On June 4, 2026, the SpaceBears ransomware group claimed responsibility for a cyberattack against Sicol – JS Cobranças e Serviços (sicol.com.br), a prominent Brazilian debt collection and credit management firm. The threat actors have publicly threatened to leak sensitive employee and client data, including financial documents, unless their ransom demands are met. The claim was first surfaced through DeXpose threat intelligence monitoring of ransomware leak sites.
What Happened
SpaceBears, a ransomware operation known for double extortion tactics, added Sicol to its data leak site on June 4, 2026. The group issued a public statement claiming it had exfiltrated significant volumes of sensitive data from the company's internal systems. According to the actor's posted notice, "Personal information of employees and clients, financial documents, and other files will be leaked unless contacted." As of publication, Sicol has not issued a public statement confirming or denying the breach, and the company's operational status remains unclear.
What Was Taken
While the full scope of the data exfiltration has not been independently verified, SpaceBears claims to hold:
- Personal information of Sicol employees
- Personal information of Sicol's clients, which, given the company's debt collection business, likely includes financial details of debtors and creditors
- Financial documents tied to collection operations and credit management workflows
- Additional internal files of unspecified nature
The exposure is particularly sensitive because Sicol's core business handles delinquent debt portfolios, meaning compromised data could include payment histories, identification numbers (CPF/CNPJ), contact details, and creditor relationships.
Why It Matters
Sicol operates in Brazil's debt collection sector, an industry that aggregates highly sensitive financial data across thousands of consumers and corporate creditors. A breach here cascades downstream: leaked debtor data can fuel identity fraud, social engineering against vulnerable consumers already in financial distress, and regulatory exposure under Brazil's LGPD (Lei Geral de Proteção de Dados). For creditor clients that outsource collections to Sicol, this incident represents a third-party risk event that may trigger their own breach notification obligations. SpaceBears has been increasingly active against Latin American targets, signaling continued interest in financial services intermediaries that hold rich data but often lack enterprise-grade security maturity.
The Attack Technique
SpaceBears has not publicly disclosed the initial access vector used against Sicol. The group historically leverages a combination of techniques common to mid-tier ransomware operations, including phishing campaigns delivering loaders, exploitation of internet-facing services such as VPN appliances and RDP, and use of stolen credentials sourced from infostealer logs sold on underground markets. The group operates a Tor-based leak site and follows a double-extortion model: encrypting victim environments while simultaneously exfiltrating data to pressure payment. No indicators of compromise specific to this intrusion have been published at this time.
What Organizations Should Do
Organizations in financial services, debt collection, and related sectors should treat this incident as a prompt to review their own posture:
- Audit exposed infrastructure: Inventory all internet-facing services (VPN gateways, RDP, Citrix, web portals) and confirm they are patched, MFA-enforced, and behind conditional access controls.
- Monitor for credential exposure: Continuously scan dark web markets and infostealer log dumps for compromised corporate and employee credentials, and rotate any exposed credentials immediately.
- Validate offline, immutable backups: Confirm backups are recent, encrypted, and stored in immutable or air-gapped configurations to survive ransomware encryption and deletion attempts.
- Enforce MFA universally: Apply phishing-resistant MFA across all remote access, email, and privileged accounts, eliminating SMS-based fallbacks where possible.
- Run a compromise assessment: For organizations sharing data with Sicol or similar collection partners, initiate a review of integration points, shared credentials, and data flows that could be affected downstream.
- Engage incident response counsel early: Pre-establish relationships with IR firms and breach counsel before an incident, and never negotiate with ransomware actors without legal and law enforcement coordination.
Sources: SpaceBears Ransomware Attack on Sicol Unveils Sensitive Data - DeXpose