Ransomware Group: SAFEPAY

VICTIM NAME: gjszlin[.]cz

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware leak page pertains to the website identified as gjszlin.cz, which is located in the Czech Republic. The attack was publicly disclosed on May 26, 2025, with the attack date officially recorded as May 21, 2025. The page does not specify the activity sector of the victim, and some information appears to be automatically generated, providing limited insights into the nature of the compromise. The leak includes a screenshot of the affected website or relevant data, indicating that sensitive information or internal materials might have been exposed. The details suggest that the incident involves the safepay group and includes references to infostealer malware, specifically Raccoon and RedLine, which are associated with information theft and credential compromise.

The leak introduces references to multiple third-party entities linked to the illicit activity, alongside a small number of affected users. There are no publicly available press statements, but a claim URL on the dark web provides further access to the leak details. The incident’s timeline indicates updates to the published leak occurred shortly after the initial discovery, highlighting the ongoing management of this breach. The nature of the data exposed in this leak could include login credentials, personal information, or internal documents, although no explicit PII or company-sensitive details are present in the summary. The leak’s overall goal appears to be the publication and dissemination of stolen data associated with the victim in the context of cyber extortion.