A ransomware gang calling itself D1R claims to have stolen sensitive engineering data from German engineering giant Bosch, allegedly obtained through a breach of US chip-design and electronic design automation firm Synopsys. According to reporting from Cybernews, D1R has listed Bosch on its dark web leak site and set an 11-day countdown for the company to make contact and negotiate before the files are published. A separate listing targets Synopsys directly, with the gang claiming to have exfiltrated a database of 40,000 corporate clients under the same deadline.
What Happened
D1R, a newly surfaced ransomware operation with only three victims currently listed on its leak site, posted Bosch to its extortion portal along with a data sample and a directory listing of allegedly stolen files. Rather than claiming a direct intrusion into Bosch's own infrastructure, the gang says the data was pulled from an alleged compromise of Synopsys, whose software is widely used across the semiconductor and electronic design automation industry. If accurate, this frames the incident as a third-party supply chain breach, in which attackers compromise a technology provider to reach downstream customer data. The full scope of the breach remains unconfirmed, and little is publicly known about D1R's tactics, infrastructure, or affiliations.
What Was Taken
The published sample points to hardware communications material tied to Bosch products. One screenshot shows the first page of a Controller Area Network (CAN) user manual, the industry-standard communication protocol Bosch originally developed in 1983 and which underpins electronics in cars, trains, aircraft, embedded systems, and consumer devices. More concerning is the directory listing, which Cybernews researchers noted includes numerous .vhd files alongside other project files. Those files could contain VHDL source code, used to design hardware through code. If legitimate, such material could expose proprietary hardware development details. In the separate Synopsys entry, D1R claims possession of a client database covering roughly 40,000 corporate customers.
Why It Matters
The exposure of VHDL design files and hardware communication documentation carries strategic weight beyond a typical data leak. As Cybernews researchers put it, this "increases the risk of exposing how Bosch designs its hardware, which could be valuable both to competitors and to attackers interested in hardware hacking." Leaked design-level intellectual property can erode competitive advantage and, critically, hand adversaries a blueprint for identifying weaknesses in widely deployed hardware. Because CAN and Bosch components appear in everything from household appliances to automotive systems, the downstream risk surface is broad. The alleged Synopsys angle amplifies the concern: a single compromised EDA provider could expose confidential design data belonging to a large slice of the semiconductor supply chain.
The Attack Technique
D1R attributes its access to an alleged breach of Synopsys rather than a direct compromise of Bosch systems, positioning the event as a classic supply chain intrusion. In this model, the attacker targets a trusted third-party vendor whose tools, platforms, or repositories hold customer engineering data, then leverages that foothold to exfiltrate information belonging to the vendor's clients. The specific initial access vector, whether stolen credentials, an exploited vulnerability, or exposed cloud storage, has not been disclosed. Both the Bosch and Synopsys listings use the same 11-day negotiation window, a pressure tactic typical of double-extortion operations that pair data theft with the threat of public disclosure. Given D1R's short track record, defenders should treat attribution and stated methods as unverified claims pending confirmation.
What Organizations Should Do
- Inventory and assess third-party and vendor relationships, especially EDA, CAD, and design-tool providers that hold or process proprietary engineering data, and demand clear breach-notification commitments.
- Enforce least-privilege access and strong multi-factor authentication on all vendor-facing accounts, shared repositories, and cloud storage where design files reside.
- Classify and segment intellectual property such as VHDL source, schematics, and protocol documentation, restricting access and monitoring for bulk exfiltration.
- Monitor dark web leak sites and threat intelligence feeds for mentions of your organization and key suppliers so extortion listings are caught early.
- Establish an incident response and legal playbook for third-party breaches, including ransom-demand handling, regulatory notification, and customer communication.
- Validate the integrity and provenance of hardware designs and toolchains, and prepare for the possibility that leaked design data could enable targeted hardware attacks.
Sources: Hackers threaten to leak Bosch engineering data after alleged Synopsys hack | Cybernews