Heavy-lift crane manufacturer Favelle Favco has been listed on the SafePay ransomware group's darknet leak site, with attackers claiming exfiltration of 237GB of corporate data spanning more than 140,000 files. The Malaysia-based group, which maintains production facilities in Prestons, Sydney, was added to the leak portal on April 16, 2026. The dataset reportedly includes scans of Australian employee passports and driver's licences, internal and customer communications, financial records, and sensitive technical and maintenance documentation tied to crane operations.

What Happened

On April 16, 2026, the SafePay ransomware crew published Favelle Favco on its darknet extortion site, signalling either a failed negotiation or a refusal to pay following an intrusion of unspecified date. SafePay used the listing to reiterate its operational posture, stating on its leak portal that "SafePay ransomware has never provided and does not provide the RaaS," distinguishing itself from affiliate-driven crews. The volume listed, 237GB across 140,000+ files, indicates sustained access to corporate file shares rather than an opportunistic smash-and-grab. Favelle Favco and related entity Kroll operate across Malaysia, Australia, the Middle East, Europe, and the US, expanding the potential blast radius beyond a single jurisdiction.

What Was Taken

The dataset is reported to contain a damaging cross-section of corporate, personal, and engineering material:

The presence of incident-specific maintenance records is particularly notable, as those documents may be material to ongoing or future legal proceedings linked to the Derrimut collapse.

Why It Matters

This leak is not a single-policy event. The combination of identity documents, customer correspondence, engineering specifications, and incident-related records means a single intrusion can simultaneously trigger exposure across cyber, professional indemnity, directors and officers, and product liability lines. For Australian privacy regulators, the inclusion of passport and licence scans almost certainly engages Notifiable Data Breach obligations. For litigants in any current or future Derrimut-related disputes, the unauthorised release of maintenance and engineering documentation could complicate evidentiary chains and disclosure positions. SafePay's track record, including the Ingram Micro intrusion in July 2025 that led to notifications for more than 42,000 individuals, and the March 2026 attack on Smile Team Orthodontics, demonstrates the group's capacity to follow through on data publication.

The Attack Technique

Public reporting on the Favelle Favco intrusion does not yet specify an initial access vector, dwell time, or the lateral movement tradecraft used to reach the file repositories from which 237GB was staged. SafePay is active across listings in the UK, US, Italy, New Zealand, Canada, Belgium, Brazil, Germany, Barbados, and Argentina. In prior incidents tracked across the wider ransomware ecosystem, it has relied on access through exposed remote services, valid account abuse, and rapid escalation against under-segmented Windows environments. Until Favelle Favco or an incident response partner releases a technical post-mortem, the specific intrusion path remains unconfirmed.

What Organizations Should Do

  1. Treat any sensitive document repository, including engineering, maintenance, and HR identity scans, as crown-jewel data and segment it behind tiered access with conditional access policies and just-in-time elevation.
  2. Hunt for SafePay-aligned activity, including unusual large-volume outbound transfers, the use of legitimate file-sync tooling for staging, and creation of new privileged accounts in the days preceding any anomalous data movement.
  3. Validate that personal identification scans (passports, licences) are encrypted at rest with strict key access controls, and review retention policies to purge documents no longer required.
  4. Rehearse the legal and regulatory notification workflow for the Notifiable Data Breaches scheme, including pre-staged communications for affected employees and customers.
  5. Confirm immutable, offline-tested backups exist for engineering, financial, and HR systems, and validate restoration timelines under a worst-case extortion scenario.
  6. Coordinate with cyber, D&O, and professional indemnity insurers in advance to clarify trigger conditions when leaked data spans multiple policy classes.
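
An added example for step 2 (not from the source reporting or from any vendor tooling): a minimal hunt that flags hosts whose daily outbound volume far exceeds their own baseline, then pairs each spike with account-creation or group-membership events from the preceding days. The telemetry, host and account names, the 5x threshold and the 7-day window are constructed assumptions; the event IDs are standard Windows Security log IDs.

```python
from datetime import date, timedelta
from statistics import median

# Windows Security log: 4720 account created; 4728/4732/4756 member added to a
# security-enabled global/local/universal group. Assumption: a production hunt
# would also filter on the names of privileged groups.
PRIV_EVENT_IDS = {4720, 4728, 4732, 4756}

# Constructed sample telemetry (illustrative only, not from the incident).
OUTBOUND = [  # (day, host, bytes sent to external addresses)
    ("2026-03-01", "fs01", 2_000_000_000), ("2026-03-02", "fs01", 2_400_000_000),
    ("2026-03-03", "fs01", 1_900_000_000), ("2026-03-04", "fs01", 2_200_000_000),
    ("2026-03-05", "fs01", 61_000_000_000),
    ("2026-03-01", "web01", 9_000_000_000), ("2026-03-02", "web01", 8_500_000_000),
    ("2026-03-03", "web01", 9_400_000_000), ("2026-03-04", "web01", 9_100_000_000),
    ("2026-03-05", "web01", 9_800_000_000),
]
ACCOUNT_EVENTS = [  # (day, event_id, account)
    ("2026-02-10", 4720, "contractor7"),
    ("2026-03-03", 4720, "svc_backup2"),
    ("2026-03-03", 4728, "svc_backup2"),
]

def volume_anomalies(outbound, factor=5.0, min_history=3):
    """Yield (day, host, bytes, baseline) for days above factor x the host's own median."""
    by_host = {}
    for day, host, sent in sorted(outbound):
        history = by_host.setdefault(host, [])
        if len(history) >= min_history and sent > factor * median(history):
            yield date.fromisoformat(day), host, sent, median(history)
        else:
            history.append(sent)  # anomalous days are kept out of the baseline

def hunt(outbound, account_events, lookback_days=7):
    """Pair each volume spike with account events logged in the preceding window."""
    findings = []
    for day, host, sent, baseline in volume_anomalies(outbound):
        start = day - timedelta(days=lookback_days)
        accounts = sorted({acct for d, eid, acct in account_events
                           if eid in PRIV_EVENT_IDS and start <= date.fromisoformat(d) <= day})
        findings.append({"day": day.isoformat(), "host": host,
                         "gb_out": round(sent / 1e9, 1), "baseline_gb": round(baseline / 1e9, 1),
                         "new_accounts": accounts, "priority": "high" if accounts else "review"})
    return findings

if __name__ == "__main__":
    for finding in hunt(OUTBOUND, ACCOUNT_EVENTS):
        print(finding)
```

A per-host median baseline keeps a consistently busy server (web01 in the sample) from masking or mimicking a spike on a normally quiet file server.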

Sources: Heavy-lift crane maker Favelle Favco faces 237GB data leak | Insurance Business