The DragonForce ransomware operation has allegedly added two new organizations, JAKN and GGroupCPAs, to its dark web leak portal in a near-simultaneous disclosure observed on May 25, 2026. The listings were flagged by the ThreatMon Threat Intelligence Team, which monitors ransomware leak sites and underground cybercriminal infrastructure. The posts appeared roughly three minutes apart, indicating a coordinated publication pattern consistent with double-extortion campaigns.
What Happened
According to dark web monitoring channels, DragonForce posted GGroupCPAs to its victim page at 14:52:21 UTC+3, followed by JAKN at 14:55:49 UTC+3 on May 25, 2026. The proximity of the two timestamps suggests the operators staged the leak page entries together, likely to maximize visibility across underground forums and threat intelligence feeds tracking the group.
No technical indicators, sample files, or forensic artifacts were released alongside the public claims. This is consistent with the early stage of DragonForce extortion timelines, where operators typically publish only the victim name to apply psychological pressure before any stolen material is released in tranches. Neither JAKN nor GGroupCPAs has publicly confirmed an intrusion at the time of the listing.
What Was Taken
DragonForce has not yet disclosed sample data, file trees, or volume estimates for either victim. Historically, the group has exfiltrated a mixture of financial records, client documentation, employee personally identifiable information, internal communications, and operational data prior to encryption. Given that GGroupCPAs operates in the certified public accounting space, any stolen archive likely contains highly sensitive third-party tax filings, audit work papers, banking details, and client identification material subject to strict regulatory protection.
JAKN's exposure profile is unclear pending confirmation of the organization's primary business activity, but the group's standard playbook implies a parallel exfiltration of internal databases and document repositories.
Why It Matters
Accounting and professional services firms remain disproportionately attractive ransomware targets because they aggregate sensitive financial data for dozens or hundreds of downstream clients. A single compromise at a CPA firm can produce a supply-chain effect that exposes the firm's clients to identity theft, wire fraud, and regulatory action. DragonForce's continued focus on small and midsize professional services targets reinforces a wider trend of ransomware affiliates pursuing high-leverage data that compels rapid payment to avoid client litigation and reputational fallout.
The dual listing also signals that DragonForce affiliate operations remain active and well resourced through 2026, despite ongoing law enforcement disruption efforts targeting ransomware-as-a-service ecosystems.
The Attack Technique
DragonForce affiliates historically rely on a mix of initial access vectors, including phishing with malicious attachments, exploitation of internet-exposed remote services such as RDP and VPN concentrators, and the abuse of valid credentials sourced from infostealer logs. Once inside, operators typically pivot using legitimate administrative tooling, escalate via Active Directory misconfigurations, and stage data exfiltration through cloud storage services before deploying the DragonForce locker. No specific intrusion vector has been disclosed for the JAKN or GGroupCPAs incidents.
What Organizations Should Do
- Enforce phishing-resistant multi-factor authentication on all remote access, email, and privileged administrative accounts to neutralize stolen credentials.
- Audit and restrict outbound traffic to unsanctioned cloud storage and file transfer services commonly abused for exfiltration staging.
- Patch internet-facing VPN, firewall, and remote desktop appliances on an accelerated schedule, prioritizing vulnerabilities already weaponized by ransomware affiliates.
- Segment client data repositories from general-purpose workstations, and apply least-privilege access controls on accounting and audit work paper shares.
- Maintain immutable, offline backups and rehearse restoration of critical financial systems under a documented incident response playbook.
- Monitor infostealer marketplaces and credential dump feeds for exposure of corporate identities, and force resets where matches are found.
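
An added example, not part of the original report, for the outbound-traffic audit in the second recommendation: it totals upload bytes per host, destination and day, so an archive sent as several smaller requests still crosses the threshold. The log layout, the domain names and the 500 MiB threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Everything below is assumed for illustration: log layout, domains, threshold.
SANCTIONED = ("files.corp.example",)                 # approved storage service
STORAGE = ("cloudshare.example", "xfer.example", "files.corp.example")
THRESHOLD_BYTES = 500 * 1024 * 1024                  # per host/destination/day

# Constructed proxy log: timestamp src_host method dest_host bytes_sent
SAMPLE_LOG = """\
2026-01-10T09:01:12Z ws-audit-07 PUT files.corp.example 734003200
2026-01-10T09:14:40Z ws-audit-07 POST up.cloudshare.example 314572800
2026-01-10T09:15:02Z ws-audit-07 POST up.cloudshare.example 293601280
2026-01-10T10:02:33Z ws-front-02 GET up.cloudshare.example 1200
2026-01-10T11:45:09Z srv-tax-01 PUT drop.xfer.example 10485760
malformed line here
2026-01-11T02:11:54Z srv-tax-01 PUT drop.xfer.example 2147483648
"""

def _matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def parse(log_text):
    """Yield (day, src, method, dest, bytes_sent); skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, src, method, dest, sent = parts
        yield ts[:10], src, method.upper(), dest.lower(), int(sent)

def find_exfil_candidates(log_text, threshold=THRESHOLD_BYTES):
    """Return sorted (day, src, dest, total_bytes) for unsanctioned uploads."""
    totals = defaultdict(int)
    for day, src, method, dest, sent in parse(log_text):
        if method not in ("PUT", "POST"):
            continue                                  # uploads only
        if _matches(dest, STORAGE) and not _matches(dest, SANCTIONED):
            totals[(day, src, dest)] += sent
    return sorted(k + (v,) for k, v in totals.items() if v >= threshold)

if __name__ == "__main__":
    for day, src, dest, total in find_exfil_candidates(SAMPLE_LOG):
        print(f"{day} {src} -> {dest}: {total / 2**20:.0f} MiB uploaded")
```

Neither of the two uploads from `ws-audit-07` exceeds the threshold on its own; only the daily total does, which is why the check aggregates before comparing.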