Italian grocery retailer and distributor Selex Gruppo Commerciale has been listed as a victim on the INC Ransom dark web leak site, with the threat actor claiming exfiltration of approximately 1 terabyte of sensitive corporate, employee, and customer data. The listing was published on April 27, 2026, and aggregated by RedPacket Security. As with all INC Ransom claims, the listing should be treated as unconfirmed pending independent corroboration, though the volume and specificity of the alleged data trove suggest deep network access.

What Happened

INC Ransom posted Selex Gruppo Commerciale to its Tor-based extortion blog on April 27, 2026, characterizing the incident as both a cyber attack and a large-scale data breach. According to the leak page, the intrusion took place "in recent days" and resulted in the exfiltration of roughly 1TB of data spanning production and development environments. No ransom figure or payment deadline has been published on the listing, which is consistent with INC Ransom's pattern of using initial victim posts to pressure negotiation before disclosing terms or staging proof packs. Selex, one of Italy's largest grocery distribution consortia serving thousands of retail locations nationwide, has not issued a public statement at the time of writing.

What Was Taken

The threat actor's posting describes an unusually broad data set indicating access to core operational systems rather than a single-segment compromise. Categories listed include:

The presence of credentials, tokens, and BPM artifacts is particularly concerning, as these enable downstream attacks against integrated suppliers, payment processors, and franchisee systems even after the initial intrusion is contained.

Why It Matters

Selex sits at the center of an Italian grocery supply chain that serves millions of consumers and integrates hundreds of independent retailers and suppliers. A 1TB exfiltration spanning supplier specifications, BPM workflows, and credential stores creates risk well beyond Selex itself: third parties whose data, pricing, or access tokens were stored in Selex environments now face derivative exposure. INC Ransom has been steadily escalating its targeting of European retail and consumer services through 2025 and into 2026, and this listing reinforces the trend of double-extortion crews pivoting away from healthcare scrutiny toward retail and logistics targets where operational pressure is high and downtime costs mount quickly.

The Attack Technique

INC Ransom has not disclosed an initial access vector for the Selex intrusion, and Selex has not issued technical details. Historically, INC Ransom affiliates have favored exploitation of internet-facing edge devices (Citrix NetScaler CVE-2023-3519, Fortinet, and Ivanti Connect Secure flaws), spearphishing with malicious attachments, and the abuse of valid credentials sourced from infostealer logs. Post-access tradecraft typically includes Impacket and PsExec for lateral movement, AnyDesk and Splashtop for persistence, MEGA and rclone for staging exfiltration, and selective deployment of the INC encryptor only after data theft is complete. The reference to harvested "tokens" in the leak listing aligns with this pattern of credential-driven lateral expansion.

What Organizations Should Do

Retailers, distributors, and any organization with supplier relationships involving Selex should take immediate defensive action:

  1. Rotate all shared credentials and API tokens exchanged with Selex environments, including EDI, ordering, and payment integration secrets, on the assumption they may be in the leaked dataset.
  2. Hunt for INC Ransom indicators including unauthorized AnyDesk/Splashtop installs, rclone or MEGAcmd execution, and Impacket-style WMI/SMB lateral movement against domain controllers.
  3. Patch and audit edge infrastructure including Citrix, Fortinet, Ivanti, and SonicWall appliances, and confirm that MFA is enforced on all remote access portals.
  4. Validate offline, immutable backups for ERP, BPM, and workflow systems, and rehearse restore procedures end-to-end rather than spot-checking them.
  5. Monitor underground markets and leak sites for Selex-derived data appearing in combolists or initial access broker postings, and brief staff to expect targeted phishing referencing real internal projects.
  6. Engage legal and DPO functions early under GDPR Article 33, as personal data of employees, customers, and partners appears to be in scope and notification clocks may already be running.
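
As a starting point for the hunt in step 2, the following added example (not from the source listing or from RedPacket Security) runs simple detection rules over process-creation events. The field names follow Sysmon Event ID 1; the host names, allowlist, patterns, and sample events are constructed assumptions to adapt to your own telemetry.

```python
import re

# Hosts where remote-access tools are sanctioned (hypothetical allowlist).
APPROVED_REMOTE_TOOL_HOSTS = {"HELPDESK-01"}

# (rule name, event field, pattern). Illustrative patterns, not a complete rule set.
RULES = [
    ("remote_access_tool", "Image", re.compile(r"anydesk|splashtop", re.I)),
    ("exfil_tool", "Image", re.compile(r"rclone|megacmd", re.I)),
    ("exfil_tool", "CommandLine", re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync)\b", re.I)),
    # Impacket wmiexec default: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<ts> 2>&1
    ("impacket_wmiexec", "CommandLine",
     re.compile(r"cmd(\.exe)?\s+/Q\s+/c\s.*\\\\127\.0\.0\.1\\ADMIN\$\\__", re.I)),
]

def hunt(events):
    """Return sorted (host, rule) findings for a list of process-creation events."""
    findings = set()
    for ev in events:
        for rule, field, pattern in RULES:
            if not pattern.search(ev.get(field, "")):
                continue
            # Remote-access tools are only a finding on hosts outside the allowlist.
            if rule == "remote_access_tool" and ev["Computer"] in APPROVED_REMOTE_TOOL_HOSTS:
                continue
            # The wmiexec pattern only counts when WMI spawned the shell.
            if rule == "impacket_wmiexec" and not ev.get("ParentImage", "").lower().endswith("wmiprvse.exe"):
                continue
            findings.add((ev["Computer"], rule))
    return sorted(findings)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "DC-01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1714200000.12 2>&1"},
    {"Computer": "FS-02", "Image": r"C:\ProgramData\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\shares remote:bkp --transfers 16"},
    {"Computer": "HELPDESK-01", "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "CommandLine": r"AnyDesk.exe"},
    {"Computer": "POS-17", "Image": r"C:\Users\Public\AnyDesk.exe",
     "CommandLine": r"C:\Users\Public\AnyDesk.exe"},
    {"Computer": "WS-05", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for host, rule in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Name-based matching misses renamed binaries, so treat hits as leads and pair these rules with file-hash or original-file-name fields where your logging provides them.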

Sources: [INCRANSOM] - Ransomware Victim: Selex - Gruppo Commerciale - RedPacket Security