[SAFEPAY] – Ransomware Victim: faltner[.]de

Ransomware Group: SAFEPAY

VICTIM NAME: faltner[.]de

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.


AI Generated Summary of the Ransomware Leak Page

On 2025-08-26 09:47:40.194383, the ransomware leak post attributed to the Safepay group references the victim faltner[.]de. The post identifies faltner[.]de as a German technology provider founded in 1946 and based in Germany; the precise address is redacted. The leak page describes the victim as a supplier of agricultural and forestry equipment, along with tools and gardening supplies, and notes an online shop offering both new and used machines, replacement parts (under the Agroparts brand), and maintenance services for rural customers. No explicit compromise date is provided, so the post date serves as the relevant timestamp. A claim URL is indicated as present on the page, but there are no downloadable files, and no screenshots or images are shown on the page. The visible content reads like a corporate profile rather than technical breach details, and no ransom amount or data type is disclosed in the excerpt.

From a threat intelligence perspective, the page offers limited indicators beyond the victim domain faltner[.]de, the actor group Safepay, and the country Germany. There is no explicit label of impact such as Encrypted or Data leak, and no ransom figure is listed in the provided data. The page shows zero images or screenshots, and there are no visible data samples or downloads on the leak page, which limits assessment of the actual data exposure. The presence of a claim URL suggests potential future ransom activity or data release, but the current post contains no concrete materials. Analysts should monitor for follow-up posts or additional leakage from Safepay related to faltner[.]de to determine whether data exfiltration occurred and what data, if any, was affected.

