Ransomware Group: SAFEPAY

VICTIM NAME: frapack[.]de

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware leak pertains to the German company Frapack.de, a manufacturer specializing in packaging materials such as plastic, paper, and industrial packaging for various sectors including food and beverages. The attack date is recorded as April 16, 2025, indicating a recent security incident involving this company. The attackers, associated with a group identified as ‘safepay,’ have publicly disclosed a claim URL, and the breach was discovered shortly thereafter. The leak likely includes sensitive company information and operational details, evident from the provided screenshot, which depicts internal documents. No specific PII or employee data appears to be exposed according to the available information.

The publicly accessible leak site features a graphic showing the company’s internal documents, hinting at a data breach that might involve proprietary or operational data. There is mention of an infostealer component, though it indicates no employees or user data were compromised. The company operates within the manufacturing sector in Germany and emphasizes sustainable, high-quality packaging solutions. The leak does not specify particular data contents or the extent of the compromise beyond the release of some internal visuals. No direct links to downloadable data are provided, but the presence of a claim URL suggests ongoing threat activity and potentially further disclosures or negotiation avenues for affected stakeholders.