Synopsys, one of the world's largest electronic design automation (EDA) and semiconductor IP vendors, has been named as a victim of the D1R ransomware group in a confirmed data breach discovered on 2026-07-13. The threat group has claimed the exfiltration of internal data from the US-based technology firm, adding a high-value chip design supplier to a wave of D1R activity that also hit chip designer ARM on the same day.
What Happened
According to threat intelligence sourced by HookPhish, the D1R ransomware group listed Synopsys (synopsys.com) on its data-leak infrastructure after breaching the company's environment. The breach is dated 2026-07-13 and was surfaced publicly the same day. The listing is categorized as a data and leak event, consistent with the double-extortion model most modern ransomware crews now favor, in which stolen data is threatened with publication to pressure the victim into paying, independent of any file encryption.
Synopsys sits at the core of the global semiconductor supply chain, providing the EDA tooling, silicon IP, and verification software used to design the vast majority of modern chips. That position makes any confirmed intrusion strategically significant well beyond the company itself.
What Was Taken
The D1R listing is classified as a data leak, indicating the group claims to hold exfiltrated internal information from Synopsys. Precise volume, file counts, and data types have not been disclosed in the initial threat feed, and the specific records at risk remain unconfirmed pending further releases from the group or a statement from the company.
Given Synopsys's business, the sensitivity ceiling is high. Potentially exposed categories in an environment of this type include proprietary EDA source and design IP, customer and partner engineering data, employee records, and internal corporate documents. Until the scope is verified, organizations with Synopsys ties should treat the exposure as broad rather than narrow.
Why It Matters
A breach at an EDA and semiconductor IP provider carries supply chain implications. Synopsys tooling and IP flow into the products of chipmakers and device manufacturers worldwide, so stolen design data or customer information can create downstream risk for organizations that never touched the attacker directly. The same-day D1R listing of ARM signals a threat actor deliberately targeting the semiconductor design sector, where the intellectual property is exceptionally valuable and the blast radius is wide.
For defenders, this is a reminder that upstream vendors in your hardware and tooling supply chain are attractive targets, and that a compromise there can become your problem.
The Attack Technique
The initial access vector for this specific intrusion has not been confirmed in the available reporting. That said, the overwhelming majority of ransomware intrusions begin with stolen credentials or a phishing email, followed by lateral movement, privilege escalation, and data exfiltration prior to any extortion demand. Absent vendor confirmation, defenders should assume a credential- or phishing-led entry point and prioritize controls accordingly.
What Organizations Should Do
- Enforce phishing-resistant multi-factor authentication across all remote access, VPN, and privileged accounts to blunt credential-based entry.
- Monitor the dark web and breach feeds for leaked corporate logins and rotate any exposed credentials immediately.
- Segment networks and restrict lateral movement so a single compromised host cannot reach design IP or backup systems.
- Deploy and tune EDR to catch exfiltration staging and unusual outbound data transfers before extortion.
- Maintain tested, offline, immutable backups and rehearse restoration to reduce leverage from encryption or deletion.
- Review third-party and supply chain exposure to Synopsys tooling and data, and watch for follow-on phishing that references this incident.
Sources: Ransomware Group D1R Hits: Synopsys
TWEET: Synopsys, an EDA and chip-IP giant, breached by D1R ransomware in a confirmed data-leak incident discovered July 13. Same-day D1R also hit ARM. Full breakdown: https://wasteland.me/intel/synopsys-d1r-ransomware #CyberSecurity #ThreatIntel