On April 13, 2026, ransomware group DragonForce claimed responsibility for a cyberattack against Eldorado Trading Group (edtg.com), a U.S.-based firm operating in the banking sector. The group asserts it exfiltrated sensitive data from the organization's network and is threatening public release unless negotiations begin. No ransom figure has been disclosed publicly.
What Happened
DragonForce posted a claim on its dark web leak site on April 13, 2026, naming Eldorado Trading Group as a victim. The group's statement reads: "Your network was compromised, and sensitive data was extracted. We demand negotiations to prevent data leak." As of publication, Eldorado Trading Group has not issued a public statement confirming or denying the breach. The threat follows the group's established double-extortion model: infiltrate, exfiltrate, encrypt, and apply escalating public pressure through a countdown to data release.
What Was Taken
The specific categories and volume of exfiltrated data have not been independently verified. DragonForce's claim implies access to sensitive internal records consistent with a banking-sector target, which could include customer account data, transaction records, KYC and AML documentation, internal communications, and employee personally identifiable information. The full scope of the exfiltration will only become clear through forensic investigation or if the group begins publishing samples on its leak site.
Why It Matters
Banking-sector targets carry elevated risk for downstream victims. Data exfiltrated from a financial firm can enable fraud, identity theft, and targeted social engineering campaigns against both retail and institutional clients. DragonForce has demonstrated a pattern of targeting mid-sized financial and critical infrastructure organizations, where security posture may lag behind enterprise-scale peers but data value remains high. A confirmed breach at a U.S. banking entity also carries potential regulatory exposure under the Gramm-Leach-Bliley Act, SEC incident disclosure rules, and applicable state breach notification statutes, compounding operational disruption with legal and reputational pressure.
The Attack Technique
The initial access vector for this intrusion has not been publicly disclosed. DragonForce affiliates have historically leveraged phishing campaigns, exposed RDP endpoints, and credential stuffing using data sourced from infostealer malware logs to establish initial footholds. Once inside, the group typically deploys legitimate remote management tooling for lateral movement before staging data for exfiltration and deploying ransomware payloads across the network. Organizations in this sector should treat credential exposure from third-party breaches and infostealer infections as high-priority precursor indicators requiring immediate action.
What Organizations Should Do
- Conduct a compromise assessment immediately. Determine the scope of access, identify any persistence mechanisms left behind, and preserve forensic artifacts before remediation steps alter the evidence trail.
- Audit exposed credentials. Cross-reference employee and service account credentials against known infostealer log dumps and dark web markets. Force rotation on any accounts with confirmed or suspected external exposure.
- Harden the external attack surface. Audit all internet-facing services, disable unnecessary RDP and remote access paths, and enforce phishing-resistant MFA on every authentication entry point without exception.
- Validate backup integrity. Confirm that backups are current, encrypted, and stored in an offline or immutable environment that is network-isolated from the primary infrastructure.
- Engage incident response counsel before any negotiation. Do not initiate direct contact with the ransomware group without legal guidance. Retaining outside IR counsel preserves privilege protections during any subsequent regulatory response.
- Monitor the leak site actively. Track DragonForce's publication platform for sample releases or countdown updates. Early visibility into published data allows faster client notification and regulator disclosure.
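As an added illustration of the credential-audit step above (example code written for this page, not from DeXpose or the firm): a small Python triage script that matches constructed infostealer-style log lines against an assumed set of corporate domains and an assumed account export, and reports which accounts need forced rotation without ever retaining the captured secrets.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the URL:USER:PASS layout common to infostealer dumps.
# These are made-up values for illustration, not real leaked credentials.
SAMPLE_STEALER_LOG = """\
https://mail.example-bank.test/owa:jdoe@example-bank.test:Winter2025!
https://vpn.example-bank.test:jsmith:Summer2024
https://shop.unrelated.test:buyer42:hunter2
https://portal.example-bank.test/login:svc-backup@example-bank.test:backup#1
https://mail.example-bank.test/owa:jdoe@example-bank.test:Winter2025!
https://forum.unrelated.test:mchen@gmail.test:ilovecats
not a parseable line
"""

CORPORATE_DOMAINS = {"example-bank.test"}                  # assumed tenant domains
KNOWN_ACCOUNTS = {"jdoe", "jsmith", "svc-backup", "mchen"}  # assumed IdP export

# URL (optional scheme, host, optional path), then user, then secret.
# Assumes no explicit port in the host; a port would need a richer parser.
LINE_RE = re.compile(
    r"^(?P<url>(?:[a-z]+://)?[^:\s/]+(?:/[^:\s]*)?):(?P<user>[^:\s/]+):(?P<secret>.+)$"
)

def parse_line(line: str):
    """Return (host, user) for a stealer-log line, or None. The secret is discarded."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = m["url"] if "://" in m["url"] else "//" + m["url"]
    return (urlsplit(url).hostname or "").lower(), m["user"].lower()

def in_corporate_domain(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in CORPORATE_DOMAINS)

def accounts_to_rotate(log_text: str) -> dict[str, list[str]]:
    """Map each corporate account seen in the log to the hosts it was captured for."""
    hits: dict[str, set[str]] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        host, user = parsed
        local, _, dom = user.partition("@")
        # Flag corporate e-mail logins, bare usernames from the IdP export,
        # or any credential captured for a corporate-domain service.
        corp_user = (dom and in_corporate_domain(dom)) or (not dom and local in KNOWN_ACCOUNTS)
        if corp_user or in_corporate_domain(host):
            key = local if (not dom or in_corporate_domain(dom)) else user
            hits.setdefault(key, set()).add(host)
    return {k: sorted(v) for k, v in sorted(hits.items())}

if __name__ == "__main__":
    for acct, hosts in accounts_to_rotate(SAMPLE_STEALER_LOG).items():
        print(f"rotate {acct}: seen on {', '.join(hosts)}")
```

Duplicate entries collapse into one finding per account, and a personal-mailbox login that happens to share a corporate username is not flagged unless it was captured against a corporate host.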
Sources: DragonForce Hits Eldorado Trading Group with Ransomware Attack - DeXpose