Ransomware victim disclosure
← All victimsOneDealer
Claimed by Hellcat · listed 1 year ago
Status timeline
- ListedFeb 28, 2025
- Data leakeddate unknown
At a glance
About the victim
AI dossier — public-source company profileOneDealer is a B2B software platform providing automotive network management (ANM) solutions for OEMs, importers, and dealer groups. The company operates across Europe and the Middle East, supporting 50+ automotive networks and 1,000+ dealerships with digital sales, marketing, and after-sales management tools. It serves major automotive brands including Hyundai, BMW, Audi, Kia, and Škoda.
- Industry
- Automotive Software & Digital Transformation
Attack summary
Severity: critical — Exfiltration of 330,000+ records containing PII (customer data), vehicle identifiers (VINs/license plates), and business intelligence from a centralized automotive network platform affecting major OEMs and dealer groups. The scale, data sensitivity, and downstream impact on multiple regulated entities justifies critical classification.Hellcat claims to have exfiltrated over 330,000 records from OneDealer's partner network, including sales reports, leads, customer data, vehicle identification numbers (VINs), and license plates. The breach exposed data from multiple automotive dealers and OEM partners stored within the platform.
Data the group says was taken
AI dossier — extracted from the leak post- sales reports
- sales leads
- customer data
- vehicle VINs
- license plates
- partner company information
What the group claims
We have obtained over 330,000 records from OneDealer partners, including sales reports, leads, customer data, and vehicle details with VINs and license plates. Affected companies include AutoHellas, AutoBesikos, KosmoCar, AWT, Karenta AE, QA, Proaxia, Hyundai, BMW, Audi, Kia,
Sources
- Victim siteonedealer.com
Source
Indexed 1 year agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
Is this your supplier? Your competitor? You?
Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

