Australian fine jewellery retailer Gregory Jewellers Pty Ltd has been listed on the dark web leak site of the Kairos ransomware gang, which claims to have exfiltrated 574 gigabytes of data from the company. The listing, first reported by Cyber Daily on 1 May 2026, included a sample of allegedly stolen data before being pulled from the site.
What Happened
Kairos added Gregory Jewellers, a Sydney CBD-based retailer with over 45 years of heritage in fine jewellery, watches and accessories, to its dark web leak site as a confirmed victim. The threat actor claimed to have stolen approximately 574 GB of data from the retailer's environment.
While Kairos provided no technical details about how access was obtained or how long it persisted, the group published a sample of the data to substantiate the claim. Notably, at the time of reporting, the listing and the sample had been pulled from the leak site, a move that often signals private negotiations or partial payment between the victim and the threat actor. Gregory Jewellers had not issued a public statement at the time of disclosure.
What Was Taken
The sample published by Kairos before the listing was removed reportedly included:
- Personal information of clients
- Internal documents relating to an ongoing investigation
- Customer purchase history records
- At least one passport scan
- Additional unspecified internal documents
For a high-end jewellery retailer, customer purchase history is particularly sensitive. It associates named individuals with high-value items and home delivery addresses, creating downstream physical-security risk on top of the privacy and identity-fraud exposure typical of retail breaches. The presence of identity documents such as passports raises the prospect of regulatory notification obligations under the Australian Privacy Act and the Notifiable Data Breaches scheme.
Why It Matters
Gregory Jewellers is the latest in a string of Kairos-claimed Australian victims, with the group naming at least three Australian organisations in April 2026 alone, including NSW-based Strata Republic, from which Kairos claimed to have stolen 441 GB.
The targeting pattern reflects two trends defenders should track. First, Kairos appears to be scaling its Australian operations, which suggests either local affiliate activity or a deliberate regional focus. Second, mid-market Australian retailers and professional services firms are being hit at a cadence that points to opportunistic, broad-based targeting rather than bespoke intrusion campaigns. Organisations in adjacent verticals should assume they are within the group's targeting envelope.
The disappearance of the listing also matters. When leak-site posts vanish quickly, it more often indicates that ransom negotiations are under way than that the victim has been cleared, and stolen data may still be sold or re-leaked later regardless of the outcome.
The Attack Technique
Kairos has not disclosed initial access vectors, dwell time, or tooling used in the Gregory Jewellers intrusion. According to threat intelligence firm Cyjax, Kairos surfaced its first victim in November 2024 and has since claimed more than 80 victims globally. The group operates on Russian-language criminal forums and is not currently assessed to be linked to other established ransomware brands or affiliate programmes.
Based on Kairos's broader victimology, defenders should assume the group leverages commodity initial-access techniques common to mid-tier ransomware operators: exposed remote services, stolen credentials sourced from infostealer logs, phishing for session tokens, and exploitation of unpatched edge devices. The 574 GB exfiltration volume implies sustained dwell time and likely use of standard cloud-staging or rclone-style exfiltration tooling.
What Organizations Should Do
Australian retail and SME defenders should treat the Kairos cluster as an active and credible threat. Recommended actions:
- Hunt for infostealer exposure. Review credential-monitoring feeds for employee logins appearing in stealer logs (RedLine, LummaC2, StealC). Force resets and revoke all active sessions for any matches.
- Harden external attack surface. Audit internet-exposed RDP, VPN concentrators, and remote-management tooling. Enforce phishing-resistant MFA on every external authentication point, including service accounts.
- Detect bulk exfiltration early. Implement egress monitoring for traffic to cloud-storage providers and known exfiltration tooling (rclone, MEGA, FileZilla). Alert on anomalous outbound volumes from file servers and document repositories.
- Segment customer data stores. Treat customer PII, identity document scans, and purchase history as crown-jewel datasets. Restrict access via just-in-time privileges and ensure dedicated logging on read operations.
- Test incident response and notification workflows. Run a tabletop scenario covering OAIC notification under the Notifiable Data Breaches scheme, including timelines for passport and identity-document disclosure.
- Prepare for double extortion. Assume any Kairos intrusion involves data theft prior to encryption. Backups alone will not resolve the extortion leverage.
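As an added illustration of the "detect bulk exfiltration early" recommendation (example code written for this article, not tooling from Kairos, Gregory Jewellers or Cyber Daily), the script below runs a daily cloud-storage egress threshold and a multi-day persistence check over constructed flow records. The host names, the domain watchlist and the 5 GiB threshold are assumptions to be tuned against your own baseline.

```python
"""Egress-volume detection over constructed flow records (added example).
Flags hosts whose daily outbound volume to cloud-storage destinations exceeds
a threshold, and hosts doing so on several days. Sample data is constructed."""
from collections import defaultdict
from datetime import datetime

# Illustrative watchlist; replace with destinations your egress proxy actually sees.
CLOUD_STORAGE_SUFFIXES = ("mega.nz", "mega.io", "drive.google.com",
                          "dropbox.com", "s3.amazonaws.com")
GIB = 2 ** 30
# Constructed records: (ISO timestamp, src_host, dst_domain, bytes_out)
SAMPLE_FLOWS = [
    ("2026-04-20T01:02:00", "fs01.corp.example", "mega.nz", 40 * GIB),
    ("2026-04-20T02:15:00", "fs01.corp.example", "mega.nz", 35 * GIB),
    ("2026-04-20T09:00:00", "ws-122.corp.example", "drive.google.com", 120 * 2 ** 20),
    ("2026-04-20T10:30:00", "ws-087.corp.example", "updates.example.net", 300 * 2 ** 20),
    ("2026-04-21T03:05:00", "fs01.corp.example", "mega.nz", 60 * GIB),
]

def is_cloud_storage(domain):
    """True if domain equals, or is a subdomain of, a watchlisted suffix."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)

def daily_cloud_egress(flows):
    """Sum bytes_out per (day, src_host), counting cloud-storage destinations only."""
    totals = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if is_cloud_storage(dst):
            day = datetime.fromisoformat(ts).date().isoformat()
            totals[(day, src)] += nbytes
    return dict(totals)

def flag_bulk_egress(flows, threshold_bytes=5 * GIB):
    """Sorted (day, src_host, GiB) tuples at or above the daily threshold."""
    return sorted((day, src, round(total / GIB, 2))
                  for (day, src), total in daily_cloud_egress(flows).items()
                  if total >= threshold_bytes)

def sustained_egress_hosts(flows, min_days=2, threshold_bytes=5 * GIB):
    """Hosts that breach the daily threshold on at least min_days distinct days."""
    days_over = defaultdict(set)
    for day, src, _ in flag_bulk_egress(flows, threshold_bytes):
        days_over[src].add(day)
    return sorted(h for h, days in days_over.items() if len(days) >= min_days)

if __name__ == "__main__":
    print("daily alerts:", flag_bulk_egress(SAMPLE_FLOWS))
    print("sustained:", sustained_egress_hosts(SAMPLE_FLOWS))
```

The workstation's 120 MiB Google Drive sync stays below the threshold while the file server's repeated multi-GiB transfers to mega.nz are flagged on both days, which is the shape a sustained, multi-hundred-gigabyte theft leaves in egress telemetry.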
Sources: Exclusive: Kairos claims breach of Australian jewellery company - Cyber Daily