FBI warns of in-person data theft attacks from extortion gang

FBI warns of in-person data theft attacks from extortion gang

HomeNewsSecurityFBI warns of in-person data theft attacks from extortion gang

FBI warns of in-person data theft attacks from extortion gang By Sergiu Gatlan May 27, 2026 07:51 AM 0 The FBI warned on Tuesday that the Silent Ransom Group (SRG) extortion gang is now targeting U.S.-based law firms in in-person data theft attacks. "As of Spring 2026, SRG actors use a social engineering scheme to pose as an employee from the victim's IT department. SRG actors either directly call or send phishing emails to urge employees to call the SRG actor posing as IT support," the FBI warned in a Tuesday flash alert. "While on the phone, the SRG actor directs the employee to grant access to a remote desktop session. If that attempt fails, SRG sends a threat actor to the victim's location to gain access to insert a storage device into the victim's computer." By going to the victim's location in person, the malicious actors can steal data by connecting USB drives or external hard drives to the victim's computer. The FBI included the unauthorized installation of external hard drives or USB drives on company computers, and the presence of unidentified or unauthorized individuals claiming to be IT support and attempting to access computers, as possible indicators of an SRG attack. "Through phone calls and phishing emails, SRG actors pose as IT support to establish access to victim computers and exfiltrate data, usually through legitimate remote access tools or by sending an individual in-person to the victim company's location to gain physical access to computers," the FBI added. SRG uses the stolen data to extort the victims by sending a ransom email that threatens to sell or post it on their leak site, and will also call the victims' employees or clients to pressure them into beginning ransom negotiations. Also known as Luna Moth, Chatty Spider, and UNC3753, this cybercrime gang has been active since at least 2022 and has been targeting legal and financial organizations in the United States since early 2023. As previously reported by BleepingComputer, the same group of threat actors was also linked to BazarCall campaigns that provided initial access to corporate networks in Conti and Ryuk ransomware attacks. In March 2022, after the Conti shutdown, they separated from the cybercrime syndicate and formed the Silent Ransom Group (SRG), known for data theft and extortion operations following targeted phishing attacks. This week's flash alert follows a May 2025 FBI private industry notification warning that the same extortion gang had been targeting U.S. law firms in callback phishing and social engineering attacks for more than two years. A May 2025 EclecticIQ report detailing the cybercrime group's attacks on legal and financial institutions in the United States also revealed that the attackers register domains to "impersonate IT helpdesk or support portals for major U.S. law firms and financial services firms, using typosquatted patterns."

The Validation Gap: Automated Pentesting Answers One Question. You Need Six. Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.This guide covers the 6 surfaces you actually need to validate. Download Now

Related Articles: New BlackFile extortion group linked to surge of vishing attacksFBI links cybercriminals to sharp surge in cargo theft attacksMicrosoft: Teams increasingly abused in helpdesk impersonation attacksFBI takedown of W3LL phishing service leads to developer arrest7-Eleven confirms data breach claimed by the ShinyHunters gang Cybercrime

Data Theft

Extortion

FBI

Impersonation

in-person

IT Support

Luna Moth

Phishing

Silent Ransom Group

Social Engineering

Sergiu Gatlan Sergiu is a news reporter who has covered the latest cybersecurity and technology developments for over a decade. Email or Twitter DMs for tips.

Previous Article

Post a Comment Community Rules You need to login in order to post a comment Not a member yet? Register Now

You may also like:

  Upcoming Webinar Popular Stories FBI warns of Kali365 phishing service targeting Microsoft 365 accounts

Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign

Anthropic’s restricted Claude Mythos model may be coming to Claude Code

Sponsor Posts Protect Your Business from Ecommerce Fraud

AI is a data-breach time bomb: Read the new report

33% Rise in Healthcare Credential Theft in 2025: What you need to know

Overdue a password health-check? Audit your Active Directory for free

  Upcoming Webinar

Login Username Password Remember Me Sign in anonymously Sign in with Twitter Not a member yet? Register Now

Reporter Help us understand the problem. What is going on with this comment? Spam Abusive or Harmful Inappropriate content Strong language Other Read our posting guidelinese to learn what content is prohibited. Submitting... SUBMIT