Ransomware victim disclosure
← All victimsESOP Direct
listed as esopdirect.com · Claimed by LockBit · listed 7 months ago
Status timeline
- ListedDec 31, 2025
- Data leakeddate unknown
At a glance
- Group
- LockBit
- Status
- Data leaked
- Country
- India
- Sector
- Financial Services
- Listed on leak site
- Dec 31, 2025
About the victim
AI dossier — public-source company profileESOP Direct is an India-based firm specializing in the equity compensation domain, offering services including plan design and administration of Employee Stock Ownership Plans (ESOPs). The company serves corporate clients managing equity-based employee benefit programs. Its focus is on the legal, financial, and administrative aspects of equity compensation.
- Industry
- Equity Compensation & ESOP Administration Services
Attack summary
Severity: critical — ESOP Direct handles sensitive financial and employee compensation data including personal and financial records of plan participants at scale; data has been confirmed published (data_published status), making this a critical disclosure of regulated financial and PII data in the financial services sector.LockBit claims to have attacked ESOP Direct and has published data from the breach. The disclosed status indicates data has been exfiltrated and published, though the specific data volume was not stated in the leak post.
Data the group says was taken
AI dossier — extracted from the leak post- Equity compensation plan documents
- Employee stock ownership records
- Corporate client data
- Financial compensation data
- Personally identifiable information of plan participants
What the group claims
ESOP Direct: ESOP Direct, focussed on the Equity compensation domain, is engaged in Plan Design, Le...
Sources
- Victim siteesopdirect.com
Source
Indexed 7 months agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
Is this your supplier? Your competitor? You?
Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

