FulcrumSec, also known as The Threat Thespians, has gone public with a dedicated leak site claiming 21 victims and announcing two active campaigns, according to a May 11, 2026 report from MOXFIVE analyst Dylan Duncan. The cloud-focused extortion crew, active since September 2025, has hit technology, professional services, financial, and healthcare organizations across multiple countries, with additional targets identified on the site only by revenue, some in the tens of billions of dollars.

What Happened

FulcrumSec launched a public leak site branded "Index of /Shame" listing 21 claimed victims and naming two additional campaigns already in progress. The group publishes stolen data when victims refuse to pay and escalates personally when targets push back. MOXFIVE notes that despite the group's stated commitment in initial outreach communications never to target healthcare organizations, healthcare victims have appeared on the site alongside technology, professional services, and financial sector entities. Unlike conventional ransomware crews, no encryption activity or ransomware binary has been observed across any known FulcrumSec operation. The group operates as a pure data theft and extortion outfit, focused exclusively on enterprise cloud environments.

What Was Taken

FulcrumSec exfiltrates data directly from cloud storage and data platform environments, including AWS, Azure, Google Cloud Platform, Databricks, and MongoDB, using standard platform tooling rather than custom malware. The group concentrates on organizations where sensitive data accumulates in cloud-native infrastructure: AI platforms, SaaS providers, and cloud-first enterprises. Confirmed targeting includes information repositories and cloud storage objects, mapping to MITRE techniques T1530 (Data from Cloud Storage Object) and T1213 (Data from Information Repositories). Specific volumes per victim were not disclosed in the public reporting, but the breadth of 21 confirmed victims plus two ongoing campaigns indicates a substantial cumulative theft footprint across multiple sectors.

Why It Matters

FulcrumSec represents a maturing class of cloud-native extortion actor that abandons encryption entirely and weaponizes the leak site as the sole pressure mechanism. The group's public self-documentation of techniques on its own campaign pages signals confidence and a recruiting or branding posture aimed at sustained operations. Their stated ethical commitments are unreliable: the public victim list contradicts their initial healthcare carve-out, meaning defenders in regulated sectors cannot count on actor self-restraint. The mix of n-day exploitation, dormant credential abuse, and opportunistic harvesting of exposed cloud storage makes FulcrumSec a credible threat to any organization with imperfect patch cadence or weak cloud posture management.

The Attack Technique

FulcrumSec relies on three documented intrusion paths. The first is exploitation of CVE-2025-55182, known as React2Shell, an unauthenticated remote code execution flaw in React Server Components, reachable on any unpatched React 19 application (or framework built on it, such as Next.js) that exposes a server-component endpoint to the internet. MOXFIVE documented at least one intrusion in which the victim had still not patched more than two months after the flaw was listed as actively exploited, and saw the same vulnerability reused against additional targets five weeks later. The second is abuse of dormant credentials and API keys for initial cloud access. The third, central to the Index of /Shame campaign, requires no exploitation at all: the group scans for staging servers and cloud storage buckets left publicly accessible through basic misconfigurations. Mapped MITRE ATT&CK techniques are T1190 (Exploit Public-Facing Application), T1552.005 (Cloud Instance Metadata API), T1552.001 (Unsecured Credentials: Credentials in Files), T1580 (Cloud Infrastructure Discovery), and T1567 (Exfiltration Over Web Service).
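As an added example, not code from the MOXFIVE report or anything attributed to FulcrumSec, the following Python detection runs over constructed CloudTrail-shaped S3 data events and looks for the two cloud-side traces the dormant-credential path and the storage exfiltration leave behind: an access key that had been idle for months suddenly issuing requests, and one (key, source IP) pair pulling many objects inside a short window. The access key IDs, bucket names, object names and the source address 203.0.113.10 (TEST-NET-3) are all hypothetical, and the last-used dates stand in for what an IAM credential report would provide.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Last-used dates per access key, as an IAM credential report would give them.
# Constructed data: the key IDs are hypothetical, not from the MOXFIVE report.
KEY_LAST_USED = {
    "AKIAAPPPROD000000001": datetime(2026, 5, 3, tzinfo=timezone.utc),   # daily use
    "AKIACIBUILDLEGACY001": datetime(2025, 12, 20, tzinfo=timezone.utc), # idle CI key
}


def _event(ts, name, key, ip, bucket, obj, out_bytes):
    """One CloudTrail-shaped S3 data event (constructed test data)."""
    return {
        "eventTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventName": name,
        "userIdentity": {"accessKeyId": key},
        "sourceIPAddress": ip,
        "requestParameters": {"bucketName": bucket, "key": obj},
        "additionalEventData": {"bytesTransferredOut": out_bytes},
    }


def constructed_events():
    """Constructed log: normal app reads, then a dormant key draining a bucket."""
    base = datetime(2026, 5, 4, 9, 0, tzinfo=timezone.utc)
    events = [
        _event(base + timedelta(minutes=15 * i), "GetObject", "AKIAAPPPROD000000001",
               "10.0.1.5", "acme-datalake", f"daily/report-{i}.csv", 20_000)
        for i in range(4)
    ]
    # The idle CI key wakes up from an unfamiliar address (203.0.113.10 is
    # TEST-NET-3) and pulls 40 objects in under four minutes.
    events += [
        _event(base + timedelta(minutes=30, seconds=6 * i), "GetObject",
               "AKIACIBUILDLEGACY001", "203.0.113.10", "acme-datalake",
               f"exports/customers-{i:03d}.parquet", 5_000_000)
        for i in range(40)
    ]
    return events


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events, last_used, window=timedelta(minutes=10), max_gets=20,
           dormant_days=90):
    """Return alerts for two signals: any use of a key idle for at least
    dormant_days, and a (key, source IP) pair issuing max_gets or more
    GetObject calls inside one sliding window."""
    alerts, flagged = [], set()
    by_actor = defaultdict(list)  # (key, ip) -> [(time, bytes_out), ...]
    for e in events:
        key, ip = e["userIdentity"]["accessKeyId"], e["sourceIPAddress"]
        t = parse_time(e["eventTime"])
        idle_since = last_used.get(key)
        if (key not in flagged and idle_since is not None
                and t - idle_since >= timedelta(days=dormant_days)):
            alerts.append(("dormant_key_used", key, ip))
            flagged.add(key)  # one alert per key, not one per event
        if e["eventName"] == "GetObject":
            by_actor[(key, ip)].append(
                (t, e["additionalEventData"]["bytesTransferredOut"]))
    for (key, ip), rows in by_actor.items():
        rows.sort()
        start, peak = 0, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= max_gets:
            alerts.append(("bulk_download", key, ip, peak,
                           sum(b for _, b in rows)))
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_events(), KEY_LAST_USED):
        print(alert)
```

The thresholds are deliberately low so the constructed sample trips them; in production the window size and GetObject count should be derived from a per-principal baseline, and the dormant-key check should read the real credential report rather than a hard-coded dictionary. Because the actor uses the platform's own APIs, this is the layer where the activity is visible; an endpoint agent on the victim's servers sees nothing.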

What Organizations Should Do

  1. Patch CVE-2025-55182 (React2Shell) immediately on every internet-facing application that ships React Server Components, including Next.js and other React 19 frameworks, and audit web server and application logs for exploitation attempts dating back to the public disclosure.
  2. Inventory and rotate dormant credentials and API keys across AWS, Azure, GCP, Databricks, and MongoDB environments, and enforce short-lived tokens with conditional access where supported.
  3. Run external attack surface scans against your own cloud storage, staging servers, and S3 or Azure Blob buckets to identify open directories and publicly accessible repositories before adversaries do.
  4. Restrict access to cloud instance metadata APIs: require IMDSv2 on AWS (HttpTokens set to required, with a response hop limit of 1 where containers should not reach the endpoint), and on Azure and GCP, whose metadata endpoints already demand a request header, restrict which workloads can reach 169.254.169.254, so that a compromised workload cannot harvest instance role credentials.
  5. Deploy data exfiltration detection focused on anomalous egress from cloud storage and data platforms over web services, rather than relying solely on endpoint-based ransomware indicators.
  6. Assume extortion actor commitments, including sector carve-outs, will not be honored, and build incident response playbooks for data theft scenarios that do not involve encryption.
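An added example for point 3 above, written for this page rather than taken from the MOXFIVE report: a Python check that decides whether an S3 bucket policy grants anonymous read, the condition that turns a bucket into an Index of /Shame style find. It models the IAM semantics that matter (Principal "*" or {"AWS": "*"}, wildcard Action patterns, Allow with NotAction, Condition blocks that need a human decision) and combines the verdict with the bucket's Public Access Block, since RestrictPublicBuckets=true makes AWS ignore public grants. The inventory is constructed in the shape boto3's get_bucket_policy (a JSON string) and get_public_access_block (a dictionary) return; the bucket names, VPC ID and account ID are hypothetical.

```python
import fnmatch
import json

READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_is_anyone(principal):
    """AWS reads Principal "*" and {"AWS": "*"} as everyone, anonymous included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _covers(patterns, action):
    """IAM action matching: case-insensitive, with * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _grants_read(statement):
    if "NotAction" in statement:
        # Allow + NotAction grants everything not listed, so it grants a read
        # unless the list excludes both read actions.
        return not all(_covers(statement["NotAction"], a) for a in READ_ACTIONS)
    return any(_covers(statement.get("Action", []), a) for a in READ_ACTIONS)


def public_read_statements(policy):
    """Return ([sids granting anonymous read], [sids that do so under a Condition]).
    Conditional grants need a human: aws:SourceVpc narrows the audience,
    s3:prefix or aws:UserAgent does not."""
    open_sids, conditional = [], []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        if not _grants_read(st):
            continue
        sid = st.get("Sid", f"statement[{i}]")
        (conditional if st.get("Condition") else open_sids).append(sid)
    return open_sids, conditional


def assess_bucket(policy, public_access_block=None):
    """Combine the policy with the bucket's Public Access Block settings:
    RestrictPublicBuckets=true makes AWS ignore public grants in the policy."""
    open_sids, conditional = public_read_statements(policy)
    restricted = (public_access_block or {}).get("RestrictPublicBuckets", False)
    if open_sids and not restricted:
        return "PUBLIC"
    if open_sids:
        return "BLOCKED_BY_PUBLIC_ACCESS_BLOCK"
    if conditional:
        return "REVIEW_CONDITION"
    return "PRIVATE"


# Constructed inventory (bucket name, policy JSON, Public Access Block), in the
# shape get_bucket_policy / get_public_access_block return. Names are hypothetical.
CONSTRUCTED_INVENTORY = [
    ("acme-staging-artifacts", """{"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::acme-staging-artifacts/*"}]}""",
     {}),
    ("acme-datalake", """{"Version": "2012-10-17", "Statement": [
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:Get*", "s3:List*"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0a1b2c3d"}}}]}""",
     {"RestrictPublicBuckets": False}),
    ("acme-backups", """{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
         "Action": "s3:*", "Resource": "*"}]}""",
     {"RestrictPublicBuckets": True}),
    ("acme-legacy-site", """{"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicWebsite", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "*"}]}""",
     {"RestrictPublicBuckets": True}),
]


def audit(inventory):
    """Map bucket name -> verdict; PUBLIC entries are what an outside scanner finds."""
    return {name: assess_bucket(json.loads(policy), pab) for name, policy, pab in inventory}


if __name__ == "__main__":
    for name, verdict in audit(CONSTRUCTED_INVENTORY).items():
        print(f"{verdict:32} {name}")
```

Two caveats a practitioner should keep in mind. This check reads the bucket policy only; legacy bucket and object ACLs can also grant AllUsers read, so the same inventory should be run through get_bucket_acl, or the account should enable BlockPublicAcls and IgnorePublicAcls so ACL grants are moot. And a policy review is the inside view; the outside view that matches the actor's scanning is an unauthenticated HTTP GET against each bucket and staging hostname, which also catches objects exposed through a misconfigured CDN or web server in front of the storage.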

Sources: Who Is FulcrumSec? Inside the Cloud Extortion Group Behind 21 Victims… and Counting