Ransomware Group: SAFEPAY

VICTIM NAME: ctd-dortmund[.]de

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware leak page pertains to the domain “ctd-dortmund.de,” which appears to be associated with an organization in Germany. The incident was discovered on May 21, 2025, with the attack date also recorded as the same day and time. The group responsible is identified as “safepay,” which may indicate a specific threat actor or gang involved in this attack. The page includes a screenshot that depicts internal information or documents, although the details remain unspecified. No direct information suggests the compromise involved a data breach of employee or user data, as indicated by the infostealer statistics, which show zero employees or users affected.

The leak page does not specify the nature of the data compromised or the attack vector. It also lacks detailed descriptions or claims of data theft. The page provides a claim URL hosted on the dark web, which likely contains further details, but the contents are not accessible here. A prominent feature included is a visual screenshot, which may show internal documents or data extracted during the attack, emphasizing the seriousness of the breach. The description associated with the leak is marked as “[AI generated] N/A,” indicating the absence of detailed background or context. Overall, this incident appears to involve a targeted attack against the organization, with the threat actor possibly seeking to showcase access or exfiltrated data.

• The attack was discovered and reported on May 21, 2025.
• The threat group involved is identified as “safepay.”
• The victim organization is associated with the domain “ctd-dortmund.de” in Germany.
• No specific data about employees or third-party data breaches are indicated.
• The leak page features a screenshot that hints at internal documents or data.
• The URL for further details is hosted on the dark web.