handle sensitive financial, legal, and confidential client data — a common strategic choice among financially motivated threat actors seeking high-value exfiltration leverage. Given the group's extremely recent emergence and minimal operational footprint, detailed technical indicators regarding their initial access vectors, tooling, encryption methodology, or affiliation with broader ransomware ecosystems have not yet been publicly documented by authoritative sources such as CISA, the FBI, Mandiant, or equivalent research bodies. No confirmed affiliations with known ransomware-as-a-service platforms or established threat actor groups have been publicly established, nor have any notable high-profile campaigns, law enforcement actions, or ransom figures been attributed to this group in open-source reporting. TEAM UNDERGROUND should currently be regarded as an emerging and closely monitored threat, with its full capabilities, infrastructure, and operational scope remaining largely uncharacterized pending further observed activity and independent security research. The group has been linked to 7 public disclosures across our corpus. First observed on a leak site on May 14, 2026; most recent post June 2, 2026. The operation is currently active.

Timeline of this disclosure

  • May 16, 2026TPA Group (tpa-group.com) listed by TEAM UNDERGROUNDon the group's public leak site
Ransom demanded
$281 million

Sector and geography

This disclosure adds to ransomware activity in the Consulting sector, which has 67 disclosures indexed across all operators we track. Geographically, TPA Group (tpa-group.com) is reported in United States, a country with 11,033 ransomware disclosures in our corpus.

If your organisation is affected

A listing by TEAM UNDERGROUND means TPA Group (tpa-group.com) appeared on a ransomware extortion site and is being pressured to pay before any publication. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

  • Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
  • Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
  • Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
  • Report the incident to your national CERT, CISA (United States), as required for your jurisdiction.
  • Monitor for the data appearing on TEAM UNDERGROUND's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.