Was Ink hit by ransomware?

Ink was listed by the Dragonforce ransomware operation (United Kingdom), and stolen data was published on the group's leak site. Darkfield tracks this disclosure with the original leak post, screenshot and group context.

Who is the Dragonforce ransomware group?

Dragonforce is a ransomware operator tracked by Darkfield. See the full operator dossier for its known victims, sectors targeted, IOCs and leak-site infrastructure.

What data was leaked in the Ink breach?

Dragonforce published data attributed to Ink. Darkfield captured the leak post and a screenshot of the listing.

Ransomware victim disclosure

← All victims

Ink

Claimed by Dragonforce · listed 3 days ago

Age

since listed · data leaked

Status timeline

ListedJun 14, 2026
Data leakeddate unknown

At a glance

Group: Dragonforce
Status: Data leaked
Country: United Kingdom
Listed on leak site: Jun 14, 2026

About the victim

AI dossier — public-source company profile

INK is an award-winning digital production studio based in London specialising in CGI, animation, and retouching. The company combines technical expertise with creative design to deliver visual content across film, print, and interactive platforms for high-profile clients in automotive, technology, aerospace, and consumer brands.

Industry: Digital Production & Creative Services
Address: 445 Caledonian Road, London, N7 9BG, United Kingdom

Attack summary

Severity: high — Confirmed exfiltration of significant business data including internal documentation, software, and correspondence from a creative studio with access to sensitive client projects and proprietary materials. The post references 551 related entries suggesting broad data compromise.

The dragonforce group claims to have exfiltrated internal documentation, contractor information, software, and correspondence from INK. The post lists 551 entries of victim companies and includes only INK as the primary target; the other listed entities appear to be clients or counterparties whose data may have been accessed.

high

Data the group says was taken

AI dossier — extracted from the leak post

internal documentation
contractor information
software
correspondence
client project files
counterparty records

What the group claims

(including internal documentation, counterparties, contractors, software, correspondence, and the like) INK is an award-winning production studio based in London specialising in CGI, Animation and Retouching. We combine the technical and the beautiful to bring ideas to life across film, print and interactive platforms.

The leak post

captured from the group's site

We're opened the public registration, build your own RaaS team in 1 hour
445 Caledonian Rd, London, Greater London, United Kingdom
(including internal documentation, counterparties, contractors, software, correspondence, and the like) INK is an award-winning production studio based in Londo...
Khalifa Bin Zayed The First St - Al Danah - Zone 1 - Abu Dhabi - United Arab Emirates
At the heart of the Central Business District. Situated along the stunning Corniche stretch, our hotel’s 305 luxurious guest rooms offer breathtaking views of t...
89 & 91 Hing Wah Street West, Lai Chi Kok, Kowloon, Hong Kong
Cheoy Lee Shipyards Ltd. specializes in the design and manufacturing of a diverse range of vessels, including tugs, ferries, crew boats, pilot boats, and luxury...
Ras Al Khor Industrial Area, Dubai, United Arab Emirates
Al Ishrak Contracting Company, established in 1975 in Dubai, specializes in construction works including industrial warehouses, residential and commercial build...
Durrat Al Bahrain, P.O.Box 11416, Manama, Kingdom of Bahrain
Durrat Resort Management specializes in providing high-quality resort management services. Their offerings include operational management, marketin…

Sources

Source

Indexed 3 days ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About Dragonforce

Dragonforce is a relatively new ransomware group that emerged in December 2023, operating with apparent financial motivations based on their targeting patterns and victim selection. The group's origin and potential affiliations remain unclear due to limited public documentation from established threat intelligence sources, though their rapid accumulation of 439 documented victims suggests either sophisticated capabilities or possible connections to existing ransomware infrastructure. Based on their targeting patterns across diverse sectors including manufacturing, business services, technology, and construction, Dragonforce appears to employ opportunistic attack methodologies, though specific initial access vectors, encryption methods, and extortion tactics have not been publicly detailed by major security firms or law enforcement agencies. The group has demonstrated a preference for targeting organizations primarily in English-speaking countries and Western Europe, with the United States, United Kingdom, Germany, Australia, and Italy representing their most frequent victim locations, suggesting possible language capabilities or geographic operational preferences. As of current reporting, Dragonforce appears to remain active given their recent emergence and ongoing victim acquisition, though the lack of detailed public analysis from major threat intelligence organizations indicates either operational security measures that have limited researcher visibility or that the group has not yet conducted sufficiently high-profile attacks to warrant extensive public documentation by CISA, FBI, or established security research firms. The group has been linked to 598 public disclosures across our corpus. First observed on a leak site on December 13, 2023; most recent post June 16, 2026. The operation is currently active.

Also tracked as: DRAGON FORCE.

Timeline of this disclosure

June 14, 2026Ink listed by Dragonforceon the group's public leak site

Other recent disclosures by Dragonforce

Dragonforce has been linked to 598 public victims on Darkfield. A sample of the most recent:

Tecfi SpABusiness Services · IT · June 16, 2026

See the full Dragonforce dossier →

Sector and geography

Geographically, Ink is reported in United Kingdom, a country with 372 ransomware disclosures in our corpus.

If your organisation is affected

A listing by Dragonforce means Ink appeared on a ransomware extortion site and data attributed to it has been published. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
Report the incident to your national CERT, NCSC (United Kingdom), as required for your jurisdiction.
Monitor for the data appearing on Dragonforce's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.